July 24, 2019 at 02:03 #5088
Ransomware attacks, while a significant danger to both companies and individuals, can also constitute a major threat to medical personnel and their patients. This was found firsthand by Paul Pugsley, an emergency medicine resident at Maricopa Medical Center in Phoenix, Arizona.
Pugsley was attempting to administer a CT scan to his patient who had suffered a stroke; the scan would have determined whether the stroke was the result of a clot or a bleed, vital information that would determine further treatment: a supposition in this matter can result in the death of the patient. However, when Pugsley examined a screen in the corner of the room, he did not find any results of his test, but was instead confronted with a demand for a Bitcoin payment.
Fortunately for the medical student, the ransomware attack was part of an elaborate simulation designed to prepare the next generation of doctors for the very real possibility of cyber attacks targeting medical installations (in addition, the patient was, in fact, a medical test dummy). Yet the necessity for this training is in itself evidence in support of the findings of Cylane, a cyber security company which found that the healthcare industry is subject to the majority of all ransomware hacks. This is particularly alarming when one considers that the average hospital room has between fifteen and twenty connected devices in operation at any time.
“From a threat perspective, healthcare is often seen as a large, soft target,” said William Peteroy, security CTO at Gigamon. “There are increasing interdependencies between technology and providing quality care, which means that we’re seeing more technology in healthcare than ever before, but we don’t see a strong and consistent focus on information security to go along with that.”
Stephen Cox, chief security architect at SecureAuth, agrees. “The healthcare industry houses some of the most personal and sensitive data one can imagine,” he told Business News Daily. “Having this data be stolen by attackers and leaked to the dark web can be an absolute catastrophe for phishing campaigns. Having a device taken offline due to an incident could delay a patient from receiving a vital treatment.”
The vulnerability of the medical sector came to prominence in 2017 after a massive cyber attack was unleashed against the UK’s National Health Service, which caused catastrophic disruption and forced hospital staff to revert to using pens, paper and their personal phones to continue daily operations. Perhaps most alarming of all was the fact that the ransomware hack was carried out using WannaCry, which a cyber gang known as the Shadow Brokers claimed to have stolen directly from the United States’ National Security Agency, one of the principal intelligence bodies of the US, alongside the CIA and FBI. The group was apparently able to directly hack the NSA by using a tool known as Eternal Blue – proof, if more were needed, that the black market has access to government/military technologies, and the civil sector’s defensive capabilities are more vital than ever.
The following directives are recommended for medical installations:
- Identify and monitor all connected medical devices.
Every single connected medical device should be monitored in real time, allowing security teams to constantly probe for vulnerabilities or anomalous behavior that could signal the device has been compromised. In an environment with hundreds or thousands of connected devices, employing some type of intelligent cybersecurity solution is the only way to effectively manage the network.
“Tracking devices for visibility manually is indeed difficult, especially with a small security team,” says Chris Morales, head of security analytics at Vectra. “When you factor in the time it takes a lean security team to discover a data breach that comprises unknown connected devices, it is apparent the security team needs some level of augmentation of capabilities through intelligent technology.”
- Segment connected medical devices.
Properly segmenting connected medical devices based on vulnerability and risk profile can reduce hackers’ penetration into your network in the event a cyber attack does occur.
“Hospitals can mitigate risks by creating an isolated network for connected devices, which is simple and can be done with VLANs and firewall technology that’s been around for decades,” Peteroy said.
- Ensure software is regularly updated.
Regular software updates are critical to warding off what would otherwise be easily thwarted cyber attacks. The WannaCry attack exploited a vulnerability that was patched in a Windows update released months prior. As a result, the only organizations that were affected by WannaCry were those that had failed to update their software. Every connected medical device should be subject to regular software patching and firmware updates, prioritized by individual risk profile. This makes the device less ripe for exploitation.
- Establish a cybersecurity framework and incident response plan.
Finally, while software solutions and regular updates are a great way to reduce the chances of a cyberattack, a smart security team knows it is a matter of time before their defenses are probed by a malicious actor. It’s crucial for a comprehensive cybersecurity plan to include an incident response procedure that can be deployed at a moment’s notice and includes all the major stakeholders across all departments within the organization.
Hospitals are vulnerable targets because of the value of their information and the sheer scale of their networks. However, leveraging connected medical devices and the many benefits they offer doesn’t mean hospitals must fall victim to hackers and their cyber attacks. By implementing an intelligent cyber security solution that can identify and monitor all connected devices in real time, properly segmenting those devices, running regular software updates, and preparing a comprehensive incident response plan, security teams can be as prepared as possible to face ever-evolving cyber security threats.
July 30, 2019 at 12:16 #5180
Really informative article. Especially I agree with the last part about the necessity of the cybersecurity framework implementation in the healthcare industry. Nowadays healthcare organizations have to prove that devices, technologies, and methods they adopted bring no risks to clients. And I think compiling their security with recognized frameworks and standards is a great idea. There is a really useful guide about the security healthcare frameworks that explains how to successfully apply them in the healthcare sector: https://www.cleveroad.com/blog/healthcare-cybersecurity-framework
July 30, 2019 at 16:03 #5182
It’s been featured on our medium: https://medium.com/@cybersecurecentral/vulnerabilities-of-the-medical-sector-from-our-forums-53cc53841e34
October 28, 2019 at 02:11 #5741
Dear Lord, look at what the world has come to. It seems like there isn’t a single sector that cannot be affected by cyber crime and hacking. The arts, business, engineering, medicine, law, politics, the military. Soon enough, there’ll be people hacking into our toilets as we’re squatting on them and flushing at will to scare the shit out of us, literally!
October 28, 2019 at 02:18 #5743
Haha come on. It is clear that the medical sector’s advancements have only benefitted us, as is clear with the statistics. People have a longer average life span today than at any other time in history, which is good in some cases, annoying in regards to those less desired by the human population. Yet, in all seriousness, one has to keep in mind that with every human advancement and achievement, there tend to be downsides. In this case, having the medical field infused with so much tech has benefited and endangered it all at once. It comes with the territory. Hence why cyber security and caution are more necessary today than ever.
October 28, 2019 at 15:03 #5746
October 28, 2019 at 15:05 #5748
That is what a ‘smart toilet’ looks like when it is hacked
November 1, 2019 at 16:55 #5781
A great guide about how to secure healthcare technology that I believe all medical practitioners must adhere to and follow well if they are to avoid really undesirable scenarios. Cyber crime that involves financial theft is difficult, yet bearable. Whereas when that crime extends to tampering with people’s lives and perhaps causing an untimely death, it becomes another issue entirely. This is not an issue to be taken lightly at all.
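The first three directives in the opening post (identify and monitor every connected device, segment medical devices onto an isolated network, patch by risk profile) can be checked together in one audit pass. The following is an added example, not part of the thread; the MAC addresses, VLAN numbers, 1-5 risk scale, 90-day patch threshold and risk-times-age ordering are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: a hypothetical device inventory and network observations.
MEDICAL_VLANS = {110, 120}  # assumed isolated VLANs reserved for medical devices
INVENTORY = {
    "00:1a:2b:00:00:01": {"name": "ct-scanner-1", "risk": 5, "last_patched": date(2019, 6, 1)},
    "00:1a:2b:00:00:02": {"name": "infusion-pump-7", "risk": 4, "last_patched": date(2018, 11, 15)},
    "00:1a:2b:00:00:03": {"name": "bedside-monitor-3", "risk": 2, "last_patched": date(2019, 1, 10)},
}
OBSERVED = [  # (MAC, VLAN) pairs as a switch or passive sensor might report them
    ("00:1A:2B:00:00:01", 110),
    ("00:1a:2b:00:00:02", 10),    # inventoried medical device sitting on an office VLAN
    ("00:1a:2b:00:00:03", 120),
    ("00:1a:2b:00:00:99", 110),   # device nobody has inventoried
]

def audit(inventory, observed, medical_vlans, today, max_patch_age_days=90):
    """Compare what is on the wire with the inventory and rank overdue patching."""
    findings = {"unknown": [], "missegmented": [], "unseen": [], "patch_queue": []}
    seen = set()
    for mac, vlan in observed:
        mac = mac.lower()                      # normalise before lookup
        seen.add(mac)
        dev = inventory.get(mac)
        if dev is None:
            findings["unknown"].append((mac, vlan))        # directive 1: unidentified device
        elif vlan not in medical_vlans:
            findings["missegmented"].append((dev["name"], vlan))  # directive 2
    # Inventoried devices that never appeared may be offline or moved unnoticed.
    findings["unseen"] = sorted(d["name"] for m, d in inventory.items() if m not in seen)
    overdue = []
    for dev in inventory.values():
        age = (today - dev["last_patched"]).days
        if age > max_patch_age_days:
            overdue.append((dev["risk"] * age, dev["name"], age))  # assumed priority score
    # Directive 3: highest risk-weighted patch age first.
    findings["patch_queue"] = [(name, age) for _, name, age in sorted(overdue, reverse=True)]
    return findings

if __name__ == "__main__":
    for kind, items in audit(INVENTORY, OBSERVED, MEDICAL_VLANS, date(2019, 7, 24)).items():
        print(kind, items)
```

In practice the observation list would come from switch MAC tables or a passive network sensor rather than a literal, and each finding would feed the incident response plan named in the fourth directive.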