Patient and hospital records are at serious risk of hacking attacks, according to a two-year study of healthcare facilities by Independent Security Evaluators, based in Baltimore, Md. The 71-page study assessed security at 12 hospitals, two health data facilities, two medical devices from one manufacturer, and two web applications. The assessment took place over a two-year period.
Evaluators attacked medical organizations in controlled settings. The attacks included compromising drug dispensers, patient monitoring systems and check-in kiosks. The drug-dispenser attacks followed infections delivered by USB sticks that had been left on hospital premises. Such attacks, if carried out by malicious attackers, could have resulted in death or patient injury, the study noted.
Deadly Attacks Are Possible
“We demonstrated that a variety of deadly remote attacks were possible within these facilities, of which four attack scenarios are presented in this report,” the study noted.
The study’s goal was to create a blueprint for medical facilities to follow in reaching full security readiness. The research was driven by an analysis of different healthcare systems, applications and budgets. Research included interviews with hospitals, data centers, medical device manufacturer employees, and industry thought leaders on ISE’s advisory board.
“These findings illustrate our greatest fear: patient health remains extremely vulnerable,” the report stated. “The findings show an industry in turmoil: lack of executive support, insufficient talent, improper implementations of technology, outdated understanding of adversaries, lack of leadership, and a misguided reliance upon compliance.”
The two biggest security flaws in the healthcare industry are: 1) the focus is almost completely on protecting patient records, and 2) the existing measures address only unsophisticated adversaries.
Adversaries cited include individuals and small groups, political groups, organized crime, terrorists and nation states.
What’s At Stake For Attackers
Adversaries attack health care facilities because the assets available have high value to them.
Motivations for attacks in health care facilities differ.
An adversary interested in selling large quantities of identifiable information found in electronic health records will attempt to compromise the records of any patient because the records have fairly equal value. Such attacks are untargeted.
Less common is the adversary targeting the electronic health records of a specific individual or group. The value in exploiting this information could be much greater on a per-record basis. Because the two kinds of attack differ, defending against each requires a different approach.
Attacks can also be unsophisticated or advanced. Unsophisticated attacks leverage known vulnerabilities, those that have been previously disclosed in the affected systems, or are easily detected with automated tools. Advanced attacks are those leveraging “0-day” vulnerabilities in applications.
None of the hospitals investigated separated information security (IS) from information technology (IT). All IS responsibility fell within IT. This presents a problem since the two departments have conflicting directives (closedness and restriction for IS, openness and functionality for IT).
In many cases, lowest-level staff made decisions about deploying and configuring the technology when such decisions should have been made at the department level.
Hospitals Lacked Protocols
Hospitals lacked defined, implemented and/or auditable policies. They also lacked network awareness, audit procedures, logging and monitoring procedures, and suffered from insecure network architecture and insufficient access controls.
Facilities relied extensively on legacy systems, had weak controls over remote access, and ran both custom-built and vendor-provided software that had never been security assessed.
Ted Harrington, executive partner at ISE, said everything the researchers examined had critical security issues with implications for patient health, according to Forbes. While he considered it risky to say everything has issues, everything the researchers examined had flaws. Given unlimited resources and time, he said, they could probably find ways to attack patient health in any aspect of health care.
The findings contribute to an expanding source of evidence pointing to poor security at medical facilities. A large number of medical devices have been considered vulnerable in the past year.
A range of cancer screening technology used easily-crackable passwords in July 2015. Sergey Lozhkin, a senior researcher at Kaspersky Labs, showed how easily he was able to penetrate a Moscow-based hospital’s defenses by breaking in via its Wi-Fi, in a controlled environment.