Cybersecurity in the Healthcare Industry
Introduction – Why the Healthcare Sector is a Preferred Target for Cyber Attacks
IBM dubbed 2015 "the year of the healthcare breach." On the report of the data protection group the Ponemon Institute, criminal attacks in the healthcare are up 125% since 2010 and the likelihood to occur in this particular industry is greater than any other sector in the economy. To support this contention with more facts, a recent study reveals that cyber criminals raided the healthcare sector more than any other sector in 2015, with more than 100 million healthcare records being compromised. The Ponemon Institute's Fifth Annual Study, on Medical Identity Theft declares that 90% of healthcare companies had been hacked, which led to exposing millions of patients' medical records. Not only healthcare providers such as Anthem are being attacked, but major health insurers (e.g., Blue Cross Blue Shield) fell under the scourge of cybercrime. According to Bloomberg Business, criminal acts against healthcare industry have increased more than two times in the past five years, totaling up to $6 billion per year in costs.
Fig. 1
Implementing HIPAA Controls
But what makes healthcare industry so attractive target? The short answer is the lax cybersecurity combined with the opportunity for cybercriminals to make it a lucrative source of revenue.
Photo by NEC Corporation of America with Creative Commons license.
Medical profiles, for instance, can fetch a good sum, something like ten times the price of simple credit card numbers (i.e., approx. $10). Medical records in the U.S. contain patients' social security number, home address, phone number, emergency contacts, email address, health insurance information, medical history and possibly driver's license numbers, and credit card payment information. Cyberthieves may use such kind of data trove to launch spear phishing schemes, facilitate other social engineering frauds or simply steal medical identities. Note that unlike financial information; healthcare information is a type of personally identifiable information (PII) that is essentially non-recoverable.
Common Vulnerabilities in Hospitals and Medical Devices
According to Elliott Franz who is a CEO at Virtue Security, an ethical hacking team, now "it's easier than ever to gain access inside a hospital's network and compromise a device," as compared to years ago when "organizations used to have an internal network, and they could secure the outside of it to make sure an external hacker could not penetrate it."
Thomas Lewis, Partner-in-Charge at LBMC Information Security, points out that securing hospital environment is challenging because of the "open physical access that hospitals have to maintain" and the fact that "wireless networks are scattered throughout a hospital connecting their corporate systems and their medical systems, providing a target-rich environment."
Unfortunately, wired equivalent privacy (WEP), the first generation of wireless encryption, which is a predecessor of Wi-Fi-Protected Access (WPA2), often remains the sole encryption protection for the majority of healthcare networks and medical devices.
The Department of Homeland Security's Industrial Control Systems Cyber Security Emergency Response Team reported in 2013 that 300 medical devices manufactured by 40 different companies may have vulnerabilities associated with password settings set to allow for privileged access to these devices (i.e., the so-called hard-coded passwords), which would under normal circumstances be used only by service technicians. Also, medical devices keep on running on default passwords and outdated software (e.g., antiquated OS such Windows XP).
Rick Judy, a principal in PwC's health industries advisory practice, asserts that the bulk of the vulnerabilities in the Internet-connected medical devices are "significant" and "pervasive." With PWC estimating that the market for Internet-enabled healthcare products will reach the staggering $285bn by 2020, there is no surprise that the security of medical devices has become a thorny subject. Medical devices are part of the Internet of Things now, as more and more medical apparatuses are designed to interact with the Internet. While this could be helpful, due to the fact that test results and medical images can be examined within seconds, for instance (and the same goes for mobile access to real-time data residing in bedside monitors), it is not that great security-wise, as technological convenience is provided irrespective of the intentions of the person who access these devices and networks.
Exploiting Vulnerabilities in Medical Devices
Fig. 2
Dangers associated with "medjacking" (that is, hijacking of medical devices) are real. "Criminals can use these opportunities to facilitate attacks on other systems remotely, send maliciously and spam e-mails, steal personal information, or interfere with physical safety," the Federal Bureau of Investigation warned. This statement has been proven in the past by white hat hackers such as Barnaby Jack and Jay Radcliffe through breaking into the security systems of pacemakers and insulin pumps (Read "H@acking Implantable Medical Devices").
