Tag: healthcare hacking

Medical Devices are Attacked Every 20 Seconds: Here Is How to Protect Them

By Daniel Trivellato, vice president of healthcare and cyber risk solutions, Forescout.

A recent honeypot study revealed that every 20 seconds, somewhere in the world, a cybercriminal targets a medical imaging device. In the time it takes to check a patient’s vital signs, multiple attackers may be actively trying to breach the very systems designed to provide vital healthcare information and keep us alive.

While connected devices have become increasingly prevalent in healthcare, many healthcare organizations fail to adequately protect them. Recent research examining over 2 million devices across 45 healthcare organizations revealed that approximately half of all devices in healthcare networks are now Internet of Medical Things (IoMT), Internet of Things (IoT), operational technology (OT) or building automation devices. These are more than simply administrative systems: these devices, which include patient monitors, infusion pumps, and imaging systems, play a direct role in influencing patient outcomes.

Of the 306 medical device vendors observed, the research finds that medical devices are running on 110 different operating systems, making the complexity of securing these networks truly staggering.

While household names like Philips, GE Healthcare, and Baxter are major players in the space, these organizations only represent 40% of the vendor landscape. The remaining 60% is a fragmented maze of smaller providers, each with its own potential vulnerabilities.

Perhaps most alarming is the dramatic rise in exposed Digital Imaging and Communications in Medicine (DICOM) servers. Between August 2022 and May 2024, we’ve seen a 27.5% increase in exposed servers, with the majority of exposed devices located in the United States, India, Germany, Brazil, Iran, and China. Across all IoMT devices, our research uncovered 162 vulnerabilities, with half of the most critical flaws found in Windows-based systems.

Recent breaches have had real-world impact on both health systems and patients. In 2023, healthcare organizations experienced an average of 1.6 data breaches per day, with each incident affecting approximately 200,000 patients. This isn’t just about compromised data – it’s about real people whose private medical information is at stake.

When personal medical device data is stolen, patients can face serious personal risks, including identity theft, insurance fraud, and emotional distress. Many cybercriminals leverage stolen medical records to create sophisticated phishing schemes, impersonate patients to obtain prescription medications, or even blackmail individuals with sensitive health information. Patients may also experience emotional distress following a breach of personal information, feeling vulnerable knowing their most intimate health details have been exposed.

Cozy Bear’s Recent Hack Is Just One More Incident In A Troubling Trend

By Thomas Pace, vice president, global enterprise solutions, Blackberry Cylance.

Recently, hacking group Cozy Bear attempted to steal COVID-19 vaccine research from multiple organizations in Canada, the United States, and the United Kingdom. The hackers, reportedly under the employ of the Russian government, scanned targets for network vulnerabilities in an effort to infect them with network tracking and file exfiltration malware. This is not the first time research into the novel coronavirus has been a target and it is unlikely to be the last.

On some level, this news is unsurprising, as healthcare has always been an attractive target for cybercriminals.

Patient data is a valuable commodity on the black market, often containing everything one would need to know in order to commit various types of fraud. Access to critical systems can be a literal case of life and death, and these systems are often so interconnected that an attack may spread like wildfire. Finally, many healthcare agencies lack the time and resources to prioritize cybersecurity to the degree that they should.

Yet this is also a unique situation. We are currently in the midst of a global pandemic, a period of heightened sensitivity and unprecedented digitization. People in all industries are exhausted and anxious, a combination which makes them particularly susceptible to mistakes.

Moreover, vaccine research is a priority for governments across the world. Each seeks to lessen the virus’s impact on their citizenry and economy, with many employing state-sponsored actors to give themselves a leg up. Rank-and-file criminals, meanwhile, are also perfectly willing to exploit the situation for their own gain.

At all levels, phishing campaigns remain the number one attack vector. There’s no need to waste effort trying to break through an organization’s defenses if one can simply trick an employee into granting access. Agencies researching the COVID-19 vaccine are particularly susceptible to targeted phishing attacks due to the collaborative nature of their work.

