Hospital hacks put patient health at risk

The recent ransomware attacks on hospitals reveal risks not only to patient data but, more importantly, to patient health

A report issued by Independent Security Evaluators, which highlights the vulnerabilities in medical devices and the risks they pose to patient health, comes at an opportune time: the past month has shown that hospitals are becoming targets for criminals.

Ted Harrington, executive partner at Independent Security Evaluators, said, "It’s a scary report in a lot of ways, but our hope is to organize an industry in recognizing these problems. We are trying to make an entire industry start changing, especially one that is very regulated and complex. The conversations need to start happening."

The report also showed that the health care industry, guided by strict regulations for protecting patient data, "has focused almost exclusively on protecting patient data and not patient health. The focus is entirely on making sure the patient’s record is protected and not tampered with, but that doesn’t directly correlate to protecting the patient," Harrington said.

These findings are not entirely new, according to security expert Billy Rios, who said he's been fighting for stronger security in medical devices for five or six years now. The vulnerabilities in infusion pumps that Rios brought to light last year are but one example.

"The Telmed pump is not even a vulnerability. It's poor design, poor architecture. There is no patch for that. You can’t patch the fact that a pump is running. It requires significant configuration changes," Rios said.

Regulations are not a panacea for the issues of cyber security, and Rios said that he dislikes regulations. At issue, though, is the reality that unless vendors are compelled to do something, they won’t.

Rios said, "They have formal guidance for what they call pre-market solutions. You have to follow these to get clearance to sell your product. They have guidance, but guidance is up to you to follow." 

Hospitals are doing all they can to minimize the risks of these devices, but for smaller hospitals, the budgetary limitations are confining. "They don’t have the budget or the staff, and device manufacturers don’t care about those folks," he said.

The general guidance, said Rios, is to put devices on their own networks. The problem is that hospitals have thousands of medical devices. "Having all devices segregated creates a burden for the delivery organizations," Rios said.

Many medical device vendors recommend that hospitals segment the devices, according to Rios, but he said, "That doesn’t mean every hospital is doing that. A small hospital is not doing that. Instead all of the devices are connected. More mature hospitals are the ones that are actually doing the segmentation."

"Hospitals that have money and staff, those guys are segmenting devices as much as they can. Trying to segment as many of these devices becomes unwieldy from an architecture standpoint. No sane person would design their network this way," Rios said.

Israel Levy, CEO of BUFFERZONE, disagreed, arguing that today's technology allows for very flexible networks. Levy noted that the banking industry in some countries dictates that all activities involving financials and money must be executed on a network not directly connected to the Internet. Still others execute a strategy of subnetworks, which allows them to keep the most important components in a separate location.

"Those separate locations create better security. You then regard subnets as insecure and take measures to transfer from the external to a secure network. These technologies are available today. As long as the strategy is to keep all the devices on a separate network, they will also need technology that allows the passing of information," Levy said.

Though none of the medical device vendors contacted were available to comment, security industry experts posed some technology solutions to mitigate the risks to patient health.

Jason K. Marchant, enterprise cybersecurity risk officer at Partners HealthCare System, said, "Most medical devices can be connected to a hospital’s network, either wired or wirelessly, and communicate with the electronic health record (EHR)." Hospitals, in allowing this communication, might inadvertently subvert security controls.

For example, Marchant said, "Ports may be opened in a firewall to allow the medical device system to communicate with the EHR but these ports may also be known to distribute malware."

To best mitigate these risks, Marchant said, "Devices should be allocated to their own IP space and operate in their own virtual LANs. This can allow for more fine-grained control over the systems that can and cannot communicate with each other. It may also expedite the detection of anomalous activities on the network."

Though Marchant believes that security is a shared responsibility, he said, "The healthcare industry, especially hospitals without dedicated cybersecurity staff, could benefit from detailed vendor-provided documentation that describes the security controls configured by default in medical device systems and those that have not been configured." 

Ellen Derrico, senior director of health care and life sciences at RES, said, "In reality, every hospital is a little different about how their landscape works. If the devices are all on the network as we saw from Hollywood Presbyterian, you are going to have vulnerability."

Everyone needs to be educated about the risks that come with the growing number of network-connected devices because "anywhere there is a point of entry between a device and a system there is a vulnerability," Derrico said.

At the 2016 HIMSS Connected Health conference, Derrico spoke about the need to have technology in place to encrypt. "Hospitals need to have a white and black list of executable files. They need to elevate privileges so that not everyone can get administrative access, and they need to put in controls very carefully based on roles," Derrico said.

Security teams can take other actions to protect the network and patient health, said Derrico: "Have blanketing that protects the network and devices that is read only so that a hacker can’t write something on a device. Lock device ports so that someone can’t get information off of it from a stick."

There is both a technology piece and an education piece because if they are attacked, the whole network can get infected and affect the devices. Does this mean that protecting the network, where patient data lives, will in turn protect the devices?

Chris Doggett, a senior vice president at Carbonite, said that he was not trying to be critical of the ISE survey, as it is a comprehensive blueprint, but "they missed the mark a little. There are individual or small group actors using un-targeted and unspecific threats to get money. Those can directly impact patient health."

Of the kinds of threats and malicious actors assumed in the report, Doggett said, "The area of focus and the adversaries they highlighted--organized crime, terrorist, nation states--while those are true in theory, you’d be hard pressed to find real-life examples thus far where patient health was impacted by those threat actors in that manner."

While it’s important to focus on cybersecurity’s impact on patient health, Doggett said, "There are other categories that are more rampant today and they are going to unintentionally target patient health. Ransomware is a higher probability than an organized crime unit or nation state targeting a specific hospital."