TrapX Security is a company based in San Mateo, CA., whose team was behind a research project involving 60 hospitals. In a controlled environment consisting of virtual replicas of specific medical devices, the security analysts established after a period of 6 months that every one of those devices had been infected by malware. "Spear phishing" hospital staffers was one of the particular methods used by cybercriminals to make a breakthrough.
Hackers succeeded in smuggling a piece of malware from a computer at a nurses' station, through the hospital network, into blood gas analyzers, radiological machines, and other devices. The majority of these machines ran outmoded operating systems, such as Windows 2000 and Windows XP. "These medical devices aren't presenting any indication or warning to the provider that someone is attacking it, and they can't defend themselves at all," adds Carl Wright, a general manager for TrapX.
Once having compromised these defenseless medical devices located everywhere in the hospital, hackers could lurk inside and use them as a springboard for further penetration. It seems that personal medical data was in the cross hairs of the malware.
Here is how the scheme works further: the criminals logged on from their command-and-control server to a blood gas analyzer; then, they moved laterally across the network to reach a data source, pulled the medical records back to the blood gas analyzer, and then out to the command & control server. Voilà.
Fig. 3
Another team of security researchers planted benign malware into USB sticks with the hospital's logo on them and dropped the thumb drives where medical personnel would be tempted to pick them up. Within 24 hours, hospital staffers had used the rigged sticks at nursing stations and the infection spread out (For more information see "Securing Hospitals" by Independent Security Evaluators).
One of the probe attacks launched by the researchers targeted an external web server at one of the hospitals. By exploiting vulnerabilities in the server, the security team assumed control of the machine, getting a foothold into the internal network, which allowed them to run scans to find vulnerable patient monitors. Hacked monitors can be forced to emit false alarms, display wrong vital signals, disable the alarm altogether – actions that could lead to a patient's serious injury or even death.
Fig. 4
Seeking Treatment: Healthcare System is Ransomware-prone
Ransomware is a computer virus that encrypts victim's data and demands ransom. Although ransomware attacks are on the rise in almost every sector, with the FBI investigated complaints of such attacks that cost $23.7 in 2014 and $24.1 in 2015, the health-care industry is deemed to be particularly vulnerable to those criminal acts.
This trend seems to on the rise because high-profile cyber attacks against healthcare institutions continue to draw public attention in the first quarter of 2016:
In February, the Californian Hollywood Presbyterian Medical Center succumbed to cyber criminals' demands and paid them $17,000 in bitcoins to retake control of the hospital computer system.
Nearly a month later, one of the major healthcare corporations in the U.S. – the Washington D.C.-based MedStar Health Inc. – fell victim to a cyber extortion scheme as well, and paid $19,000, again in bitcoins, to restore encrypted file.
During that same week, Alvaro Hospital Medical Center in San Diego was struck by the same type of cyberattack, but reportedly they declined to pay the ransom.
Source: Malware Attacks On Hospitals Put Patients At Risk
Unless medical staffers are accustomed to switching smoothly to paper records which have to be faxed or hand-delivered, not having access to patient information may be detrimental to the quality of health-care services they provide, even having to turn patients away, as happened in several of the cases mentioned above.
"It's a good reminder that you don't have to attack the medical device to attack its ability to deliver care," Tim Erlin, director of IT security and risk strategy at enterprise cybersecurity firm Tripwire, told CNBC. "The IT infected was things like email, but the inability to access those systems degrades the ability to deliver care."
PAY OR ELSE…
Whereas the official position of FBI is they do "not condone payment of ransom, as payment of extortion monies may encourage continued criminal activity, lead to other victimizations, or be used to facilitate serious crimes," some law enforcement authorities not only approve of paying up the ransom, but they did so in situations in which they were the victims themselves.
Concerning the question of whether one should pay the ransom, the vice president of the information security technology vendor Fortinet admits that ransomware proves to be a crafty tactic "where an attack is launched, and the ransom is modest, just enough where many organizations pay it to make the problem go away. But demands are soaring, and the problem is organizations are paying. Ransomware will get worse before it gets better."
