News -

Assessing the cyber risks of connectivity in the healthcare sector

Our lives are more connected than ever – access to services and data is ubiquitous. IoT has had a large part to play in this as IoT devices are everywhere – in our homes, workplaces, dotted across our smart cities and towns.

The healthcare sector is no exception – access to patient services, GP practices and even your patient records, connectivity is becoming more widespread as people take a more proactive role in their wellbeing.

However, it’s important to consider the risks this connectivity and its underlying infrastructure brings, especially as sectors like healthcare increase their adoption of connected medical devices.

Providing a holistic view of connectivity in healthcare

Earlier this year, we partnered with The AbedGraham Group – a global healthcare IT and cyber security technology group, made up of physicians and security analysts.

A unique mix of clinical and technical expertise, our partnership with The AbedGraham Group gave us a great opportunity to provide a holistic view of the expanding connected healthcare space. For this, we decided to conduct a risk analysis of the F5 BIG-IP vulnerability and apply this to the healthcare system.

The F5 BIG-IP vulnerability

This vulnerability, which was disclosed in July by Positive Technologies, allows unauthenticated users to read and write files, execute commands and disable services through the BIG IP Traffic Management User Interface (TMUI).

This means that if the TMUI is exposed to the Internet, anyone that can access it would be able to take complete control of the device with full administrative privileges. And depending on the role the device plays and what it is connected to, it could facilitate further attacks and act as a backdoor into an internal network.

F5 BIG-IP vulnerability in a clinical and non-clinical scenario

Working with the AbedGraham Group, we carried out a qualitative and quantitative analysis to showcase the cyber security risks that can be associated with network infrastructure in healthcare within non-clinical and clinical scenarios.

The two scenarios we looked at were:

  • What would be the risk associated with this highly critical vulnerability being present on a F5 BIG-IP Load Balancer, which supports the handling and direction of inbound web traffic from its external facing websites for a healthcare system?
  • What would be the risk associated with this highly critical vulnerability present on a F5 BIG-IP Load Balancer which supports domain authentication and bandwidth management through the authentication server providing access to the Electronic Health Record (EHR) clinical application within a healthcare system?

From our analysis, we were able to map out the potential impact of the F5 BIG-IP vulnerability across both scenarios in the healthcare sector, and confirm risks associated to both the medical devices and the network infrastructure that supports these.

This included a disruption to the administrative workflows and communication in the first scenario, which could delay patients making it into the hospital setting and receiving timely care. In the second scenario, the vulnerability would impact a wider range of activities across inpatient, outpatient and community related settings.

Given the function that these devices have, and the network infrastructure that supports mission-critical clinical applications and systems, it’s never been more crucial to understand the technical risks.

Commenting on this research, Dr Saif Abed, director of cyber security advisory services at The AbedGraham Group said: “Now more than ever, leaders across healthcare organisations from the CISO to the Chief Medical Officer and CEO need to be able to understand cyber security in terms of patient safety and clinical service disruption. Our research demonstrates that network infrastructure can have a profound impact in both those areas perhaps even more so than vulnerabilities in actual medical devices in many instances.

“By working with NCC Group, we were able to explore these risks from a holistic perspective and quantify their potential impact in a way that can help streamline remediation activities where they matter most.”

Stuart Kurutac, senior security consultant at NCC Group added: “As healthcare settings become more connected, the need for enhanced security becomes even greater, especially when a patient’s health and life could be at risk.

“While traditional concerns have focused very much on the connected devices, our research with The AbedGraham Group has highlighted that we should never overlook the security risks associated with network infrastructure.”

To find out more about the research and results, download the whitepaper here.  

Topics

  • Technology, general

Contacts

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574

Related content

NCC Group named Authorized Lab by ioXt Alliance to enhance security standards in Internet of Things product development

​NCC Group has been named as an Authorized Lab by the ioXt Alliance, the Global Standard for IoT Security and the industry group dedicated to building confidence in Internet of Things products.

Investing in cyber security of connected health

Connected Health is a rapidly growing area with huge innovative possibilities and potential. This is mostly due to the uptake of digital technologies in the health and medical fields that support diagnosis, treatment and management of health conditions

Security impact of IoT on the Enterprise

The way we use technology is becoming more integrated in all aspects of our daily lives and is steadily integrating within the enterprise environment. A core concern for businesses is therefore the risk of introducing Internet of Things (IoT) devices to the enterprise.

New IoT laws are an “encouraging step” towards improved consumer security

New proposed legislation, launched by the UK’s Digital Minister Margot James, has been published to help improve the security of internet of things (IoT) devices. This includes the introduction of a new labelling system for products to help users understand how secure they are.

NCC Group hails global advances in IOT security standards

Four months after the UK’s Department for Digital, Culture, Media and Sport finalised its Secure by Design Code of Practice, the global standards body, European Telecommunications Standards Institute (ETSI) has today (19 February) published its industry standard ‘Cyber Security for Consumer Internet of Things’.

Future regulatory framework for medical devices in the UK

As the UK Medicines and Healthcare products Regulatory Agency (MRHA) request views on how medical devices could be regulated across the UK in the future, we share our thoughts on the key elements to consider.

Looking back to look forward: predictions for 2021

​With the new year just around the corner, we decided to stop and take stock of how legislative measures and cyber security research have advanced to keep pace with the rapidly evolving cyber landscape. To start this process, we’re looking back at some of our most recent predictions to see how they’ve progressed and whether our research is contributing to making the world safer and more secure.

Related events

Cybersecurity in Healthcare

Event date 24 February 2021 13:00 – 14:00

Location Online