The medical industry is especially vulnerable to attacks stemming from workstations on wheels. In this post, we will lay out the problems they introduce and tell you how to address them.
Healthcare facilities are busy places, and it’s critical their staff have the freedom to move around throughout their day while still remaining connected to the applications they depend on.The industry’s response to this need is deceptively simple: just make their workstations accessible wherever they go. This is the concept behind the workstation on wheels (WOW), a free-standing cart that generally provides a work surface, a means to physically secure a monitor and PC in place, and network connectivity — a simple and effective solution.
Defining the Problem
Whether you know them as computers on wheels (CoWs), medical carts, mobile workstations, or computer carts, WOWs have become a ubiquitous presence in modern medical environments. This mobility is essential for workers to perform duties like accessing patient records, entering new data, staying in communication with other staff, and logging their activity, all of which would be much more labor-intensive processes without easy access to a workstation. WOWs can easily be deployed wherever they are needed most and then quickly redeployed in another location as needed.
WOWs are so commonplace that you might not even think about them as a possible target for cyber attacks. However, their versatility, the very trait that makes them so useful, also makes them a huge cybersecurity risk. Since WOWs are used by multiple individuals, often left unattended, and portable, they provide easy physical entry points for bad actors. Just a brief window is all a patient, visitor, contractor, or anyone else in the building would need to infect a WOW with malware. All they would need to do is find an unattended cart, pop in a USB stick, install a keylogger, or visit a malicious domain, and suddenly you have a cybersecurity nightmare on your hands — one that completely bypassed your perimeter defenses. This compromised machine could be used as a launch point for any number of attacks, including ransomware, disruptions to services, and data exfiltration.
In fact, instead of “workstations on wheels,” WOWs would more accurately be described as “wide-open workstations,” since they present such easily exploitable targets. Unfortunately, we have run into far too many examples of other types of wide-open workstations, not only in the healthcare field, but in nearly every industry we have worked in. For the purposes of this blog, the “wide-open workstation” we will mostly focus on is the traditional WOW cart, though we will touch on others as well.
While employees at most businesses spend almost all of their time logged into a single workstation used by them and them alone, workers in the medical field are often moving from room to room, using WOWs to get network access wherever they are. This means multiple employees will be constantly logging in and out of the WOWs over the course of the day, leaving gaps of time during which workstations are left unattended. Additionally, WOWs that are not in current use, but aren’t stored securely can also be easily exploited. Finally, their mobile nature means that WOWs can be moved into isolated places where improper usage can be carried out in secret.
In addition to their mobility, another appealing feature of WOWs is that they can be accessed by multiple users, a convenience that accommodates shift changes, broken hardware, the need for interchangeability, etc. However, this feature also introduces risks of its own. If a staff member forgets to log out after using the WOW, the machine is wide open for anyone to use (at least until they’re timed out). This allows visitors or other staff members to access restricted websites or otherwise use the workstation improperly while masking themselves under the previous user’s account. Or, if the previous user had higher access privileges, the subsequent user could use this opportunity to write fraudulent prescriptions, access confidential patient records, or any number of other inappropriate activities.
Other Open Workstations
If we look at it from a probability perspective, simply having so many users with rights to so many accessible machines makes it much more likely that one will eventually be compromised. If a bad actor is able to obtain login information for one user — perhaps via a phishing attack or social engineering scam — they can login at any workstation at any time, providing another launchpad for attacks, data exfiltration, or other illegal actions.
But even if nothing as nefarious as a targeted attack is going on, WOWs can still be used in a way that violates their organization’s policies and controls. For example, while monitoring the network traffic at a well-known medical institution, HYAS discovered that several of their employees had been accessing adult content from WOWs. Not only was this a breach of policy, it also exposed the organization to undue risk, as adult websites are often used as vectors for attacks. Similarly, we have uncovered instances of employees using unauthorized VPNs, potentially exposing all of their traffic to nefarious third parties. You can have all the rules you want, but if you have no way to make sure they’re being followed, you might as well have none at all.
These same risks extend beyond carts equipped with computers. Healthcare environments are full of other examples of wide-open workstations. Access points in examination rooms are often left unattended with patients still in the room. Nurse’s stations could be a vector if there are windows when they are unstaffed or if a distraction draws away their attendants’ attention. Security teams also have to reckon with the fact that In the modern workplace, employees carry around mini workstations all day long in their pockets. Smartphones (or tablets) are easy to temporarily misplace or lose entirely, giving bad actors an entry point to the network. While only a decade ago, administrators might have had hundreds of devices on their networks, today they have to contend with thousands. The amount of connected devices used by the healthcare industry (along with every other industry) has exploded in recent years, and unfortunately, in this early phase of the IoT revolution, security is often an afterthought for those designing these products, so each device presents its own unique set of vulnerabilities. And these are just a few examples of wide-open workstations that can be exploited by bad actors.
Unfortunately, all of the vulnerabilities we have discussed so far take advantage of a bad actor having physical access to the WOW at some point, thereby bypassing the outward-facing defenses of your cybersecurity strategy. So what can you do to protect yourself? The only way to take a proactive stance against these threats is by enhancing your resiliency through visibility.
|“Did you know that at least 93 percent of malware attacks utilize DNS communication at some point during their lifespan?”|
A successful attack on a healthcare target is incredibly costly and disruptive, and many organizations just aren’t equipped to deal with one. In fact, organizations in the healthcare sector have the highest ransomware payout rate of any industry — a testament to how damaging these attacks can be.
Did you know that at least 93 percent of malware attacks utilize DNS communication at some point during their lifespan? That’s why it's so important to have a DNS monitoring solution in place to detect threats in real time, giving you and your team the opportunity to proactively respond to the situation before it does any damage. Because of our superior threat intelligence and deep understanding of adversary infrastructure, HYAS’s solutions are accurate and reliable. They are also simple to integrate into your existing security architecture, adding an extra layer of security without disrupting your operations.
It’s benefits like these that HYAS’s domain-based solutions are trusted by three of the Fortune Five companies, international law enforcement agencies, and the Department of Homeland Security.
Even if you have already been hit, it’s not too late to take advantage of the benefits of enhanced visibility into your environment. Utilizing DNS monitoring during the post-attack period, you can make sure that none of your machines are still secretly harboring pieces of malicious code that were missed during the clean-up phase of incident response. It can also be used going forward to ensure company regulations or controls are being followed, reducing your overall risk.
It’s clear that the vulnerabilities inherent to WOWs in a medical environment present a clear danger. However, these “wide-open workstations” and their associated vulnerabilities are not isolated to the medical field. Mobile workstations are used across many industries, including film and television, construction, mining, automobile repair, and manufacturing. Even though these industries are vastly different from healthcare, they all face the same challenges introduced by WOWs — only the setting changes.
HYAS is committed to helping you find and address your own WOWs to stay a step ahead of your adversaries. We know WOWs exist in every vertical, because we’ve found them. That’s why we want to hear about the worst “wide-open workstation” nightmare you have seen during your career.
Share your juiciest story by following the link below, and the best submissions will be entered into a drawing to win four USDA Prime 24 oz steaks from Peter Luger Steak House in New York!