Photo by Christiaan Colen
with Creative Commons license.
Cybersecurity Best Practices concerning Healthcare Industry
In spite of the craftiness of these threats, there are measures that every hospital or health care system can adopt to bolster its cybersecurity against cyber crooks and block any attempt of ransomware payload to execute itself inside the targeted systems:
Back up the data
This is the first, and foremost precondition for one to survive the aftermath of a ransomware attack, and "[y]ou might think it seems so obvious, but look at the ransomware cases…ransomware works when organizations do not backup their data and thus have no choice but to pay in order to get it back. There are many cases where organizations simply have not backed up their data," said the director of the Georgia Center of Innovation for IT, Glen Whitley.
Simply put, "[if] the hospital has its critical data backed up, then there is not much data to be held ransom," concludes the CEO of Northport cyber security firm Code Dx, Anita D'Amico.
Some security organizations specialize in providing real-time backup capabilities.
Keep in store a 'gold image' of systems and configurations
As Adrian Sanabria, a senior information security analyst at 451 Research explains: "A gold image is a term for essentially what an organization needs to get things back to normal, an image an organization can place back on systems to be back up and running very quickly." Consequently, one theoretical solution to all ransomware nightmares is keeping a data backup online in combination with maintaining a gold image, since the backup will preserve all of your current data on the one hand and on the other hand the gold image will make sure the configuration is reset back to Day One.
Prepare an action plan for system hijacking
Assume the worse and hope for the best – healthcare organizations should conduct a threat assessment and have a 'business continuity' plan specifically in the events of ransomware attacks. Identify all critical systems and protect them most.
Establish peer partnership and cooperation with law enforcement authorities
Knowing the latest trends is always important. For example, a hospital under a cyber attack can share immediately threat specifications to prevent the negative consequences from spreading to other institutions in the same sector. Furthermore, IT departments should consult on a regular basis with law enforcement agencies or information security companies to keep abreast with latest cyber threats in the healthcare industry.
The FDA also regularly organizes workshops for manufacturers, such as the one in January 2016 which urged the companies in the sector to take "a total product life-cycle approach, from design to obsolescence."
Adopt the holistic approach
An organization cannot merely focus on email protection out of fear of phishing probes. The multi-layered approach works best when correlates data from various products – an example of such data is a network log, an end-point log and a firewall log – and use that to create security intelligence.
Network segmentation – in other words, separating a computer network into several partitions – is a technique that limits continued criminal advancement across the network.
Test your security measures
It is imperative that healthcare institutions put their security preparations to the test. That means all of it – from the back-up and golden image to contingency procedures and staff roles.
User education
An FBI official firmly believes that "Companies can prevent and mitigate malware infections by utilizing appropriate backup and malware detection and prevention systems, and training employees to be skeptical of emails, attachments, and websites they don't recognize." (More on Phishing)
No matter how good your defensive capabilities are regarding technology, humans prove to be the weakest link in the security chain. "We've found very little end-user training going on at healthcare providers, and security, at the end of the day, is really a people issue – a PC does not click on a phishing e-mail or visit bad web sites, that's a person doing these things because they have not been properly trained and do not understand the risk and the issues."
Not surprisingly, ransomware attacks typically occur when someone at the hospital opens malicious file attached to an email or visit rigged websites that exploit vulnerabilities in victims' systems. So, everyone should be required to visit training courses, from receptionists and janitors to medical personnel and CEOs. (Read 3 Common Social Engineering Scams)
Regulatory Oversight
Regulators are taking notice of current developments in the medical industry as well. The U.S. Food and Drug Administration (FDA), among other things, exerts oversight over medical device production and approve their use.
In July 2015, the FDA published advisory that cautions hospitals against dangers of using the Hospira Symbiq infusion pump caused by lax cybersecurity that "could allow an unauthorized user to control the device and change the dosage the pump delivers."
