Healthcare facilities, specifically hospitals, often perform critical, life-saving operations. Technology has developed in a way that it now assists in these operations. And the introduction of the Internet of Medical Things (IoMT Security) has proven to be mission-critical. However, the reliance on a Wi-Fi connection has left the healthcare industry extremely vulnerable to Evil Twin attacks and Rogue Access Points – A rogue access point is an access installed on a network, posing as a legitimate access point, without the owner’s consent. What’s even more concerning is that such attacks frequently go undetected, posing a significant threat to patient data privacy and the overall integrity of medical operations.
Evil Twin and Rogue Access Points
In an Evil Twin attack, a malicious actor creates rogue access points (AP). That impersonate a legitimate access point (AP) by perfectly spoofing its SSID and BSSID (MAC address). To have users connect to it, the rogue access point will either send stronger signals than the legitimate AP. Or shut down the legitimate AP and replace it. Unknowingly connected to the rogue AP, the user’s traffic is now exposed to the adversary. This allows further malicious activity. A perpetrator can perform interception, traffic manipulation and Man in the Middle Attack (MITM Attack) to hijack the session and access sensitive information. Evil Twin attacks might even provide the perpetrator with complete control over the entire network. Healthcare entities are an extremely appealing target due to the data collected. Healthcare information is highly sought after on the dark web. It brings large financial rewards to the seller.
Vulnerabilities Allow Evil Twin Attacks
In the case of healthcare delivery organizations (HDOs), Rogue Access Points can serve as a key tool in executing Evil Twin attacks. Evil Twin attacks involve the creation of a fake wireless network that closely resembles a legitimate network, such as a hospital’s Wi-Fi. Unsuspecting users then connect to this malicious network, believing it to be the genuine one. Once connected, attackers can intercept sensitive data, such as patient information, medical records, and other confidential data transmitted over the network.
The increasing reliance of healthcare organizations on technology further exacerbates the risk posed by Rogue Access Points. With the proliferation of connected medical devices, electronic health records, and telemedicine platforms, there are more entry points for attackers to exploit. Additionally, the vast amount of sensitive data stored and transmitted within the healthcare sector presents an enticing target for malicious actors.
Healthcare Facilities Require a Complex Wi-Fi Infrastructure
Research by Zingbox found that there is an average of 10-15 connected medical devices per hospital bed (82% of healthcare organizations have experienced an IoT-focused cyberattack, survey finds). The importance of internet-connected devices within the healthcare industry has meant that wireless networks are a fundamental component of the healthcare industry. According to Aruba Networks Product Marketing Manager Rick Reid, “In a healthcare setting, the network has to be extremely reliable because it’s literally life or death… Once a hospital moves to that critical communication method you have to make sure it works in the stairwell and it works in the hallways. You can’t have any dead spots.” This heavy reliance calls for a very complex, interconnected Wi-Fi infrastructure to ensure access is available everywhere.
However, HDOs tend to be expansive facilities, so ensuring coverage over the entire area can be a challenge. Gaps in coverage provide space for rogue access points, configured with the same SSID and BSSID as the legitimate AP. Appearing genuine, users and devices will not hesitate to connect to the rogue AP since it is sending stronger signals.
Public Facilities are Vulnerable to Rogue Access Points
An Evil Twin attack involves the creation of rogue access points, which are unauthorized wireless access points designed to mimic legitimate ones. To successfully execute an Evil Twin attack, the rogue access point needs to be in relatively close proximity to the target network. So that the rogue AP gets detected. HDOs are open to all members of the public, meaning the perpetrator can easily achieve this. Importantly, gaining control over the network is simpler when the network is public. As is the case in many HDOs’ infrastructure. Even with a password restriction, the relevant credentials are typically openly displayed to enable easy access for patients and visitors.
The Healthcare Industry Lacks Cybersecurity
As an industry that performs life-saving operations, patient safety is the priority for HDOs. Not only does this mean cybersecurity is an afterthought, but it is sometimes even considered a hindrance to operations. Which increases the risk of cyber security threats in healthcare facilities. It is, therefore, no surprise that the healthcare industry lacks good cyber hygiene practices. Foremost, connecting to an AP will be done without a second thought due to employee negligence. As rogue access points perfectly spoof the legitimate AP, it is almost impossible for staff members to detect the illegitimacy of rogue access points. Moreover, research by Forescout found that security measures such as encryption and network segmentation are insufficient in hospitals. With many IoTs connected to the same network as critical IoMTs (Connected Medical Device Security). Without these healthcare IoT security measures, an Evil Twin attack can cause substantial damage.
Sepio’s HAC-1 Hardware Access Control solution offers a robust defense against the threat of Rogue Access Points and the associated Evil Twin attacks. By constantly monitoring and analyzing all wireless communication in real-time through Machine Learning, HAC-1 identifies all devices operating within the enterprise’s environment. Including MAC-spoofed devices which otherwise go undetected. HAC-1’s policy enforcement mechanism allows the solution to instantly detect suspicious connections and trigger a mitigation process through integrated Network Access Control products.