Nefarious hackers infiltrating a pacemaker sounds like a plot right out of a sci-fi thriller, but it’s become an all-too-possible scenario. And cyber infiltration of hospital system information is beyond possible — such breaches have become almost common.
Since 2009, more than 155 million Americans have had their medical information exposed without their permission, according to a recent report from the nonprofit public policy organization Brookings Institution.
Cybersecurity experts are also noticing a growing trend of ransomware attacks and hacked medical devices, which makes it clear that medical centers have become prime targets for cybercriminals.
How did this happen? Experts say it is partly because health care has been slow to institute security measures typically seen in other industries.
Dr. Eugene Vasserman, Director of Kansas State University’s Center for Information and Systems Assurance and associate professor and Keystone Research Scholar in the university’s Department of Computer Science, says health care systems may be subject to infiltration if their computers are running on old, unsupported systems designed to be safe but containing vulnerable software.
“Several of the devices used in health care settings are engineered to be safe, but not secure, making patients and health workers more vulnerable to attack,” said Vasserman. “We often confuse safety with security, but they are different, since we not only want to ensure the safety of the software, but also security from potential attacks, since a successful attack can rewrite the software, making it unsafe.”
Your personal health information is worth thousands
Like pirates in search of gold, hackers are stepping up their tactics and finding new ways to collect personally identifiable information.
Credit card and bank information is stolen daily to be sold online. However, breaching the health care industry is like hitting the jackpot, since health records contain valuable information, including Social Security numbers, home addresses and patient health histories.
Dr. Michael Nowatkowski, associate professor of Information Security at Augusta University, says the black market pays big bucks for sensitive medical information, which is a prime reason cybercriminals are willing to put in the effort to break in.
“Fraudulent activity with credit cards can be picked up fairly quickly, but it can be years before a medical fraud scheme is detected,” said Nowatkowski.
Hackers are clever in their methods of stealing protected health information and use tools such as phishing and spoofing to trick the health care provider into believing their access is legitimate.
As patients become more involved in their health care management, another cyber threat can be linked to hospitals setting up web portals for patients to quickly access their data online. Augusta University Health’s Chief Information Security Officer Walter Ray says many of these sites are only as secure as the passwords being used to access them. Some patients are not aware of the risks associated with mishandling their passwords to these sites.
“Patient health information is so personal. A disclosure of a person’s medical history can feel like an assault on one’s sense of control,” said Ray. “Issues like mental illness, substance abuse and sexually transmitted infections are examples of very sensitive topics that can be contained in a person’s medical records.
“Patients have the right to keep their records private. However, with our highly interconnected world there are many entry points to access medical records for would-be hackers, making it difficult for organizations to close all of the holes,” Ray continued. “Hackers are constantly seeking ways of monetizing their skills and abilities. Extortion and ransom are two methods they have used. Ransomware could impact a hospital’s ability to operate efficiently or, even worse, directly impact a patient’s health.”
While researchers work to develop more global and preemptive solutions, Ray says hospital security professionals are conducting cyber ground combat every day.
“Medical centers have to be proactive in reviewing their computer systems as they search for vulnerabilities that could impact patient care or privacy,” said Ray. “Hospitals should move away from using legacy technology, invest in backup software, train their IT professionals in cybersecurity best practices, and invest in improved security technologies.”
Pay up or else
Last year, a global attack by the WannaCry ransomware paralyzed 65 hospitals in the United Kingdom and affected computer-based equipment, such as MRI scanners. Cybersecurity experts also uncovered ransomware known as Petya, which affected hospital computers around the world, including in the United States.
Smaller attacks can be quickly lucrative to the perpetrators. In January, IT systems at Hancock Health, based in Greenfield, Indiana, were attacked, impeding hospital operations. Within two days, the hospital paid $55,000 in bitcoins to avoid having its files permanently encrypted and inaccessible and to ensure no risk to patient safety.
These health organizations fell prey to ransomware, a type of malware that blocks or limits users’ access to their systems or data until a ransom is paid. Hackers typically view medical centers as the perfect target because they hold up-to-date health records, and patient care depends on quick access to drug histories and other directives. Hospitals can be infected in various ways, such as when a staff member clicks a malicious link in an email or when malware is delivered through a web browser.
Ransomware attacks are usually opportunistic rather than aimed at a particular victim, and cybercriminals use them because the strategy works. In 2014, Dell reviewed data from the ransomware CryptoWall and discovered it had collected over $1 million in six months.
“Ransomware attacks work and put important devices out of commission,” Vasserman said. “The cost of the attack doesn’t compare to the feeling of putting your patients at risk, which is why ransomware is so frustrating for the organization and victims.”
As ransomware attacks against health care organizations increase, experts encourage hospitals to invest in qualified cybersecurity personnel and to counteract these attacks using security measures such as backup systems.
The attack on medical devices
The thought of someone hacking into a medical device implanted into your body is scary. Unfortunately, these cases are on the rise and forcing medical device companies to review their products.
St. Jude Medical and parent company Abbott Laboratories faced lawsuits due to vulnerabilities in some of the company’s defibrillators, and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the U.S. Department of Homeland Security, last year issued warnings about cybersecurity vulnerabilities in syringe infusion pumps manufactured by Smiths Medical.
“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump,” the 2017 ICS-CERT report stated. “Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”
Unfortunately, these vulnerabilities in medical devices are becoming more of a concern for health centers across the nation as many are dealing with breaches in wireless health care equipment.
“If you want to outsmart attackers, you have to think like an adversary,” said Vasserman. “It’s not enough just to protect medical devices from environmental risks; they also need to be secured by thinking how cybercriminals may use the systems to cause harm.”
Billy Rios, a world-renowned cybersecurity expert and founder of cybersecurity consulting firm WhiteScope, knows a thing or two about thinking like an adversary. A highly acclaimed white hat hacker, Rios is hired by companies to expose vulnerabilities in their computer systems.
Rios has worked with numerous organizations, including the Pentagon, Google and Microsoft, and in 2013 he linked up with a team of researchers to review vulnerabilities in 300 medical devices ranging from ultrasound equipment to defibrillators.
His team discovered numerous defenseless areas in several medical devices, and Rios’ data helped spark an industry-wide conversation on stricter cybersecurity regulations for medical device suppliers.
Subsequently, the Food and Drug Administration published guidelines to ensure health device companies consider cybersecurity in the design and development of their devices.
Rios applauds the FDA as well as health care organizations investing in security precautions to ensure their work and partnerships with medical device suppliers comply with cybersecurity standards.
“Medical devices are intimate instruments that patients depend on to live, which is the reason why companies have to fix vulnerabilities or there could be fatal consequences,” said Rios. “Although we still have a long way to go with phasing out legacy technology, I’m optimistic about the future as I see more medical centers and health organizations being open about vulnerabilities and doing what is necessary to correct the problem.”
There is a silver lining
Cybersecurity is not just an IT problem; it is part of the health care provided to patients.
From ransomware attacks to hacked medical devices, cybercriminals have proven there’s a crack in the health care industry’s tech infrastructure.
As vulnerabilities are discovered in software, Ray recommends that hospitals patch affected systems as soon as possible and then validate that the patches are actually installed and effective. He also advises getting staff engaged and aware of their role in defending against attacks, and recommends that medical centers build their cybersecurity program on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
“Hospitals must ensure they are backing up their systems and that they can actually restore their backups when they need them. It is also important to have a contingency plan in case your organization must sustain a downtime of critical systems,” said Ray.
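The backup drill Ray describes, as an added example that is not from the article or from Augusta University Health: a directory is backed up to a tar archive together with a SHA-256 manifest, the archive is restored to a separate location, and every restored file is checked against the manifest. A constructed stand-in for file-encrypting ransomware then scrambles the live copy, showing that the manifest check flags the damaged files while the restored copy is intact; this also illustrates the failure mode described earlier in the article, where encrypted files are recoverable only from a backup that has actually been tested. The directory layout, file names and contents are constructed for the example.

```python
"""Added example (not from the article): back up, restore, and verify."""
import hashlib
import json
import secrets
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.parent / (archive.name + ".manifest.json")


def backup(root: Path, archive: Path) -> dict:
    """Write a gzipped tar of root plus a manifest recorded at backup time."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive, refusing members that could escape dest."""
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            p = Path(m.name)
            if p.is_absolute() or ".." in p.parts or not (m.isfile() or m.isdir()):
                raise ValueError(f"unsafe member in archive: {m.name}")
        # Use the 'data' extraction filter where this Python provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)


def verify(root: Path, manifest: dict) -> list:
    """Names of files that are missing or whose digest differs from the manifest."""
    return [name for name, digest in manifest.items()
            if not (root / name).is_file() or sha256_file(root / name) != digest]


def simulate_ransomware(root: Path) -> None:
    """Constructed stand-in for ransomware: overwrite each file with random bytes and rename it."""
    for p in [p for p in root.rglob("*") if p.is_file()]:
        p.write_bytes(secrets.token_bytes(len(p.read_bytes()) + 16))
        p.rename(p.with_name(p.name + ".locked"))


def run_drill() -> dict:
    """Back up a constructed records tree, damage the live copy, restore and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "records"
        (live / "radiology").mkdir(parents=True)
        (live / "patient-0001.txt").write_text("constructed sample record\n")
        (live / "radiology" / "scan-0001.dat").write_bytes(b"\x00\x01" * 512)

        archive = tmp / "nightly.tar.gz"
        backup(live, archive)
        manifest = json.loads(manifest_path(archive).read_text())
        live_ok_before = verify(live, manifest) == []

        simulate_ransomware(live)
        damaged = verify(live, manifest)

        restored = tmp / "restore-test"
        restore(archive, restored)
        restore_ok = verify(restored, manifest) == []
        return {"files": len(manifest), "live_ok_before": live_ok_before,
                "live_damaged_after": len(damaged), "restore_ok": restore_ok}


if __name__ == "__main__":
    print(run_drill())
```

The manifest is written at backup time, so a later restore test measures the backup against what the data looked like before any compromise, not against a live copy that may already have been encrypted. Restoring into a scratch directory and checking every digest is the step that turns "we have backups" into "we can restore them".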
When it comes to protecting patients and medical devices, health care centers must deny attackers a foothold, because a single point of entry is all they need. Device security must also be incorporated into the design of the product, starting in the early planning stages.
There is reason for optimism. Hospitals are learning from past attacks and are taking the necessary precautions to protect their systems. The FDA is working to ensure devices meet cybersecurity standards developed by NIST. Georgia Gov. Nathan Deal’s nearly $100 million investment in the Hull McKnight Georgia Cyber Center in Augusta is evidence of the seriousness with which farsighted leaders are taking cybersecurity threats.