With this regard, Suzanne Schwartz, a person responsible for coordinating cybersecurity initiatives at the FDA's Center for Devices and Radiological Health, makes the following statement: "It's viewed as precedent-setting. It's the first time we've called out a product specifically on a cybersecurity issue."
January 20, 2016, is the date when the FDA released "Postmarket Management of Cybersecurity in Medical Devices" – guidance that strives to clarify all cyber security measures that vendors should take a heed of once their products have been FDA approved and reached hospitals.
The FDA's guidelines set out basic medical device makers' responsibilities, which encompass the entire life-cycle of their products from the conception to obsolescence phase. To find the right balance between what risks are seen as important and what are considered secondary, the FDA concentrate its efforts on devices' essential clinical performance. After a manufacturer determines the most crucial functions its device possesses regarding safety and usability, he will be able to identify more effectively how to defend them, for example, through triaging cybersecurity issues based on the risks they pose to patients. Hence, the presence of vulnerabilities does not have to trigger always patient safety concerns.
"Device enhancements" is the term used in the FDA's document to encompass ordinary patches and security-related software upgrades. Unlike product modifications, these changes do not have to be reported to the agency. On the other hand, any known vulnerability found in medical devices that (1) is likely to cause death or serious adverse event, or (2) cannot be removed within 30 days must be timely reported.
The FDA recommends device manufacturers to take up a "coordinate vulnerability disclosure policy and practice" and participate in an information sharing and analysis organization (ISAO). Lastly, the regulator advises them to implement working risk management programs in places and maintain documentation that will handle complaint procedures, quality audits, preventive and corrective actions, risk analysis, software validation and servicing.
Conclusion
Although there are no known real-life cases of hacking medical devices to date, the security researcher Billy Rios is convinced that "[s]ooner or later, hospitals would be hacked, and patients would be hurt." After all, we have seen the series of ransomware attacks during the first quarter of 2016 and a couple of data breach cases in the years before that. What other proof do we need to realize that there is a serious problem here?
Consequently, some measures need to be taken for strengthening the cybersecurity of the healthcare industry as a whole, whether that will be regulatory initiatives or some solution to the common security problems proposed by the most influential organizations within the sector. It is to be noted, however, that the government should not get in the way of the sectoral self-regulation, very much like what we see in the Internet of Things market. Moreover, people need the best healthcare services out there right here, right now, not once all cyber security flaws are fixed. On that note, a reasonable balance must be stricken between security and convenience.
Reference List
Balakrishnan, A. (2016). The hospital held hostage by hackers. Available at http://www.cnbc.com/2016/02/16/the-hospital-held-hostage-by-hackers.html (19/05/2016)
Clinical Informatics News Staff (2016). FDA Recommends Steps for Protection of Medical Devices from Cyber Attacks. Available at http://www.clinicalinformaticsnews.com/2016/1/20/fda-recommends-steps-protection-medical-devices-cyber-attacks.html (19/05/2016)
Cox, J. (2016). Possible 'ransomware' attack still crippling some MedStar hospitals' computers. Available at https://www.washingtonpost.com/local/likely-ransomware-cyberattack-still-crippling-medstar-health-computers-at-some-hospitals/2016/03/30/a82c9fa8-f687-11e5-8b23-538270a1ca31_story.html (19/05/2016)
Dimov, D. (2014). Human-implanted RFID chips. Available at /human-implanted-rfid-chips/ (19/05/2016)
