What was your initial reaction when you first heard of the FBI’s warning last week, the one regarding the cyber security risk of FTP servers in healthcare facilities? Your reaction may have been similar to mine. What’s new is old and what’s old is new. While it’s easy to relegate such a warning to a lesson in better managing legacy protocols, the fact remains that a protocol as simple as FTP can pose a significant risk to the healthcare industry.
The FBI’s warning focused on FTP servers configured to allow anonymous access. With some research reporting more than 1 million such servers in use, it’s certainly a lucrative target for hackers. However, what about all the connected medical devices? These include devices such as X-ray machines, IV infusion pumps, and ultrasound machines. Many medical device manufacturers use FTP to remotely connect to these devices for monitoring and maintenance. Clinical engineers typically request that IT change the firewall policies to allow such traffic. Once this happens, the IT personnel lose all visibility into these devices. Essentially operating blind, no IT personnel will attempt to disable FTP access. Aside from the usual ire from the clinical engineers and device manufacturers, IT does not want to be responsible for any malfunction or other unexpected consequences. Can you blame them?
Once the FTP servers are found, the FBI recommends disabling anonymous access. Well, that’s easier said than done. Once connected medical devices pass FDA approval, they are rarely patched or upgraded. This is a fundamental challenge that many healthcare organizations face. Whether the cyber security threats arise from the use of legacy protocols or from vulnerabilities identified in the OS or applications, healthcare organizations are unable to react quickly to these warnings. For many IT organizations, it’s an unenviable position to be in.
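To make the FBI's recommendation concrete from the defender's side, here is an added example (not part of the original post or the FBI report) that audits a vsftpd-style configuration file for the anonymous-access directives and emits a hardened copy. The directive names (`anonymous_enable`, `anon_upload_enable`, `anon_mkdir_write_enable`, `anon_other_write_enable`) are real vsftpd settings; the sample configuration text is constructed for illustration, and the "unset means unknown" treatment is an assumption of this script, since an unset directive falls back to whatever the installed vsftpd build defaults to.

```python
# Added example (not from the original post): audit a vsftpd-style configuration
# for the anonymous-access settings the FBI warning concerns, and produce a
# hardened copy with every such directive explicitly set to NO.
from typing import Dict, List, Tuple

# vsftpd directives that widen anonymous exposure when set to YES.
RISKY_WHEN_YES = {
    "anonymous_enable": "anonymous logins are accepted",
    "anon_upload_enable": "anonymous users may upload files",
    "anon_mkdir_write_enable": "anonymous users may create directories",
    "anon_other_write_enable": "anonymous users may delete or rename files",
}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring comments and blank lines; last value wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:  # lines without '=' are not vsftpd directives; skip them
            settings[key.strip()] = value.strip()
    return settings


def find_anonymous_exposure(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (directive, reason) for each risky directive explicitly set to YES.

    Assumption of this script: an unset directive is reported as unknown rather
    than risky, because its effective value depends on the vsftpd build default.
    """
    findings: List[Tuple[str, str]] = []
    for key, reason in RISKY_WHEN_YES.items():
        if settings.get(key, "").upper() == "YES":
            findings.append((key, reason))
    return findings


def unset_directives(settings: Dict[str, str]) -> List[str]:
    """Risky directives the config does not set at all (effective value unknown)."""
    return [key for key in RISKY_WHEN_YES if key not in settings]


def harden(settings: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with every anonymous-access directive forced to NO."""
    hardened = dict(settings)
    for key in RISKY_WHEN_YES:
        hardened[key] = "NO"
    return hardened


def render(settings: Dict[str, str]) -> str:
    """Serialize settings back to key=value lines (sorted for a stable diff)."""
    return "\n".join(f"{k}={v}" for k, v in sorted(settings.items())) + "\n"


# Constructed sample: the kind of weak configuration the warning describes.
SAMPLE_WEAK_CONF = """\
# vsftpd.conf (constructed sample, not a real device configuration)
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
"""


if __name__ == "__main__":
    weak = parse_vsftpd_conf(SAMPLE_WEAK_CONF)
    for directive, reason in find_anonymous_exposure(weak):
        print(f"RISK  {directive}=YES: {reason}")
    for directive in unset_directives(weak):
        print(f"CHECK {directive} not set; effective value is the build default")
    print("--- hardened configuration ---")
    print(render(harden(weak)), end="")
```

Run against a copy of each server's configuration pulled from the asset inventory, the findings give IT the list of hosts where anonymous access is explicitly enabled, and the hardened rendering is the change to hand to whoever owns the device. Directives the file leaves unset are reported separately so they are verified against the installed vsftpd default rather than assumed safe.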
Many healthcare organizations are simply ill-prepared to identify and remediate attacks against their connected medical devices. The traditional security measures designed for servers, PCs, laptops and even tablets simply cannot be applied. Organizations need to deploy security solutions that are better suited to IoT and connected medical devices.
You can read the full report of the FBI warning here.