Personnel at hospitals and other healthcare facilities already know they need to be extremely vigilant about a wide range of safety considerations. With mounting frequency, cybersecurity is asserting itself as an especially critical area that needs attention. Unfortunately, that cybersecurity is simultaneously one of the facets of healthcare facility operations that is often overlooked.
Part of the challenge is that hackers have realized there are more avenues into a healthcare organization’s system than is the case with other businesses. There are a whole slew of medical devices that could provide an access point.
“There are a variety of reasons cybercriminals may target medical devices,” says Craig Young, computer security researcher on the Vulnerability and Exposures Research Team (VERT) at software security company Tripwire. “Embedded devices like the ones used in the medical field are notorious for falling behind on operating system patches. These devices often require the manufacturer to test and package patches before they can go out to customers.”
Potentially vulnerable equipment is practically everywhere in healthcare facilities, often in numbers that exceed what any one team member might guess.
Many of the systems that have some level of computerized control have a PC component in the room with them, which means they are running with an operating system, just like a laptop. If there are around a dozen connected medical devices with every bed in a hospital and thousands of beds in the largest the hospital chains, the sheer scope of the danger is staggering.
“That’s a huge landscape for a security team, which is typically quite small, to try and solve,” says Terry Ray, CTO of data security company Imperva.
Ray adds that the healthcare field is uniquely overburdened by risk mitigation concerns. Other organizations might be anxious about losing proprietary information, but they’re not necessarily sweating HIPAA laws. Thus far, Ray says he hasn’t seen data thieves threatening to release stolen medical records, but, in a sense, it doesn’t matter all that much whether the pilfered material gets out. Any breach of a system does damage.
“Technically, if a hospital has proof of them losing records, whether or not those records are released to the public, they still have to notify that those records were lost,” notes Ray.
Of course, there’s a potential outcome that’s even more dire.
“If medical systems go offline, patients can die,” says Young. “This presents a predicament for security professionals looking to lock down medical environments without impacting uptime for critical systems.”
And the malicious mischief hackers might engage in isn’t limited to shutting down critical equipment.
“A subtle attacker could simply corrupt elements of medical records to change things like drug allergies, blood type, and medical history,” Young cautions. “This would not be immediately obvious to the provider and could result in wasted time, confusion, and even loss of life.”
Cybercriminal awareness over the leverage they have in wresting control of systems contributes to a shift in their methodology, or at least the endgame. When outside attacks on computer networks initially became a threat, the interlopers seemed to have little more than digital destruction in mind. They’d craft computer viruses that would indiscriminately wipe out data. Now, the bad guys are more often looking for an illicit payday.
Ray notes that the recent WannaCry ransomware attack — which crippled many healthcare facilities in the U.K. and elsewhere — illustrates exactly how cybercriminals are shifting the terrain. The ransomware infiltrated and spread in a manner similar to an old-school computer virus, but it didn’t wipe out the data. It simply held it hostage, with the promise it would be released following a hefty payment in bitcoin, the anonymous and untraceable online currency.
“They didn’t ask for any extortion back in the day,” says Ray. “That’s the real difference between today and back then.”
There is plenty to fret about, but it’s more important to move towards solutions that keep medical data safe. Ray and Young agree that the first step entails conducting a thorough audit of equipment that could fall prey to cyber-attack.
“Asset inventory is a fundamental first step toward locking down a healthcare facility network,” says Young. “This means tracking the software running on desktops and servers as well as embedded devices. Providers should be aware of what OS is installed and have plans in place for identifying and deploying updates.”
It’s especially important to give scrutiny to the more incidental devices that are easily forgotten about. Even if these pieces of equipment are connected to the internet — sometimes through a separate but associated device — they’re so small or limited in the software that it’s difficult to install cybersecurity components on them.
“This is a problem that has not truly yet been addressed,” says Ray. “And it’s going to be a big problem as we continue to move forward because these devices are widely open.”
From there, the next step is determining which devices are the responsibility of the end user to update and which are not equipped with a clear pathway to keeping the security tools in proper working order to repel ever-adapting threats. The latter are especially important to identify since there’s some additional research and outreach to manufacturers that will need to take place before the space is secure.
The healthcare community is beginning to develop a smart, strategic response to the risks, but Ray says the FDA needs to push manufacturers to take on some of the burden, too.
“The hospitals get, it but the hospitals are like every other organization and industry out there — they’re constrained on costs,” Ray notes. “The cybersecurity team is always a cost center, not a revenue center. So they’re typically a small team of people in hospitals, and they can only do so much. The manufacturers, I think, are going to have to step up and start to show how they’re providing the cybersecurity on their devices, and how do they maintain that over three, four, five years through the life of that product.”