Enriquez, J. (2015). Medjacking: How Hackers Use Medical Devices To Launch Cyber Attacks. Available at http://www.meddeviceonline.com/doc/medjacking-how-hackers-use-medical-devices-to-launch-cyber-attacks-0001 (19/05/2016)
Goldberg, D. and Baird, A. (2016). As cyber attacks rise, hospitals seek to protect medical records. Available at http://www.capitalnewyork.com/article/albany/2016/04/8596612/cyber-attacks-rise-hospitals-seek-protect-medical-records (19/05/2016)
Gorenstein, D. (2016). Hospitals Could Be Doing More to Prevent Cyber Attacks. Available at http://sideeffectspublicmedia.org/post/hospitals-could-be-doing-more-prevent-cyber-attacks (19/05/2016)
Hug, A. (2016). Healthcare Organizations Beware: Hackers Are Coming For Medical Records and PHI. Available at https://www.zenedge.com/blog/healthcare-organizations-beware-hackers-are-coming-for-medical-records-and-phi (19/05/2016)
Kuchler, H. (2015). Lack of cyber security draws hackers to hospital devices. Available at http://www.ft.com/cms/s/2/37034b82-94ef-11e5-bd82-c1fb87bef7af.html#axzz48ifuwhtj (19/05/2016)
LaChance, N. (2016). Malware Attacks On Hospitals Put Patients At Risk. Available at http://www.npr.org/sections/alltechconsidered/2016/04/01/472693703/malware-attacks-on-hospitals-put-patients-at-risk (19/05/2016)
Mohney, G. (2016). Hospital Hack Spotlights How Medical Devices and Systems Are at Risk. Available at http://abcnews.go.com/Health/hospital-hack-spotlights-medical-devices-systems-risk/story?id=37032717 (19/05/2016)
Ostashen, A. (2016). Medical Device Cyber-Attacks: Ounce of Prevention Worth a Pound of Cure. Available at http://www.healthcarebusinesstoday.com/medical-device-cyber-attacks-ounce-of-prevention-worth-a-pound-of-cure/ (19/05/2016)
Paul (2016). FDA: Medical Device Makers Urged To Secure Post Market Devices from Cyber Attack. Available at https://securityledger.com/2016/01/fda-medical-device-makers-urged-to-secure-post-market-devices-from-cyber-attack/ (19/05/2016)
Reel, M. and Robertson, J. (2015). It's Way Too Easy to Hack the Hospital. Available at http://www.bloomberg.com/features/2015-hospital-hack/ (19/05/2016)
Sisson, P. (2016). Alvarado hospital fighting cyber attack. Available at http://www.sandiegouniontribune.com/news/2016/mar/31/alvarado-malware-attack/ (19/05/2016)
Siwicki, B. (2016). Tips for protecting hospitals from ransomware as cyberattacks surge. Available at http://www.healthcareitnews.com/news/tips-protecting-hospitals-ransomware-cyber-attacks-surge (19/05/2016)
Turner, R. (2015). 'Medjacking' risk: Warning hackers could target wireless medical devices. Available at http://www.abc.net.au/news/2015-12-03/life-saving-wireless-medical-devices-at-risk-of-cyber-attack/6996298 (19/05/2016)
Vaas, L. (2016). Hospitals vulnerable to cyber attacks on just about everything. Available at https://nakedsecurity.sophos.com/2016/02/26/hospitals-vulnerable-to-cyber-attacks-on-just-about-everything/ (19/05/2016)
Vanian, J. (2016). Hollywood Hospital Pays Off Hackers To Restore Computer System. Available at http://fortune.com/2016/02/18/hollywood-hospital-hackers-computer-system/ (19/05/2016)
Witt, R. (2013). The Second Vector of a Healthcare Cyber Attack - Connected Medical Devices. Available at https://blog.fortinet.com/post/the-second-vector-of-a-healthcare-cyber-attack-connected-medical-devices (19/05/2016)
Young, C. (2015). Why hackers want your health-care data. Available at http://www.cnbc.com/2015/05/27/why-hackers-want-your-health-care-data-commentary.html (19/05/2016)
Zorabedian, J. (2016). Why cybercriminals attack healthcare more than any other industry. Available at https://nakedsecurity.sophos.com/2016/04/26/why-cybercriminals-attack-healthcare-more-than-any-other-industry/ (19/05/2016)
Diagram 1 is based on an IBM diagram available at https://www.hipaasecurenow.com/index.php/average-cost-per-lost-health-care-record-is-363/ (19/05/2016)
Implementing HIPAA Controls
Diagram 2 is provided by GAO in their "Information Security of Active Medical Devices" report (page 20). Retrieved on 19/05/2016 from http://www.gao.gov/assets/650/647767.pdf