HHS HC3 Warns Healthcare Sector of IoT Device, Open Web Application Risks

The guidance recommends entities take steps for prevention and mitigation

Marian Colpasock McGee (HealthInfoSec) •
August 5, 2022


Federal authorities are urging healthcare sector entities to be proactive in addressing security risks posed by IoT devices and open web applications.


The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, in an advisory on the Internet of Things, reminds healthcare entities of the risks posed by devices equipped with sensors, software, and other technologies that communicate and exchange data over the internet.
In addition, a separate threat brief on open web application security highlights the Open Web Application Security Project's Top 10 list of security risks affecting those applications.
The briefs come on the heels of last month's HHS HC3 advisory urging healthcare sector entities to protect patient portals and other common web applications from cyberattacks (see: Feds Warn Healthcare Sector of Web App Attacks).

Internet of Things Advisory

HHS HC3 notes in its IoT advisory that common "smart" devices used in healthcare include patient blood pressure and heart rate monitors, glucose meters, and fitness trackers.
"Any device connected to the internet has the potential to be hacked and the Internet of Things is no exception," HC3 wrote. "A compromise of these devices can lead to devastating damages including tampering with traffic lights, shutting down home security systems, and harming human life."
Potential attacks involving these IoT devices include privilege escalation, man-in-the-middle, eavesdropping, distributed denial of service, brute force, and firmware hijacking, as well as physical tampering, says HHS HC3.
The advisory recommends that healthcare sector entities take decisive steps to reduce the risk of IoT attacks. These include reducing the IoT attack surface through network segmentation, that is, dividing the network into multiple subnets to prevent the spread of malware, reduce congestion, and reduce failures.
"This way, IoT devices are isolated from other IT equipment in use," says HHS HC3. "Organizations that operate without segmentation are at greater risk of being hacked."

Other steps HHS HC3 recommends that healthcare sector entities take to reduce IoT risks include:

  • Change default router settings.
  • Use strong, unique passwords on every device.
  • Avoid using Universal Plug and Play, or UPnP.
  • Keep software and firmware updated.
  • Implement a zero trust model.

Some experts say the security of IoT devices in healthcare can affect patients' health, and even their lives.
Two of the biggest concerns are unauthorized disclosure of confidential patient data and denial of service attacks, says Ryan Semerau, director of cloud security services at privacy and security consultancy Clearwater.
“Inaccurate, missing, or falsified information can lead to misdiagnosis, patient abuse, or equipment malfunction, which can seriously affect patient health and safety,” he says.
He adds that organizations may expose themselves to legal liabilities or government fines if these security concerns are not properly addressed.

Web Applications Risks

In Thursday's threat brief on open web application security, HC3 walks through OWASP's Top 10 list of security risks involving web applications and APIs, and urges healthcare sector entities to take action to address these issues.
"The OWASP Top 10 represents a broad consensus on the most significant security risks for web applications," says HHS HC3.
The federal brief describes OWASP's Top 10 in detail and presents a variety of mitigation and prevention steps that healthcare entities can take to avoid the security compromises associated with those risks.
The OWASP Top 10 web application risks, with samples of the mitigations HC3 suggests, include:

  • Broken access control: Entities can take steps such as enforcing unique application business limit requirements through domain models.
  • Cryptographic failures: Keys should be generated cryptographically randomly and stored in memory as byte arrays.
  • Injection: Source code review is the best method of detecting whether applications are vulnerable to injection.
  • Insecure design: Use threat modeling for critical authentication, access control, business logic, and key flows.
  • Security misconfiguration: Review and update the configurations appropriate to all security notes, updates, and patches as part of the patch management process.
  • Vulnerable and outdated components: Monitor for libraries and components that are unmaintained or that do not create security patches for older versions.
  • Identification and authentication failures: Where possible, implement multi-factor authentication to prevent automated credential stuffing, brute force, and stolen credential reuse attacks.
  • Software and data integrity failures: Use digital signatures or similar mechanisms to verify that software or data is from the expected source and has not been altered.
  • Security logging and monitoring failures: Ensure logs are generated in a format that log management solutions can easily consume.
  • Server-side request forgery: For front-ends with dedicated and manageable user groups, use network encryption on independent systems to meet very high protection needs.
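The injection item above is the one most easily shown in code. The following is an added example, not part of the HC3 brief or of any product it describes: a deliberately vulnerable lookup built by string concatenation, the hardened form using bound parameters, and the one case parameters cannot cover, a user-chosen ORDER BY column, which must be checked against an allowlist instead. The table, rows, and function names are constructed for illustration and use only Python's standard library sqlite3 module.

```python
import sqlite3

# Constructed sample data for a tiny patient-portal user table (not real records).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "bob@example.org"),
    (3, "carol", "carol@example.org"),
]

# Identifiers (column names) cannot be bound as SQL parameters, so a user-chosen
# sort column must be mapped onto a fixed allowlist before it touches the query.
SORTABLE_COLUMNS = {"id", "username", "email"}


def open_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: user input is spliced into the SQL text,
    so a tautology such as  x' OR '1'='1  rewrites the WHERE clause."""
    sql = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def list_users_sorted(conn: sqlite3.Connection, order_by: str) -> list:
    """Identifier case: reject anything outside the allowlist, then interpolate
    the (now known-good) column name. Binding '?' here would not work."""
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    sql = f"SELECT id, username, email FROM users ORDER BY {order_by}"
    return conn.execute(sql).fetchall()


def demo() -> tuple:
    """Run the same injection payload through both lookups.
    Returns (rows returned by vulnerable query, rows returned by safe query)."""
    conn = open_db()
    payload = "x' OR '1'='1"  # constructed payload; no such username exists
    vulnerable = find_user_vulnerable(conn, payload)
    safe = find_user_safe(conn, payload)
    return len(vulnerable), len(safe)


if __name__ == "__main__":
    print("vulnerable rows, safe rows:", demo())
```

The vulnerable lookup returns every row for the payload because the quote closes the literal and the `OR '1'='1'` is evaluated as SQL; the parameterized lookup returns none because the whole string is treated as a username value. Note that the allowlist is not optional polish: `ORDER BY ?` is rejected or silently ignored by most engines, so identifier positions are where string building survives in otherwise parameterized code.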
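Two of the list items above, key handling under cryptographic failures and source/integrity checks under software and data integrity failures, fit together in one small routine, and the same check is what a device would apply to a firmware image to counter the firmware hijacking mentioned in the IoT advisory. The following is an added example, not code from HC3 or OWASP: it uses an HMAC-SHA256 tag as the "similar mechanism" the brief allows in place of a public-key digital signature, generates the key from the OS CSPRNG and keeps it as bytes, and verifies with a constant-time comparison. The artifact contents and function names are constructed for illustration; only Python's standard library is used.

```python
import hashlib
import hmac
import secrets


def generate_key() -> bytes:
    """Cryptographic-failures mitigation: draw the key from the OS CSPRNG and
    keep it as raw bytes. A str key would tempt logging, encoding mistakes and
    accidental persistence in config files."""
    return secrets.token_bytes(32)


def tag_artifact(key: bytes, artifact: bytes) -> bytes:
    """Produce an HMAC-SHA256 tag binding the artifact to the key. Anyone who
    holds the key can produce or verify tags; that is the trade-off versus a
    public-key signature, where only the signer holds the private key."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify_artifact(key: bytes, artifact: bytes, tag: bytes) -> bool:
    """Integrity-failures mitigation: recompute and compare in constant time.
    A plain '==' on the digests would leak the match length through timing.
    compare_digest also returns False on a wrong-length tag instead of raising."""
    expected = tag_artifact(key, artifact)
    return hmac.compare_digest(expected, tag)


def demo() -> tuple:
    """Tag a constructed firmware image, then try the genuine image, a
    modified image, and a tag made under a different key.
    Returns (genuine_ok, tampered_ok, wrong_key_ok)."""
    key = generate_key()
    firmware = b"constructed firmware image v1.2"  # constructed sample payload
    tag = tag_artifact(key, firmware)
    genuine_ok = verify_artifact(key, firmware, tag)
    tampered_ok = verify_artifact(key, firmware + b"\x90\x90 backdoor", tag)
    wrong_key_ok = verify_artifact(generate_key(), firmware, tag)
    return genuine_ok, tampered_ok, wrong_key_ok


if __name__ == "__main__":
    print("genuine, tampered, wrong key:", demo())
```

The point a reviewer should carry from this to a real deployment is the key boundary: an HMAC tag proves the artifact came from someone holding the key, so if the verifier on a device holds the same key, anyone who extracts it from that device can forge updates. Where the update source must be trusted but the verifier cannot be, a public-key signature (for example Ed25519) keeps the signing key off the device while the check itself stays the same shape.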

"All web application vulnerabilities may be exploited, and the OWASP Top 10 are the most common," says Semerau.
In fact, HHS HC3 said in its web application security advisory last month that Verizon's latest Data Breach Investigations Report found web applications to be the top attack vector in healthcare.

“These warnings are useful as a reminder that healthcare organizations need to constantly reassess their security postures, as their technology choices change and when the threat landscape changes,” Semerau says.