Healthcare was the sector of the US most targeted by cyberattacks last year, and by a significant margin, according to specialist healthcare cybersecurity company CyberMDX’s 2020 vision report.
The report found the industry played host to one in three data breaches in the US in 2019 with 82% of companies assessed admitting to being attacked in the past 12 months. Over 40 million medical records were breached in 2019; this represents a threefold increase on 2018.
Black Book Market Research estimates medical device insecurity cost the sector $4bn in 2019, with $1.4bn of that being spend on recovery costs.
Not only does this situation waste money, it puts patients’ personal data at risk, and could lead to a situation where compromised medical devices cause actual physical harm.
What makes this sector so vulnerable?
CyberMDX’s report provides two reasons why this sector is the most cyber vulnerable: motive and means.
The primary motive is financial, and linked to the lucrativeness of patient medical records. “Today a medical record, on average, costs twice as much as a financial record on the market; [this is because] a medical record in the US comes with a social security number, an insurance policy number and bank account data,” Ido Geffen, CyberMDX’s vice-president of product, explains. “Cyber criminals are interested in selling [lucrative] health information on the black market.”
Combine this with the fact hospitals have a very large, interconnected attack surface – a hospital has almost 20,000 connected devices in its network, according to the 2020 vision report –and that these systems are typically inadequately protected with significant security flaws and vulnerabilities.
This situation has only gotten worse since 2015; Geffen explains: “Obamacare in the US required hospitals and healthcare delivery organisations to move their data online; [so] healthcare was very quickly transformed into a hyper-connected environment”. They were unable to keep up with the “pace of change” needed to keep this environment secure against cyberattacks.
A huge issue the sector has is that “the bulk of [its] resources go into patient care,” Corelight principal security strategist Richard Bejtlich explains. Although this is incredibly important, Synopsys senior security strategist Jonathan Knudsen notes that, unfortunately, it means “cybersecurity has often been neglected or ignored”, which “presents a wide and porous attack surface to adversaries.”
Spotlight on connected medical devices
CyberMDX’s report found that one in ten devices in a hospital’s network is a medical device, each one presenting their own cybersecurity challenges.
Geffen explains “a lot of medical devices were manufactured a decade ago, so they are running on old operating systems” and “use non-encrypted management protocols.” Unlike with customer technology, these devices are not necessarily subject to regular patching or updates. This situation is not helped by each update requiring regulatory approval, Geffen explains.
Knudsen adds “regulatory oversight lengthens product development times and makes the rapid, incremental updates that are typical of software products difficult to properly implement in a healthcare environment.”
Furthermore, since medical devices – such as CT or MRI scanners – are used 24/7, Geffen asks “when do you choose to shut down an MRI device for 12 hours to do an update?” This is a much harder decision than it would be for other industries.
Therefore, it is hardly surprising medical devices are disproportionately affected by software security flaws on the rise in 2019, particularly BlueKeep and URGENT/11, as CyberMDX’s report finds.
BlueKeep is a Windows vulnerability, which targets unpatched devices running on earlier versions of the operating system. CyberMDX’s analysis found that 45% of connected medical devices are exposed, which is two times higher than the average connected device.
URGENT/11 runs on a much more niche operating system called VxWorks, Geffen explains. CyberMDX’s investigation found that 35% of connected medical devices could be exposed to this vulnerability, five times higher than the average for all networked devices.
A related problem is that many hospitals are not aware of how many and what devices they have, meaning they do not know what security issues may be associated with these device; remember, each device has different hardware, firmware, software, interoperability, backward capability and connectivity characteristics. This also means they wouldn’t know if they’re affected by a new vulnerability if a manufacturer were to announce one in their system, Bejtlich notes.
The CyberMDX report notes that identifying which devices are subject to what vulnerabilities is “no small task”, however, these cyber vulnerabilities are putting patients at risk.
When lifesaving medical devices turn deadly
CyberMDX’s report cited a Greenbone Networks report’s findings that there are 1.19 billion medical images currently available on the internet, with 30% accessible without a password or any other type of authentication, and nine million patients being affected globally.
However, even more terrifying, hacking into medical devices can give cybercriminals the ability to “take control of devices and cause them to stop working”, Knudsen explains. Geffen gives two examples; the first is “a  study from Ben-Gurion University of the Negev in Israel about how hackers can manipulate CT and MRI results.” The researchers showed that tampering with these scans aided insurance fraud, ransomware attacks, cyberterrorism and even murder.
Using lung cancer as a case study, the Ben-Gurion scientists showed that attackers had control over the number, size, locations of tumours without compromising the resolution of the 3D scan. Both radiologists and artificial intelligence algorithms were unable to differentiate between altered and correct scans.
Secondly, Geffen notes hackers using cyber vulnerabilities to alter the doses of drugs being administered to patients through syringe pumps. CyberMDX investigated the Alaris pump and found it could by hacked to start or stop administration of doses, increase the pump rate by up to 1000 times and silence alarms.
Bejtlich notes that security researcher Barnaby Jack has been demonstrating for around a decade that insulin pumps can be hijacked to deliver fatal doses to diabetic patients. Jack is most famous for workshopping software available in hospitals that can corrupt pacemakers and remotely send a deadly 830volt electric shock.
Not just something that you would expect to happen in James Bond or Homeland, the latter example is partly why former US vice-president Dick Cheney, fearing assassination, had the wireless connectivity removed from his heart implant in the 2013.
A modern priority: cyber securing healthcare
“Solving for this problem requires the medical community to recognise that cyber threats are as real a possibility as any transmissible medical condition and look at their cyber response plans in the same light as they would any medical protocol,” noted Synopsys senior principle consultant Tim Mackey.
Bejtlich and Geffen agree the first thing hospitals need to do is gain visibility of all the devices in their network. Only once you have “very good, in depth visibility… can you do a risk assessment” Geffen explains.
This, in turn, Bejtlich emphasises, allows hospitals to act appropriately and make necessary budget priorities to deal with these vulnerabilities; “without awareness you are just guessing at what the problem is, so you could be spending a lot of money and [putting a lot of] effort in places that make no difference.”
Shared responsibility with manufacturers
The report also calls out manufacturers and their “spotty record when it comes to security”. As the connected environments medical devices exist within shift and become more complex, there is need for manufacturers to also step up and improve their cybersecurity focus.
“One of the core problems with medical device security is the liability gap [between hospitals and vendors]”, Geffen notes. His colleague, CyberMDX vice-president of marketing Jon Rabinowtiz, adds: “There are tremendous gaps in defining who is responsible for what. Manufacturers often feel that once a device is on the shelf, they are no longer responsible, that’s really not the case.”
“There really needs to be an effort for all stakeholders to come together to work to ensure safety for patients,” Rabinowitz argue. However, he notes that CyberMDX is starting to see a positive shift in this direction.
There is further reason for optimism given that other sectors – such as finance and defence – have managed to overcome this challenge and, as Betjlich notes, the healthcare sector can learn lessons from their experience.