Blog: Medical Device Security

FUD 101: How not to report healthcare cybersecurity issues

Ken Munro 15 May 2019

I was asked to review a report from Forescout about healthcare security by a journalist, as they were suspicious of the headlines.

Here’s what got my spidey senses tingling:

“The server (SMB) protocol is left open in 85% of connected devices in healthcare organisations, giving bad actors an easy and unprotected entry point into their networks”

This is misleading. SMB being open on something isn’t an entry point into a network. It suggests these are all open to the Internet! It doesn’t state that those 85% have poorly configured SMB, just that they offer SMB. Not outdated SMB (v1) or anonymous login via SMB, just ‘SMB’.

There’s nothing particularly wrong with SMB if done properly with well managed permissions. I call FUD!

“The large majority of connected medical devices are patient tracking/identification systems (38%) and infusion pumps (32%) – giving bad actors the ability to manipulate the administration of drugs, with potential lethal outcomes”

This misdirects readers: it implies that all tracking/identification systems and infusion pumps are vulnerable. That’s not the case. Some are vulnerable, but the report gives no useful stats about this. It just creates fear in readers.

Why not provide some useful statistics about systems and pumps with known vulnerabilities? Why not quote some of the awesome work done by others in this space, then assess how many vulnerable pumps are out there, using their agents in an internal-network shodan-style?

“Financially, the average cost of a security breach in healthcare is $7.3 million”

I have no problem with the above statistic. Breach stats are breach stats.

“Legacy Windows operating systems are still a major vulnerability, with 71% of devices running unsupported Windows OS by January 14, 2020”

More misdirection – yes, Windows 7 goes end of life in January. But that’s 8 months away. Many healthcare organisations will be in the middle of upgrades, so to call them out now is misleading and scaremongering.

That statistic would be useful and interesting in February next year, but not now! Reading the report, it shows that only 0.4% of devices are running currently unsupported operating systems, e.g. XP.
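To make the SMB and the Windows end-of-life points concrete, here is an added example (mine, not code from the post or from the Forescout report) that triages a constructed device inventory two ways: it counts devices that merely have SMB listening against devices whose SMB is actually weak (SMBv1 negotiable, anonymous login allowed, or reachable from the Internet), and it counts unsupported Windows versions as of a chosen date. The device records, their names and the `Device` fields are assumptions built for the example; the only real dates are the vendor end-of-support dates for Windows XP and Windows 7.

```python
"""Inventory triage: the same device list produces very different headline
numbers depending on which question you ask of it.  Constructed sample data;
not the report's data."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Iterable, List, Optional

# Vendor end-of-support dates for the versions that appear in the sample.
WINDOWS_EOL: Dict[str, Optional[date]] = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),   # the date quoted in the report
    "Windows 10": None,               # still supported at the time of the post
}


@dataclass(frozen=True)
class Device:
    name: str
    os: Optional[str]          # None for embedded devices without a Windows OS
    smb_open: bool             # TCP/445 listening at all
    smbv1_enabled: bool        # legacy dialect still negotiable
    null_session: bool         # anonymous (empty-credential) login accepted
    internet_exposed: bool     # reachable from outside the perimeter


def smb_misconfigured(d: Device) -> bool:
    """'SMB open' only becomes a finding when it is combined with a weakness."""
    return d.smb_open and (d.smbv1_enabled or d.null_session or d.internet_exposed)


def unsupported_on(d: Device, as_of: date) -> bool:
    """True if the device's OS is past vendor end-of-support on the given date."""
    if d.os is None or d.os not in WINDOWS_EOL:
        return False
    eol = WINDOWS_EOL[d.os]
    return eol is not None and as_of >= eol


def percentage(devices: List[Device], predicate: Callable[[Device], bool]) -> float:
    hits = sum(1 for d in devices if predicate(d))
    return round(100.0 * hits / len(devices), 1)


def summary(devices: List[Device], as_of: date) -> Dict[str, float]:
    """The honest and the headline-grabbing numbers, side by side."""
    return {
        "smb_open_pct": percentage(devices, lambda d: d.smb_open),
        "smb_misconfigured_pct": percentage(devices, smb_misconfigured),
        "unsupported_now_pct": percentage(devices, lambda d: unsupported_on(d, as_of)),
        "unsupported_after_win7_eol_pct": percentage(
            devices, lambda d: unsupported_on(d, WINDOWS_EOL["Windows 7"])),
    }


def _dev(name, os, smb_open=True, smbv1=False, null=False, exposed=False) -> Device:
    return Device(name, os, smb_open, smbv1, null, exposed)


# Constructed 20-device inventory (hypothetical names; not from the report).
SAMPLE: List[Device] = (
    [_dev(f"ws-{i:02d}", "Windows 7") for i in range(13)]          # SMB on, well configured
    + [_dev("ws-13", "Windows 7", smbv1=True)]                     # SMBv1 still enabled
    + [_dev("pump-gw", "Windows XP", null=True)]                   # XP box allowing null sessions
    + [_dev(f"nurse-{i}", "Windows 10") for i in range(2)]
    + [_dev("pacs", "Windows 10", smb_open=False)]
    + [_dev(f"pump-{i}", None, smb_open=False) for i in range(2)]  # embedded, no Windows
)

if __name__ == "__main__":
    # Evaluated on the post's publication date.
    for key, value in summary(SAMPLE, date(2019, 5, 15)).items():
        print(f"{key:32s} {value:5.1f}%")
```

Run on the constructed inventory, "SMB open" reads 85% while "SMB misconfigured" reads 10%, and "unsupported OS" reads 5% in May 2019 but 75% once the Windows 7 date is used as the reference. Which figure a report quotes, and against which date, is exactly the difference between a useful statistic and a scary one.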

That’s actually GOOD news.

This report is unhelpful, spreading fear, uncertainty and doubt in an effort to gain coverage.

To the report authors I say this: you found some interesting and useful information that had value to the industry, then let your marketing and PR department spoil it in the quest for coverage.

Guess what, the journalist decided not to run the story as they didn’t have time to pick apart the facts from the FUD.