Aging medical imaging devices are among those most vulnerable to security incidents, often due to misconfigurations and a lack of security controls, says Elisa Costante, vice president of research at security firm Forescout.
“Some of this equipment is in the network a long time – 10, 20 or even 30 years – because they represent a big investment,” she says in an interview with Information Security Media Group discussing a recent study examining the security risk levels of various IoT, operational technology and internet of medical things devices in healthcare.
Many legacy digital imaging and communications in medicine – or DICOM – workstations still in use today were designed years ago without security in mind, yet are responsible for transmitting very sensitive patient information, such as medical imaging studies.
In other cases, the devices have security capabilities that are simply not turned on, she says. “DICOM has a functionality that allows the workstations to transmit the data encrypted. But what we observe is that this is almost never enabled,” she says. “Without encryption, the risk of compromise is very high.”
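The encryption Costante refers to is DICOM's TLS-based Secure Transport Connection Profile (DICOM PS3.15). When it is not in use, every association starts with a cleartext A-ASSOCIATE-RQ PDU (PS3.8, section 9.3.2) that exposes both Application Entity titles and the SOP classes about to be transferred, so the condition she describes is easy to spot passively. The Python below is an added example written for this page, not code from the article or from Forescout: it builds a constructed sample PDU, parses it, and labels the first bytes of a TCP stream as a TLS handshake, a cleartext DICOM association or something else. The addresses, AE titles and flows are hypothetical; only the standard UIDs and the well-known ports 104 (DICOM) and 2762 (DICOM-TLS) are taken from the standard.

```python
"""Passive detector for unencrypted DICOM associations (added example).

Every DICOM network session begins with an A-ASSOCIATE-RQ PDU (DICOM PS3.8,
section 9.3.2). When the association rides on the TLS profile from PS3.15,
the first bytes on the wire are a TLS ClientHello and the PDU is not visible;
when encryption is off, the PDU, AE titles and SOP classes are all readable.
The flows, AE titles and addresses below are constructed samples, not captures.
"""
import struct
from typing import List, Optional

PDU_A_ASSOCIATE_RQ = 0x01
APP_CONTEXT_UID = "1.2.840.10008.3.1.1.1"      # DICOM Application Context Name
CT_IMAGE_STORAGE = "1.2.840.10008.5.1.4.1.1.2"  # CT Image Storage SOP Class
IMPLICIT_VR_LE = "1.2.840.10008.1.2"           # Implicit VR Little Endian


def _item(item_type: int, payload: bytes) -> bytes:
    """Encode a PDU item or sub-item: type, reserved byte, 2-byte BE length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def build_associate_rq(called_ae: str, calling_ae: str,
                       abstract_syntax: str, transfer_syntaxes: List[str]) -> bytes:
    """Build a minimal A-ASSOCIATE-RQ PDU, used here only to construct sample traffic."""
    app_ctx = _item(0x10, APP_CONTEXT_UID.encode())
    pres_sub = _item(0x30, abstract_syntax.encode())
    for ts in transfer_syntaxes:
        pres_sub += _item(0x40, ts.encode())
    # Presentation context: ID 1 plus three reserved bytes, then its sub-items
    pres_ctx = _item(0x20, struct.pack(">BBBB", 1, 0, 0, 0) + pres_sub)
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384)))  # max PDU length
    body = (struct.pack(">HH", 1, 0)              # protocol version 1, reserved
            + called_ae.ljust(16).encode()[:16]   # AE titles are 16 bytes, space padded
            + calling_ae.ljust(16).encode()[:16]
            + bytes(32)                           # reserved
            + app_ctx + pres_ctx + user_info)
    return struct.pack(">BBI", PDU_A_ASSOCIATE_RQ, 0, len(body)) + body


def parse_associate_rq(pdu: bytes) -> Optional[dict]:
    """Return AE titles and proposed syntaxes if pdu is a well-formed A-ASSOCIATE-RQ, else None."""
    if len(pdu) < 74 or pdu[0] != PDU_A_ASSOCIATE_RQ:
        return None
    pdu_len = struct.unpack(">I", pdu[2:6])[0]
    if 6 + pdu_len > len(pdu):
        return None                               # truncated PDU
    if (struct.unpack(">H", pdu[6:8])[0] & 0x0001) == 0:
        return None                               # protocol version bit 0 must be set
    info = {"called_ae": pdu[10:26].decode("ascii", "replace").strip(),
            "calling_ae": pdu[26:42].decode("ascii", "replace").strip(),
            "app_context": None, "abstract_syntaxes": [], "transfer_syntaxes": []}
    pos, end = 74, 6 + pdu_len                    # variable items follow the fixed header
    while pos + 4 <= end:
        itype, _, ilen = struct.unpack(">BBH", pdu[pos:pos + 4])
        payload = pdu[pos + 4:pos + 4 + ilen]
        if len(payload) < ilen:
            return None                           # item runs past the PDU
        if itype == 0x10:
            info["app_context"] = payload.decode("ascii", "replace").rstrip("\x00 ")
        elif itype == 0x20:
            sp = 4                                # skip presentation-context-ID and reserved bytes
            while sp + 4 <= len(payload):
                stype, _, slen = struct.unpack(">BBH", payload[sp:sp + 4])
                uid = payload[sp + 4:sp + 4 + slen].decode("ascii", "replace").rstrip("\x00 ")
                if stype == 0x30:
                    info["abstract_syntaxes"].append(uid)
                elif stype == 0x40:
                    info["transfer_syntaxes"].append(uid)
                sp += 4 + slen
        pos += 4 + ilen
    return info if info["app_context"] == APP_CONTEXT_UID else None


def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes of a TCP stream: 'tls', 'dicom-plaintext' or 'other'."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"                              # TLS handshake record header (ClientHello)
    if parse_associate_rq(data) is not None:
        return "dicom-plaintext"
    return "other"


def find_unencrypted_dicom(flows) -> List[dict]:
    """flows: iterable of (src, dst, dport, first_bytes). One finding per cleartext association."""
    findings = []
    for src, dst, dport, data in flows:
        if classify_first_bytes(data) == "dicom-plaintext":
            rq = parse_associate_rq(data)
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "calling_ae": rq["calling_ae"], "called_ae": rq["called_ae"],
                             "abstract_syntaxes": rq["abstract_syntaxes"]})
    return findings


# Constructed sample flows (hypothetical addresses and AE titles, not captured traffic):
# a CT modality sending to a PACS in the clear on the classic DICOM port 104,
# a workstation using DICOM-TLS on 2762 (only a ClientHello fragment is visible),
# and an unrelated HTTP request.
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.1.5.10", 104,
     build_associate_rq("PACS", "CT01", CT_IMAGE_STORAGE, [IMPLICIT_VR_LE])),
    ("10.1.5.21", "10.1.5.10", 2762, bytes.fromhex("160301002c0100002803036b")),
    ("10.1.5.22", "10.1.5.10", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for f in find_unencrypted_dicom(SAMPLE_FLOWS):
        print(f"cleartext DICOM: {f['src']} ({f['calling_ae']}) -> {f['dst']}:{f['dport']} "
              f"({f['called_ae']}) SOP classes {f['abstract_syntaxes']}")
```

Two caveats for anyone running this against real captures: the `0x16 0x03` check is a heuristic for a TLS record header, not a full handshake parser, and a cleartext association on port 2762 or a TLS one on port 104 is reported correctly only because the classifier looks at the bytes rather than the port. A definitive, active check is to attempt an unencrypted association (a C-ECHO of the Verification SOP class) against each AE title; an AE that accepts it has the feature Costante describes switched off.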
In the interview, Costante also discusses:
- Security risks involving other IT and OT devices – including Voice over Internet Protocol systems, HVAC systems and lighting gear – used in healthcare settings;
- Steps healthcare entities can take to reduce risks involving connected devices in their environments;
- What medical device vendors and other manufacturers can do to reduce the security risks in their connected products used in healthcare environments.
As vice president of research at Forescout, Costante leads the activities of the company’s Vedere Labs, a team of cybersecurity researchers focused on vulnerability research, threat analysis and threat mitigation. She has more than a decade of experience dealing with the security of IT/OT/IoT convergence. Costante previously was CTO at SecurityMatters, which is now part of Forescout, where she led product innovation activities in the field of network intrusion detection.