
UK medical org avoids data breach thanks to ingenious “non-perfect” cybersecurity solution

Overview

Industry – Medicine

Location – UK

Organisation – Classified

  • The client had an MRI system attached to an outdated computer running an outdated operating system. It was, therefore, a high security risk, as patient, employee and research data could easily have been compromised.
  • The client couldn’t replace the outdated equipment because of vendor and compliance restrictions, and their legal and financial implications.
  • Fortifi, having dealt with red-tape situations like this before, advised a “non-perfect” cybersecurity solution that protected the data without altering the certified system.

Introduction

We were approached by a UK-based medical organisation and tasked with conducting a straightforward penetration test to determine whether there were any weaknesses within their internal infrastructure.

Like all medical organisations, their data stores contain highly confidential patient, employee and research data, so they must have at least one penetration test annually.

The Problem

Our expert pentesters quickly identified outdated operating systems within their internal infrastructure and alerted the client – a common problem easily remediated – or so we thought.

Our initial remediation advice was that the client should replace their legacy equipment with modern systems that still received OS support. With OS support, the client ensures that their system still receives all the necessary patch updates, keeping it secure. Unfortunately, for legal and financial reasons, this wasn’t an option.

The problem was that the outdated operating system was connected to an MRI machine, which, under UK medical compliance standards and vendor contract demands, is certified as an entire system rather than a standalone unit.

So, if you alter anything, not only does the whole system need to be recertified, but if something goes wrong and the vendor has not given the green light for the change, the medical organisation is liable for any damages.

Stuck between a rock and a hard place, the client returned to us for a solution. They couldn’t afford to alter the system, but the risks of doing nothing were potentially life-threatening.

Now, we encounter red tape issues like this all the time, so our cyber security experts knew exactly what to do.

The “Non-Perfect” Solution

We advised the client to segregate their system, creating a network segment for that specific MRI machine.

Segmentation divides a computer network into smaller parts to improve network performance and security, and by doing this you can limit the traffic allowed to flow between the different network segments.

In this instance, the MRI machine needed to communicate with a server outside its network segment, but no network segment could be allowed to send traffic to the MRI machine.

Essentially, we advised the client to build a secure bubble around the vulnerable machine since, for compliance reasons, the client was not able to make changes directly to the machine. It is important to remember that the machine is still vulnerable. All we did was make it harder to access.

Hence, the term “non-perfect.” The machine is still vulnerable, but the risk has been managed through segregation/segmentation.
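A one-way segment policy of the kind described above, written as an nftables ruleset for the gateway between the MRI segment and the rest of the network. This is an added illustration, not configuration from Fortifi or the client; the interface name, addresses and the server port are assumed placeholders, and it assumes the server only ever replies to connections the MRI opens.

```nft
# Gateway between the MRI segment and the rest of the network.
# Interface, addresses and port are assumed placeholders, not the client's values.
define mri_if   = "vlan_mri"     # interface facing the isolated MRI segment
define mri_host = 10.50.10.10    # the MRI workstation (unpatched, must not be changed)
define srv_host = 10.20.0.5      # the one server outside the segment the MRI must reach
define srv_port = 104            # port that server listens on (assumed)

table inet mri_segment {
    chain forward {
        # Default is drop in both directions: nothing crosses the segment
        # boundary unless a rule below explicitly allows it.
        type filter hook forward priority 0; policy drop;

        # Packets the connection tracker cannot classify are discarded.
        ct state invalid drop

        # Replies belonging to a connection the MRI itself opened are let back in.
        # This is the only way traffic ever enters the MRI segment.
        ct state established,related accept

        # The MRI may open new connections only to the one server, on the one port.
        # Any other outbound attempt (e.g. from a compromised MRI) hits the drop policy.
        iifname $mri_if ip saddr $mri_host ip daddr $srv_host tcp dport $srv_port ct state new accept

        # Anything else headed into the MRI segment is logged, then dropped.
        # The log prefix is the detection signal for scans or pivots towards the MRI.
        oifname $mri_if log prefix "mri-segment-deny: " drop
    }
}
```

Load it with `nft -f`; the logged denies give the monitoring team a cheap alert for anything that tries to reach the still-vulnerable machine.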

The Results

Because of this “non-perfect” solution, our client saved thousands of pounds and ensured that patient, employee and research data remained secure.

To the best of our knowledge, this particular “vulnerable” MRI machine is still in use today. Thanks to the expertise of our CREST-qualified pentesters, the risk was managed and the crisis was averted.

People often falsely believe cyber security is a binary practice. It is common for organisations, large and small, to accept certain levels of risk when faced with no useful alternative.

When faced with a situation like this, our cybersecurity team has to suggest the solution that best enables the client to manage the risk they are accepting and to reduce the vulnerability as much as possible, even if it is not the optimal solution.

It’s important to note that while this case study centres around vendor and compliance red tape in the UK medical industry, these issues are common worldwide and across almost all sectors.

If you require an annual pentest or find yourself hamstrung by red tape, contact us today!
