What the JekyllBot:5 Vulnerabilities Tell Us About Healthcare IoT Security
Aethon TUG autonomous robots are used to carry out simple healthcare errands at hundreds of hospitals. They transport medicine, clean floors, collect meal trays and linens, and perform many other activities that form part of a hospital’s daily routine. Their self-directed efficiency has helped the robots to grow in popularity as a way of streamlining time-consuming manual tasks and freeing up staff for more productive duties.
Using radio waves, sensors, cameras and other cutting-edge technology, the robots can do their work without human intervention and avoid crashing or bumping into people and objects. They can even control and travel on elevators by themselves!
No, you are not reading Isaac Asimov. Aethon TUG robots are just one of the thousands of devices leveraging smart, internet-connected technology to make care more efficient and ultimately lead to better patient care. Unfortunately, the same thing that makes these robots so productive is what makes them so risky when vulnerabilities like JekyllBot:5 are found.
The Cynerio Research team discovered the collection of vulnerabilities that make up JekyllBot:5 late last year when deploying our healthcare IoT security solution in a customer environment. The five vulnerabilities roughly fall into two main categories:
- Vulnerabilities that permit unauthorized access to the robots' web management console over its exposed HTTP service. They bypass the devices' authentication and authorization controls entirely and let an attacker take remote control of the robots. One of them was rated critical with a CVSS score of 9.8.
- Vulnerabilities that enable injection attacks delivered through that same management interface, leading to unauthorized access to the computers of the staff who manage the robots.
Because JekyllBot:5 allowed both remote control of the robot fleet and takeover of the workstations that manage it, any number of harmful outcomes could have followed had attackers found and exploited these vulnerabilities before Cynerio discovered them and alerted the manufacturer to patch them:
- The disruption or obstruction of the robots' timely delivery of patient medications and lab samples essential for optimal patient care
- Attacker access to robot camera feeds and photos in real time, with potential compromises of patient privacy and data
- Unwelcome physical interactions between robots and hospital staff, patients, visitors and property
- Attackers abusing the robots' integrations with door locks and elevators to shut those systems down during medical procedures
- Programming the robots to use abusive language and harass patients and hospital personnel
- Giving attackers an access point to laterally move through hospital networks, perform reconnaissance, and eventually carry out ransomware attacks, breaches, and other threats
The Risk and Reward of Healthcare IoT
Healthcare IoT devices are all over hospitals these days. Over 10 billion IoT devices are already in use at hospitals and other healthcare facilities, and that number is expected to QUINTUPLE over the next decade. Healthcare IoT has been adopted in large part because it is helping hospitals to drive better patient outcomes through more efficient and effective care. This has become even more important in the wake of the obligatory digital transformation during the pandemic that drove more remote work and telehealth. Unfortunately, in the rush to make sure everyone could do their jobs and attend doctor’s visits from home, IT security controls were not always top of mind.
The same "functionality is primary" approach creates complexity for healthcare IoT security too. IoT devices, including medical devices (IoMT, the Internet of Medical Things), often can't run the agents that traditional IT security tools such as Endpoint Detection and Response (EDR) solutions depend on. Many medical devices reach end of support years before the hospital plans to replace them, which means that when a vulnerability is discovered there is no patch coming. Hospitals are focused on making sure patients get the best possible care, so devices are bought and connected to the network with little visibility into the risks or attacks they may be exposed to. In many cases, hospitals simply can't count how many IoT devices are on their network, let alone know what vulnerabilities those devices have or how to remediate them in a timely fashion.
As hospitals continue to increase their investments in IoT and IoMT, attacks will continue to evolve to take advantage of the weakest security link in hospital environments. In many cases, it will be the IoT devices that can’t be secured through legacy IT security approaches. This dynamic is already playing out in the wild – a recent Ponemon Institute study found that healthcare IoT devices are just as likely to be the origin of a ransomware attack as phishing. Cynerio’s own recent research found that over half of the typical IoT devices in any given hospital have a critical risk that, if exploited by an attacker, would have a destructive impact on patient care, data confidentiality or service availability.
Statistics like those should be a wake-up call to hospitals that IoT security is an Achilles’ Heel enabling an ever-increasing volume of ransomware and breaches. And yet – a survey of the healthcare IoT marketplace shows that solution providers are mostly focused on inventory issues, such as whether devices are being utilized as often as they could be; risk reduction and attack mitigation are not the focus. But this is exactly backwards – counting devices and viewing their usage efficiency stats doesn’t reduce their risk or protect against an attack. You can’t secure what you can’t remediate. Healthcare IoT greatly expanded a hospital’s attack surface, and those institutions need tools to help fight back, not to merely get an introductory lay of the land on what their attack surface now looks like.
To put it bluntly, cybersecurity has failed healthcare. We promised security in exchange for our services, and the growing amount of ransomware and breaches, despite all the solutions already deployed to stop those attacks, is an indictment of our industry and a record of our broken promises that is too noticeable to ignore. We need to do better, and the first step is admitting that what has been done up to now hasn’t worked. The next step after that is to do something that WILL work. When it comes to healthcare IoT security, inventory is a commodity that we can see is not preventing attacks or reducing risk by itself. So, what SHOULD be done?
At a bare minimum, to stop the ransomware attacks that routinely shut down healthcare IoT devices and allow the data on them to be stolen, healthcare IoT security needs to go beyond inventory and provide the following protection measures:
- Locating and flagging every device with known risks and vulnerabilities such as JekyllBot:5
- Step-by-step mitigation plans for each device affected by a vulnerability, including access to advisories and patches from the device manufacturer and "virtual patching" options (compensating network controls) for end-of-life or otherwise unpatchable devices
- A Zero Trust security framework that limits the attack surface and silos healthcare IoT devices from the rest of the network so they can't be used as an unauthorized entry or access point. Hospitals are very different from any other IoT environment, however, and this separation must be carried out in a way that doesn't affect the devices' functionality or the care of the patients who depend on them
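The three measures above, as an added example that is not Cynerio's code or a description of its product: it flags inventory entries against a known-risk fingerprint, builds a default-deny segmentation policy per device that keeps only the flows the device needs to do its job, adds a "virtual patch" that restricts a flagged device's management console to the management subnet, and reports which observed flows the policy would cut so they can be reviewed before enforcement. The inventory, the firmware boundary, the console ports, the subnets and the required flows are all constructed placeholders, not values from any advisory or hospital.

```python
"""Flag known-risk devices and derive a default-deny segmentation policy.

Added example; every address, firmware version and port here is constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Device:
    name: str
    ip: str
    vendor: str
    model: str
    firmware: str
    end_of_life: bool = False


# Constructed inventory, the kind a healthcare IoT security tool would collect.
INVENTORY = [
    Device("tug-ward3", "10.10.3.21", "Aethon", "TUG", "1.4.2", end_of_life=True),
    Device("tug-pharmacy", "10.10.3.22", "Aethon", "TUG", "2.1.0"),
    Device("infusion-icu7", "10.10.4.7", "ExampleMed", "Pump-X", "5.0.1"),
]

# Constructed risk fingerprints. "fixed_in" and "console_ports" are
# hypothetical placeholders, not values taken from a real advisory.
KNOWN_RISKS = [
    {"name": "JekyllBot:5", "vendor": "Aethon", "model": "TUG",
     "fixed_in": "2.0.0", "console_ports": [80, 443]},
]

# Flows a device needs to keep working (hypothetical addresses):
# (peer network, protocol, port, direction from the device's point of view).
REQUIRED_FLOWS = {
    "TUG": [("10.10.5.0/24", "tcp", 443, "out"),     # fleet management server
            ("10.10.7.10/32", "tcp", 502, "out")],   # elevator/door controller
    "Pump-X": [("10.10.6.0/24", "tcp", 8443, "out")],  # pump server
}
MGMT_SUBNET = "10.10.9.0/24"  # hypothetical biomed/IT management subnet
ANY = "0.0.0.0/0"


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def flag_devices(inventory, risks=KNOWN_RISKS):
    """Return (device, risk) pairs for devices running firmware below the fix."""
    hits = []
    for d in inventory:
        for r in risks:
            if (d.vendor, d.model) == (r["vendor"], r["model"]) and \
               version_tuple(d.firmware) < version_tuple(r["fixed_in"]):
                hits.append((d, r))
    return hits


def build_policy(device, risk=None):
    """Rule list for one device: (action, src, dst, proto, port), first match wins."""
    rules = []
    for peer, proto, port, direction in REQUIRED_FLOWS.get(device.model, []):
        src, dst = (device.ip, peer) if direction == "out" else (peer, device.ip)
        rules.append(("allow", src, dst, proto, port))
    if risk:  # virtual patch: console reachable only from the management subnet
        for p in risk["console_ports"]:
            rules.append(("allow", MGMT_SUBNET, device.ip, "tcp", p))
            rules.append(("deny", ANY, device.ip, "tcp", p))
    rules.append(("deny", ANY, device.ip, "any", None))  # silo: nothing else in
    rules.append(("deny", device.ip, ANY, "any", None))  # no lateral movement out
    return rules


def _match(rule, src, dst, proto, port):
    _, rsrc, rdst, rproto, rport = rule
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rsrc)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rdst)
            and rproto in ("any", proto)
            and rport in (None, port))


def flow_allowed(rules, src, dst, proto, port):
    for rule in rules:
        if _match(rule, src, dst, proto, port):
            return rule[0] == "allow"
    return False  # implicit deny


def blocked_flows(rules, observed):
    """Observed flows the policy would cut; review these before enforcing."""
    return [f for f in observed if not flow_allowed(rules, *f)]


if __name__ == "__main__":
    for device, risk in flag_devices(INVENTORY):
        print(f"{device.name} ({device.ip}) firmware {device.firmware}: {risk['name']}")
        for rule in build_policy(device, risk):
            print("  ", rule)
```

The `blocked_flows` step is the caveat from the list above made concrete: run the generated policy in monitor mode against the flows the robot actually produces, and only enforce once the only blocked flows are ones nobody needs, such as a robot reaching a file-sharing port on a workstation subnet.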
We here at Cynerio want to do our part to get healthcare cybersecurity on the right track, which is why we are disclosing vulnerabilities like JekyllBot:5 and offering our Active Attack Detection solution. We have seen enough hospital environments where no healthcare IoT security has been deployed yet to know that when Cynerio can analyze the IoT and IoMT devices, there are always critical threat and risk issues that rise to the surface. Let’s work together to shine a light on the healthcare IoT security gaps that need fixing and start flattening the curve on hospital cyberattack volume.