Home Web app HHS HC3 Warns Healthcare of Risks from IoT Devices and Open Web Applications

HHS HC3 Warns Healthcare of Risks from IoT Devices and Open Web Applications


Advisories recommend entities take preventive and mitigating actions

Marianne Kolbasuk McGee (HealthInfoSec) •
August 5, 2022

Federal authorities are urging healthcare entities to be proactive in managing security risks posed by Internet of Things devices and open web applications.

See also: On demand | What’s Old Is New Again: Protect Yourself Against Check Fraud

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center in an IoT advisory reminds medical entities of the risks posed by devices equipped with sensors, software and other technologies for connecting and exchanging data on the Internet.

Additionally, a separate note on threats to open web applications highlights the Open Web Application Security Project’s list of top 10 security risks involving these applications.

This filing follows HHS HC3’s release last month of an advisory urging healthcare entities to protect their patient portals and other common web applications from cyberattacks (see: Federal government warns healthcare industry about web app attacks).

IoT Consulting

The HHS HC3, in its IoT advisory, notes that “smart” devices commonly used in healthcare include patient blood pressure and heart rate monitors, blood glucose meters and fitness trackers.

“Any internet-connected device can be hacked, and the Internet of Things is no exception,” writes HC3. “A compromise of these devices could result in devastating damage, including tampering with traffic lights, shutting down home security systems, and harm to human life.”

Potential attacks involving these IoT devices include privilege escalation, man-in-the-middle, eavesdropping, distributed denial of service, brute force, firmware hijacking, as well as physical tampering, according to HHS HC3 .

The advisory recommends that healthcare entities take key steps to reduce the risk of IoT attacks. They include reducing the attack surface on the IoT through network segmentation or dividing a network into multiple subnets to prevent the spread of malware, reduce congestion, and limit outages.

“This way, IoT devices are isolated from other IT equipment in use. Organizations operating without segmentation are at greater risk of being compromised,” says HHS HC3.

Other steps the HHS HC3 recommends healthcare entities take to reduce IoT risk include:

  • Change the router’s default settings.
  • Use strong and unique passwords on each device.
  • Avoid using universal plug and play or UPnP.
  • Keep software and firmware updated.
  • Implement a zero trust model.

According to some experts, the security of IoT devices in healthcare can affect patients’ health and even their lives.

Two of the biggest concerns are unauthorized disclosure of confidential patient data and denial-of-service attacks, says Ryan Semerau, director of cloud security services at privacy and security consultancy Clearwater.

“Inaccurate, missing, or falsified information can lead to misdiagnoses and patient mistreatment or equipment malfunction, which could seriously affect a patient’s health and safety,” he says.

Organizations can face legal liabilities or government fines if they don’t properly address these security issues, he adds.

Web Application Risks

In its threat brief released Thursday on Open Web Application Security, HC3 outlines OWASP’s list of top 10 security risks involving web applications and application programming interfaces, urging entities in the health sector to take action to address these issues.

“The OWASP Top 10 represents a broad consensus on the most critical security risks for web applications,” says HHS H3.

The federal filing details the OWASP Top 10 and offers a variety of mitigation and preventative measures that healthcare entities can take to avoid security compromises involving these risks.

The top 10 OWASP web application risks and examples of the various mitigation measures suggested by HC3 include:

  • Broken Access Controls: Entities can take actions such as having domain models enforce their unique application business limit requirements.
  • Cryptographic failures: Keys should be randomly generated with cryptography and stored in memory as byte arrays.
  • Injection: Source code review is the best way to detect if applications are vulnerable to injections.
  • Insecure design: Use threat modeling for critical authentication, access control, business logic, and key flows.
  • Misconfiguration of security: Review and update appropriate configurations to all security notes, updates, and fixes as part of a patch management process.
  • Vulnerable and obsolete components: Watch for libraries and components that are not maintained or failing to create security patches for older versions.
  • Identity and authentication failures: Whenever possible, implement multi-factor authentication to prevent automated credential stuffing, brute force, and stolen credential reuse attacks.
  • Software and data integrity failures: Use digital signatures or similar mechanisms to verify that the software or data comes from the expected source and has not been modified.
  • Security logging and monitoring failures: Ensure that logs are generated in a format easily usable by log management solutions.
  • Server-side request forgery: For front-end servers with dedicated and manageable user groups, use network encryption on independent systems to account for very high protection needs.

“All web application vulnerabilities can be exploited, and the OWASP Top 10 are the most common,” says Semerau.

In fact, HHS HC3, in its web application security advisory, said last month that Verizon’s latest data breach investigation report found web applications to be the primary attack vector in the field of health.

“These advisories are helpful reminders that healthcare organizations should continually reassess their security postures, both as their technology choices change and as the threat landscape changes,” Semerau said.