6 Most Precarious Developing Medical Technologies

Modern technology can be seen as a blessing and a curse, especially when it comes to the technology used in healthcare. Some of the medical technological advancements seen today are astonishing. They are there to improve our quality of life and to make us live longer, healthier lives, but everything good comes with risks. The technology we deal with today is rapidly developing and as it does, new threats are being presented to both doctors and hospitals. Today, we will be taking a look at six technologies currently being developed that could potentially become hazardous in the field of medical technology.

Network Shutdown

As we become more and more reliant on electronic medical records, the susceptibility of a hospital suffering a cyberattack or struggling because of a network failure is continuing to increase. To reduce the risk of this happening, all hospitals will need to have an extremely complex network security system that is resistant to hackers. They also need to make sure they have back-up files in case they have to deal with network failure.

Telemedicine

Telemedicine is the practice of remote patient care, so the patient and the provider won’t be physically present with each other. This modern technology has been developed to enable consultations with patients over easy and robust telemedicine software. Although this is convenient, it may create challenges when trying to ensure the quality of care. If things go wrong, then a lawsuit could be filed for medical negligence. In these cases, a Miami medical malpractice attorney should be contacted.

Wearables

Recently, there has been a huge development in medical device technology and there is a wide range of medical devices on the market. These wearable sensors are constantly transmitting a vast amount of health information to doctors. This has already been proven to increase the expectations of patients because they believe doctors are constantly monitoring and will act upon this.

Healthcare Hacking Profitability and Prevention

By Ken Lynch, founder and CEO, Reciprocity Labs.

For decades now, hackers have been cashing in on financial data. The routine has been constant. A hacker finds their way into a site, steals financial information belonging to the site’s visitors, then uses their personal information to create fake credit cards. These are then used to steal money from unsuspecting individuals. However, this trend hit a snag once financial institutions found ways of stopping such activities. This was frustrating to these intruders, considering that most times their efforts were rendered futile after the cards they made were blocked.

These people then discovered a new cash cow that allows them to reap money from insurance companies. Typically, hackers get as little as $1 for one credit card, which is a meager payment for such a dangerous job. However, healthcare information pays well in that they create counterfeit health insurance cards, then make cash claims in fabricated hospitals. Considering that the demand for this data is high, healthcare data attacks have been on the rise, targeting several hospitals, and they have managed to affect over 11 million people.

How do you keep your data safe from these online breaches?

With such high stakes, each hospital needs to come up with security measures that ensure their data is always safe. Look at some of the possible ways you can secure your information.

Assess the risks

You cannot solve a problem if you are not aware that it even exists in the first place. Check for loopholes that leave your hospital vulnerable to these attacks. For instance, a hospital with few employees leaves specific sectors such as the IT section unmanned, which makes them susceptible to being attacked. You must approach this by looking at the most sensitive areas of a company and finding out the consequences that you may face if your data is stolen.

Appraise all agreements with business partners, vendors and clients every year

Know the type of information that the people and entities you interact with access. Learn what your contract entails and review the stipulations regularly. Long before new laws were formed, third-party companies never had any agreements with any of their partners. Whenever they got a hold of information, it was up to them to know what they wanted to do with such intel. In this era, such loopholes can lead to massive scandals, which is why you need to evaluate every past action and put stringent measures in place to ensure anyone who encounters sensitive information knows the implications of going against the agreement. Do not give a lot of authority to vendors and ensure that they sign privacy policies that bar them from sharing or using private data.

Healthcare Institutions Received More Attacks than Finance In 2018

Summarizing the outcomes of 2018, the experts noted an increase in the share of targeted attacks that grew throughout the year reaching 62 percent in Q4. By and large, targeted attacks became the favorite method of attackers (55 percent) in 2018, unlike the previous year.

