HHS HC3 Warns Healthcare of IoT Device, Open Web App Risks
Advisories Recommend Entities Take Steps for Prevention and Mitigation
Federal authorities are urging healthcare sector entities to be proactive in addressing security risks posed by internet of things devices and by open web applications.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in an IoT advisory reminds medical entities about the risks posed by devices equipped with sensors, software and other technologies to connect and exchange data over the internet.
In addition, a separate threat brief about open web applications spotlights the Open Web Application Security Project's Top 10 List of security risks involving those applications.
That brief comes on the heels of HHS HC3 last month issuing an advisory urging healthcare sector entities to batten down their patient portals and other common web applications from cyberattacks (see: Feds Warn Healthcare Sector of Web Application Attacks).
IoT Advisory
HHS HC3 in its IoT advisory notes that common "smart" devices used for healthcare include patient blood pressure and heart rate monitors, glucometers and fitness trackers.
"Any device connected to the internet has the potential to be hacked and the internet of things is no exception," HC3 writes. "A compromise of these devices could lead to devastating damage including tampering with traffic lights, shutting down home security systems, and damage to human life."
Potential attacks involving these IoT devices include privilege escalation, man-in-the-middle, eavesdropping, distributed denial-of-service, brute force, firmware hijacking, as well as physical tampering, HHS HC3 says.
The advisory recommends that healthcare sector entities take critical steps to reduce the risk of IoT attacks. They include reducing the attack surface on IoT through network segmentation, or splitting a network into multiple subnetworks, to prevent the spread of malware, reduce congestion and limit failures.
"This way the IoT devices are isolated from other IT equipment in use. Organizations operating with no segmentation are at a greater risk of being compromised," HHS HC3 says.
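An added example, not taken from the HC3 advisory or from this article: one way to audit a device inventory against a segmentation plan so that IoT devices stay isolated from other IT equipment. The inventory, the subnets and the `audit_segmentation` function are constructed for illustration.

```python
import ipaddress

# Constructed inventory: (hostname, IP address, device class). Not real data.
INVENTORY = [
    ("bp-monitor-01", "10.20.1.15", "iot"),
    ("glucometer-07", "10.20.1.22", "iot"),
    ("hr-monitor-03", "10.10.4.51", "iot"),       # sits on a workstation subnet
    ("nurse-ws-12", "10.10.4.18", "it"),
    ("ehr-db-01", "10.10.8.5", "it"),
    ("fitness-tracker-02", "192.168.50.9", "iot"),  # outside every planned subnet
]

# Constructed segmentation plan: subnet -> device class allowed on it.
SEGMENTS = {
    "10.20.1.0/24": "iot",
    "10.10.4.0/24": "it",
    "10.10.8.0/24": "it",
}


def audit_segmentation(inventory, segments):
    """Return (host, ip, status, detail) for each device that breaks the plan."""
    nets = [(ipaddress.ip_network(cidr), cls) for cidr, cls in segments.items()]
    # Most specific subnet first, so overlapping plans resolve predictably.
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)

    findings = []
    for host, ip, cls in inventory:
        addr = ipaddress.ip_address(ip)
        match = next(((n, allowed) for n, allowed in nets if addr in n), None)
        if match is None:
            # Device is reachable on a network the plan does not cover.
            findings.append((host, ip, "unsegmented", "no planned segment"))
        elif match[1] != cls:
            # Device class does not match the class its subnet is reserved for.
            detail = f"{cls} device on {match[1]} segment {match[0]}"
            findings.append((host, ip, "misplaced", detail))
    return findings


if __name__ == "__main__":
    for host, ip, status, detail in audit_segmentation(INVENTORY, SEGMENTS):
        print(f"{status:12} {host:20} {ip:15} {detail}")
```

In practice the inventory would come from an asset database or DHCP leases, and each finding is a candidate for a VLAN move or a firewall rule review.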
Other steps HHS HC3 recommends healthcare sector entities take to reduce IoT risk include:
- Change default router settings.
- Use strong and unique passwords on each device.
- Avoid using universal plug and play, or UPnP.
- Keep software and firmware updated.
- Implement a zero trust model.
The security of IoT devices in healthcare can affect patient health, and even patient lives, some experts say.
Two of the highest concerns are unauthorized disclosure of confidential patient data and denial-of-service attacks, says Ryan Semerau, director of cloud security services at privacy and security consultancy Clearwater.
"Inaccurate, missing or falsified information can lead to misdiagnosis and mistreatment of patients or malfunction of equipment, which could seriously affect the health and safety of a patient," he says.
Organizations may open themselves to legal liabilities or government fines if they do not properly address these security concerns, he adds.
Web Application Risks
In its threat brief issued Thursday about open web application security, HC3 outlines the OWASP's Top 10 List of security risks involving web apps and application programming interfaces, urging healthcare sector entities to take actions to address those issues.
"The OWASP Top 10 represents a broad consensus about the most critical security risks to web applications," HHS HC3 says.
The federal brief describes the OWASP's Top 10 in detail and offers a variety of mitigation and prevention steps that healthcare entities can take to avoid security compromises involving those risks.
The top 10 OWASP web application risks, and samples of the various mitigations suggested by HC3, include:
- Broken access controls: Entities can take steps such as enforcing their unique application business limit requirements through domain models.
- Cryptographic failures: Keys should be generated randomly with cryptography and stored in memory as byte arrays.
- Injection: Reviewing source code is the best method of detecting if applications are vulnerable to injections.
- Insecure design: Use threat modeling for critical authentication, access control, business logic and key flows.
- Security misconfiguration: Review and update the configurations appropriate to all security notes, updates and patches as part of a patch management process.
- Vulnerable and outdated components: Monitor for libraries and components that are unmaintained or do not create security patches for older versions.
- Identity and authentication failures: Wherever possible, implement multifactor authentication to prevent automated credential stuffing, brute force, and stolen credential reuse attacks.
- Software and data integrity failures: Use digital signatures or similar mechanisms to verify software or data is from the expected source and has not been altered.
- Security logging and monitoring failures: Ensure that logs are generated in a format that log management solutions can easily consume.
- Server-side request forgery: For front ends with dedicated and manageable user groups, use network encryption on independent systems to consider very high protection needs.
"All web application vulnerabilities may be exploited, and the OWASP Top 10 are the most common," Semerau says.
In fact, HHS HC3 in its web application security advisory last month said that the most recent Verizon Data Breach Investigation Report found that web applications were the top attack vector in healthcare.
"These advisories are helpful reminders that healthcare organizations need to continually reevaluate their security postures, both when their technology choices change and when the threat landscape changes," Semerau says.