October 21, 2020 By BlueAlly
This week the Cybersecurity Awareness Month (CAM) focus area is “Securing Internet-Connected Devices in Healthcare.” Insecure systems are a problem across every aspect of the industry, from insurance providers to diagnostic systems and patient records. Here are some common examples:
Disrupted operations: It’s been three years since WannaCry spread across the globe in a massive attack that took down roughly 200,000 devices in a couple of days. Roughly one-third of the NHS Trusts in the United Kingdom were affected, delaying healthcare to 19,000 patients. Microsoft released the MS17-010 patch to mitigate this ransomware, but as of 2019, WannaCry was still attacking about 3,500 systems per hour.
Ransomware entered new territory this year when an attack on Düsseldorf University Hospital in Germany resulted in a delay of care that led to the death of a patient. That incident is still under investigation. Other recent attacks include disruption of clinical trials on COVID-19 testing and treatments and the lockdown of multiple systems at a major hospital chain.
Data theft: Many governments set high standards for patient privacy and data protection, and rightly so. Medical records can be used in identity theft or other types of scams. Reports vary on the resale price of a complete medical record, but it has been as high as around $100 per complete record, and tens of thousands of dollars for a database. HIPAA Journal reports that nearly 231 million healthcare records had been breached as of 2019. Medical records of individuals have fallen to roughly $1 each as a result of all of this stolen data making its way to the dark web.
The personal information of a doctor is much more valuable than that of a patient. Medical licenses, DEA licenses, and other documentation can allow a criminal to forge prescriptions and file fraudulent insurance claims. This type of data sells for about $500 on the dark web, though these prices are always fluctuating.
Record tampering: This is terrifying. Researchers in Israel have developed malware that can change the results of diagnostic testing. In a blind study using real CT lung scans to which malware-fabricated cancerous nodules had been added, radiologists diagnosed cancer 99% of the time. The same test also used malware to remove real cancerous nodules from real scans, and the radiologists diagnosed the patients as healthy 94% of the time. The purpose of this test was to show that insecure hospital systems could have a global impact if a world leader were misdiagnosed.
Why healthcare is being targeted
Healthcare is a high-value target because the data is so important to the stakeholders. Hancock Health paid $55,000 to unlock their systems after a successful attack in August. Hackensack Meridian Health paid a ransom to unlock their systems after a five-day shutdown that caused at least 100 surgeries to be rescheduled. Some health systems have refused to pay a ransom, choosing instead to recover on their own.
In addition to the value of the data, there are foundational problems in healthcare systems that make them an attractive target.
Legacy and custom equipment: The healthcare industry uses uncommon equipment with embedded operating systems. MRI scanners, robotic arms, and other expensive equipment may remain in service after aging into legacy status. It’s just too expensive for some organizations to replace these systems if they are working, but the systems also can’t be patched as easily as a modern device. Another problem is that even modern devices with ongoing support may have to wait for software security updates because the devices run software that is custom-made for that device. Updates for this code are not readily available.
Unmanaged IT: Everything in and around a hospital is a potential exposure point. Systems that are not inventoried properly can be neglected and compromised. It isn’t just workstations and medical equipment; HVAC systems and security devices are also potential entry points. IT teams need to know what devices are connected, what digital communications are necessary for the workflow, and which should be blocked. This is difficult to do in an environment that is still transitioning from paper records to the digital systems that set the standard for modern healthcare.
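The inventory-and-allowlist idea above can be turned into a simple check. The following is an added example, not code from the original post or from Barracuda or BlueAlly: it reconciles observed network flows against a device inventory and a per-device-class allowlist of the communications the clinical workflow needs, and flags both uninventoried devices and flows outside the allowlist. The inventory, allowlist, log format and addresses are all constructed sample data, not a real hospital configuration.

```python
"""Reconcile observed flows against a device inventory and workflow allowlist.

Added example: all inventory entries, allowlist rules and flow records below
are constructed sample data (assumed, not taken from any real environment).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: source address -> device class.
# Any source not listed here is treated as an unmanaged device.
INVENTORY = {
    "10.10.1.20": "mri_console",
    "10.10.1.21": "infusion_pump",
    "10.10.2.5": "pacs_server",
    "10.10.3.40": "hvac_controller",
}

# Constructed allowlist: per device class, the (destination network, port)
# pairs that belong to the workflow. Everything else is flagged.
ALLOWED = {
    "mri_console": [("10.10.2.0/24", 104)],       # DICOM to the PACS segment
    "infusion_pump": [("10.10.2.0/24", 443)],     # HTTPS to the PACS segment
    "pacs_server": [("10.10.0.0/16", 443)],       # HTTPS within the site
    "hvac_controller": [("10.10.3.0/24", 502)],   # Modbus inside its own segment only
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


@dataclass
class Finding:
    kind: str    # "unmanaged_device" or "disallowed_flow"
    flow: Flow
    detail: str


def parse_flow(line):
    """Parse one constructed log line of the form '<src> -> <dst>:<port>'."""
    src, rest = line.split(" -> ")
    dst, port = rest.rsplit(":", 1)
    return Flow(src.strip(), dst.strip(), int(port))


def is_allowed(device_class, flow):
    """True if the flow matches any (network, port) rule for the device class."""
    for net, port in ALLOWED.get(device_class, []):
        if ip_address(flow.dst) in ip_network(net) and flow.dport == port:
            return True
    return False


def review_flows(lines, inventory=INVENTORY):
    """Return a Finding for each uninventoried source or out-of-allowlist flow."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        device_class = inventory.get(flow.src)
        if device_class is None:
            findings.append(Finding("unmanaged_device", flow,
                                    f"{flow.src} is not in the inventory"))
            continue
        if not is_allowed(device_class, flow):
            findings.append(Finding("disallowed_flow", flow,
                                    f"{device_class} {flow.src} -> {flow.dst}:{flow.dport} "
                                    "is not in the workflow allowlist"))
    return findings


# Constructed sample flows (assumed log lines, not captured traffic).
SAMPLE_FLOWS = [
    "10.10.1.20 -> 10.10.2.5:104",      # MRI console to PACS: expected
    "10.10.1.20 -> 203.0.113.9:443",    # MRI console to the internet: unexpected
    "10.10.3.40 -> 10.10.3.41:502",     # HVAC inside its segment: expected
    "10.10.3.40 -> 10.10.2.5:445",      # HVAC reaching the PACS segment: unexpected
    "10.10.9.77 -> 10.10.2.5:443",      # source not inventoried at all
]

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(finding.kind, finding.detail)
```

Run against the constructed flows, the check reports two disallowed flows (the MRI console reaching the internet and the HVAC controller reaching the PACS segment) and one unmanaged device. The allowlist is written per device class rather than per device so that a new pump or console inherits the rules of its class once it is inventoried.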
Compliance distractions: Because healthcare is subject to patient privacy regulation and severe penalties for violations, IT security teams have not always prioritized the security of systems that fall outside of these regulations. Without comprehensive IT management, medical device workstations may have unnecessary internet connections, or Alexa devices may be found in sensitive environments. These are issues that are easy to miss when compliance alone is the focus of a team.
The industry is growing rapidly, and it is still early in its digital transformation and cybersecurity journey. Awareness has been a key factor in moving the industry forward.
Original post by Barracuda