The Current State of Healthcare Endpoint Security
Securing endpoints in the healthcare industry can be challenging. Large hospital systems often have thousands of workstations used by many different employees, in addition to personal and work-issued smartphones and tablets.
These devices access patient data, and send data over different networks to patients and between healthcare systems. Network-connected medical devices also bring another point of entry to a hospital’s environment and patient data.
Keeping these endpoints up-to-date with the latest versions of operating systems, browsers, plugins and more is no simple task for healthcare IT admins. Furthermore, they may use applications with dependencies on software versions commonly targeted by malicious hackers.
It only takes one outdated device for a hacker to exploit a known vulnerability, install malware, steal passwords and/or gain access to an entire healthcare system and databases of patient data.
Healthcare Endpoints vs. Others
Here at Duo, we took a look at our customers in the healthcare industry compared to the rest of our users to gain insight into the current security health of their devices. We found many differences:
- Healthcare customers are logging into twice as many applications as the average user, widening the attack vector
- Twice as many healthcare endpoints have Flash installed and three times as many healthcare customers have Java installed on their devices, again, putting them at greater risk of vulnerabilities and exploitation
- Healthcare customers choose Internet Explorer 11 as their preferred browser, compared to the latest version of Chrome for other users
- Another 22 percent of healthcare customers browse dangerously on unsupported versions of IE
- It’s a Windows shop at healthcare organizations, at 82 percent. Ten percent of healthcare customers are on Windows 10, another three percent run the unsupported version of the operating system, Windows XP
Larger Attack Vector
We found that the average healthcare customer has around four applications they log into with Duo’s two-factor authentication, compared to our other customers that have 2.5 each.
That means healthcare customers are logging into almost twice as many applications as the average user - meaning healthcare customers have more accounts to target, increasing their chances of a compromise.
Outdated Flash and Java
Not only are they logging into more applications, our dataset also shows that twice as many healthcare endpoints have Flash installed compared to the rest of our users. Many exploit kits leverage Flash vulnerabilities that target outdated versions of the software, making it a popular and easy way to compromise a device, gain access and steal data.
On average, there’s three times as many healthcare customers with Java installed on their devices, at 36 percent. Only 12 percent of non-healthcare users have Java installed. Java is another plugin commonly exploited.
What could account for why healthcare users are running Java? Many popular electronic healthcare record (EHRs) systems and identity access and management (IAM) software supporting e-prescriptions require the use of Java.
Another 33 percent of healthcare customers have both Flash and Java installed on their devices used to log into healthcare networks, making them susceptible to vulnerabilities that affect either.
Internet Explorer vs. Chrome Users
The browser of choice for healthcare prevails as Internet Explorer (IE) 11, at 33 percent, compared to Chrome 48 (the latest version) for all other users, at 28 percent. Unfortunately, 22 percent of healthcare customers browse using outdated versions of IE, including versions 8, 9 and 10, compared to just 6 percent of other users.
This is obviously a security issue, as outdated browsers are another target to exploit. The use of outdated versions of IE is particularly worrisome as Microsoft announced its end of life for versions <10 of IE in January of this year, meaning they will no longer release security updates or patches for the browser.
Windows 10 and Windows XP
While healthcare is overwhelmingly running the Windows operating system (82%), they’re not all running the latest version, Windows 10. Only 10 percent of healthcare customers have adopted Windows 10, compared to 15 percent of other Duo users.
Meanwhile, three percent of healthcare customers run Windows XP as opposed to one percent of all other users. Microsoft announced its end of life for Windows XP two years ago. The security consequences of continuing to run Windows XP after this date is outlined by the company in its announcement:
Without critical Windows XP security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information. Anti-virus software will also not be able to fully protect you once Windows XP itself is unsupported.
Earlier this year, Melbourne Health’s networks were infected with malware after an exploit compromised the Royal Melbourne Hospital’s pathology department, which was running Windows XP.
The malware, known as Qbot, affects Windows versions XP to 7. It’s capable of stealing passwords, and logging keystrokes. According to ITNews.com, the malware bypassed the health dept.’s enterprise antivirus suite, successfully evading detection (just as Microsoft warned users in its end of life announcement). The infection forced hospital staff to resort to manual offline workarounds, using telephones and fax machines.
Our dataset also revealed that 76 percent of healthcare customers are running Windows 7. With more than 500 known vulnerabilities affecting Windows 7, there are many ways for an attacker to easily exploit flaws of an outdated OS to gain unauthorized access to a healthcare organization’s environment. Mainstream support for Windows 7 ended in mid-January, but Microsoft is still providing extended support and security patches through 2020.
One critical vulnerability allows for elevation of privileges, known as CVE-2014-4113. This flaw allows an attacker to run arbitrary code in kernel mode and install programs, alter data, or create new accounts with full admin rights. Windows 7 and Windows XP are most at risk, as these versions don’t have a new security feature that blocks the exploit code, as in Windows 8 and later versions, according to a Trend Micro blog.
Security Recommendations
How can healthcare organizations protect against the threat of malware and breaches due to outdated software? Duo recommends they employ the following:
- Keep OS, browsers, Flash, Java and other software up to date, and apply patches as soon as they’re available from vendors
- Enable strong access security controls, like strong, unique passwords; two-factor authentication; and access security policies to detect, warn, notify and block outdated devices
- Enable and require a minimum standard of security features on your users’ devices, including encryption, screen lock, passcodes, Touch ID and more
- Encrypt patient data while in transit, and in storage; never transmit patient data over public networks
Can’t keep track of all of your employees’ personal devices? Duo Access offers both endpoint visibility and two-factor authentication to track and block any outdated devices from accessing your environment, in addition to protecting your users and company from stolen passwords and account takeovers.