How to prevent man-in-the-middle attacks in healthcare

Author: Sue Poremba

It is important to understand the damage man-in-the-middle attacks (MiMAs) can do to medical networks. It's vital to recognize how this threat is part of the broader healthcare cyber security ecosystem and understand how to prevent man-in-the-middle attacks before they cause damage.

What to know about Man-in-the-Middle attacks

The first step in knowing how to prevent man-in-the-middle attacks is for healthcare teams to understand how the attacks work and what makes a system vulnerable to them.

Man-in-the-middle attacks occur when the threat actor slips into the conversation between a user and an application or into a device-to-device communication. Here, they'll either eavesdrop to gain information or impersonate one side of the conversation. From this vantage point, the threat actor is able to hijack sensitive information and take control of the transmitted data. A man-in-the-middle attack in healthcare could result in theft of, for example, opioid prescriptions, or could even lead to the manipulation of pacemakers and other medical devices. This is why man-in-the-middle prevention is a high priority for security teams.

Man-in-the-middle attacks usually have two parts: interception and decryption. Interception is how they get into the system; unsecured Wi-Fi is a possible route, as is DNS manipulation or credential theft. Threat actors will also take advantage of weak passwords. Once inside, threat actors capture transmitted data and begin decrypting the compromised information.

Healthcare and Man-in-the-Middle attacks

One reason the healthcare industry is particularly susceptible to man-in-the-middle attacks is the growing use of IoT devices for patient care. IoT is helping to improve healthcare delivery in several ways, from electronic health and telesurgery to mobile health and remote patient monitoring.

The average hospital uses thousands of network-connected devices—about 17 per hospital bed. The global IoT healthcare market is estimated to increase at a compound annual growth rate of 25.9% and reach $190 billion by 2028, up from $73.5 billion in 2021. IoT devices can be more vulnerable to man-in-the-middle attacks because they may not have the full range of mitigation techniques, such as encryption protocols. One survey of medical IoT devices found 15%-19% of the devices were running on Windows 7 or older, leaving them at least a decade behind today's security standards.

Man-in-the-middle attacks are also gaining increasing attention because of a shift in cyberattacks within the healthcare industry. According to the recent Data Breach Investigations Report (DBIR), external threat actors are now responsible for most of the industry's cyber incidents—a shift from years past. Personal data was compromised more than medical data. Why? As the DBIR posits, privacy controls around medical data are more difficult to breach, and personal data may be easy pickings. No matter what, man-in-the-middle prevention is necessary to protect all data.

How to prevent Man-in-the-Middle attacks

Man-in-the-middle attack mitigation is difficult because this type of cyber attack is stealthy. Threat actors can slip in and out of a network without a trail. Man-in-the-middle prevention is centered on keeping the threat actor from gaining access to your network in the first place. That's accomplished with a combination of security tools, human behavior modifications, and partnering with a security provider who offers a holistic approach to protecting devices, networks and data.

Security tools

When looking at how to prevent man-in-the-middle attacks, the best security tools are often the most basic tools in your cybersecurity system. They include:

  • Firewalls and VPNs
  • SSL and security certificates
  • Multi-factor authentication to control access
  • Deploying endpoint security to protect IoT devices directly
  • Employing hard-line connections for sensitive devices to critical networks

Hospitals and other healthcare locations may offer public Wi-Fi. This should be kept separate from internal networks, which should use strong Wired Equivalent Privacy (WEP) / Wi-Fi Protected Access (WPA) encryption. A WEP/WPA encryption mechanism can help prevent unwanted users from joining your network. A weak encryption mechanism could allow an attacker to brute-force their way into the network or use a MiMA to access your browser.
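The two Wi-Fi controls described above (guest Wi-Fi kept separate from internal networks, and no weak encryption on internal networks) can be checked against a wireless inventory. The following is an added example, not part of the original article; the SSIDs, VLAN numbers and field names are constructed. The list of accepted modes (WPA2 and WPA3 only) is this example's assumption: WEP and TKIP-based WPA are deprecated, so the audit treats them as weak.

```python
# Added example: audit a wireless inventory for guest/internal separation
# and weak encryption. All SSIDs, VLAN ids and field names are constructed.
from dataclasses import dataclass

# Assumption of this example: only WPA2/WPA3 modes count as strong.
STRONG = {"WPA2-PSK", "WPA2-ENTERPRISE", "WPA3-SAE", "WPA3-ENTERPRISE"}


@dataclass(frozen=True)
class Ssid:
    name: str
    role: str      # "guest" (public Wi-Fi) or "internal"
    security: str  # as reported by the controller, e.g. "OPEN", "WEP"
    vlan: int


def audit(ssids):
    """Return sorted (ssid, finding) pairs for every policy violation."""
    findings = []
    internal_vlans = {s.vlan for s in ssids if s.role == "internal"}
    for s in ssids:
        mode = s.security.strip().upper()
        if s.role == "internal" and mode not in STRONG:
            findings.append(
                (s.name, f"internal SSID uses weak or no encryption ({mode})"))
        if s.role == "guest" and s.vlan in internal_vlans:
            findings.append(
                (s.name, f"guest SSID shares VLAN {s.vlan} with an internal network"))
        if s.role not in ("guest", "internal"):
            findings.append(
                (s.name, f"unclassified role {s.role!r}; review manually"))
    return sorted(findings)


# Constructed inventory, shaped like an export from a wireless controller.
SAMPLE = [
    Ssid("Hospital-Guest", "guest", "OPEN", 300),
    Ssid("Clinical-Staff", "internal", "WPA2-Enterprise", 110),
    Ssid("Infusion-Pumps", "internal", "WEP", 120),
    Ssid("Cafeteria-Free", "guest", "OPEN", 110),
    Ssid("Imaging-Legacy", "internal", "wpa-tkip", 130),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```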

Human behavior

If you want to properly educate your organization on how to prevent man-in-the-middle attacks, you need to factor in the human aspect. Verizon's 2022 Mobile Security Index (MSI) found that nearly half of all compromises were due to human behavior. Security awareness training designed for man-in-the-middle attack prevention should include:

  • Why public and open Wi-Fi systems are risky and how to avoid using them
  • How to spot fake websites
  • Why to only use secure websites (HTTPS)
  • Learning to identify and avoid phishing scams

That said, education by itself is not sufficient—there are also policy measures that can be implemented. The MSI found that 8% of organizations admitted to not using a VPN when using public Wi-Fi and that nearly half (46%) of VPN clients are misconfigured or out of date. Additionally, less than a third of organizations (32%) ban the use of public Wi-Fi, and only about half (52%) of those actually do anything to enforce that policy.

One estimate cited in the MSI suggests that 1% of employee devices encounter a high-risk Wi-Fi hotspot each week. You may also want to reconsider your policy on bring your own devices (BYOD) vs. corporate liable devices.

The healthcare industry and its employees have been under considerable strain while responding to the pandemic, and some employees may have advocated for security policies to be relaxed to make things easier. According to the MSI, one-third of organizations had relaxed authentication requirements to cope with COVID-19 restrictions. Yet, given the grave consequences of an attack, it is important that security measures are retained despite these pressures.

Partner with a trusted security provider

The right security partner can provide the threat intelligence leadership necessary to guide a healthcare organization through all their cyber security needs. As the healthcare industry increases its use of IoT and mobile devices to improve communication among patients and practitioners and manage physical care, threat actors will have more ways to infiltrate healthcare networks. Even if their overarching goal isn't to disrupt care, stopping critical treatment to a patient due to a cyber attack is always a risk. A threat intelligence leader can offer guidance on what types of systems are needed for man-in-the-middle prevention and to protect sensitive data covered by HIPAA. This will help to ensure that all devices are equipped with the security tools needed to prevent man-in-the-middle attacks, as well as other types of cyber intrusions.


The author of this content is a paid contributor for Verizon.