The number of attacks aimed at data theft keeps growing. A statistical analysis of 2018 showed that attacker interest was mainly focused on personal data (30 percent), credentials (24 percent), and payment card information (14 percent).

In 2018, healthcare institutions in the U.S. and Europe were at the center of attention from hackers, receiving more attacks than even banks and finance. In addition to stealing medical information, hackers also demanded ransom for restoring the operability of computer systems. Hospitals were ready to pay hackers, patient lives being at stake. According to experts, attackers got hold of personal data and medical information of more than 6 million people.

DDoS attacks became more powerful. Thus, 2018 was marked by the two biggest DDoS attacks in history, reaching 1.35 and 1.7 terabits per second. IT companies were the second-most common target of DDoS attacks, after government institutions. Hackers disrupted the operations of internet service providers and game companies, which are particularly sensitive to downtime and equipment disruption.

In 2018, malware was used in 56 percent of attacks. Such popularity is caused by the fact that malicious software is becoming more and more available each year, which reduces the barrier to entry for cybercriminals. Attackers mostly used spyware and remote administration malware to collect sensitive information or gain a foothold on systems during targeted attacks.

The Healthcare Industry Needs to Address Security in 2019

By Leigh-Anne Galloway, cyber security resilience lead, Positive Technologies.

It has become clear in the last few years that when it comes to cybercrime, hackers are not fussy about which organization or sector they focus on – if there’s profit to be made, anyone is a potential target.

However, there are of course institutions which will always be of particular desirability to cybercriminals. Financial institutions, banks and retail are among the most targeted because the goal of most cyberattacks is financial gain, and organizations in these industries are the most lucrative targets for cybercriminals. The healthcare sector is also heavily targeted because of the personal data it holds. This data may be stolen and used for different purposes, including fraud. As a consequence, the focus on healthcare institutions by hackers has ramped up in recent years.

This increased attention on the health sector is because of hackers seeing it as an inexhaustible source of money. On multiple occasions, media reports have described leaks of data from medical centers, followed by a ransom demand sent to clinic management and patients.

There are a number of other ways criminals can monetize attacks on healthcare equipment and applications. These include threatening patient health by altering stored information; using stolen data to fraudulently obtain access to medical care or controlled medications; leveraging personal information on patients and their family members; and sabotaging websites and/or infrastructure on behalf of unscrupulous competitors. Attacking healthcare institutions also allows criminals to resell stolen data to third parties such as insurance companies, healthcare providers, banks, and others, who can use this valuable information for a number of purposes (such as advertising, research, or even discrimination based on pre-existing conditions).

One such specific way that criminals can carry out attacks is by exploiting advancements in health technology and equipment in recent years. We’ve seen an increasing number of medical devices such as pacemakers, drug pumps (like insulin infusion devices), implantable defibrillators, and other devices implementing wireless connectivity for doctors to control and fine-tune their work and update firmware. This makes these devices potentially incredibly dangerous for patients. A criminal could research and reverse communication protocols and exploit vulnerabilities in a simple piece of software used in those tiny devices, for example changing the heart rate controlled by pacemakers, injecting incorrect doses of drugs or even making them show the wrong data — leading doctors to the wrong conclusions and causing them to make mistakes in their treatment.

New Trend in Cyber Attacks Targeting Connected Medical IoT Devices and the Patients That Use Them

Zingbox, provider of a healthcare Internet of Things (IoT) analytics platform, announced new research demonstrating that hackers are leveraging error messages from connected medical devices — including radiology, X-ray and other imaging systems — to gain valuable insights. These insights are then used to refine the attacks, increasing the chance of a successful hack.

“Hackers are finding new and creative ways to target connected medical devices. We have to be in front of these trends and vulnerabilities before they can cause real harm,” said Xu Zou, Zingbox CEO and co-founder. “We make it our mission to assist and collaborate with device manufacturers to ensure the security and uninterrupted service of connected medical devices.”

The information-gathering phase of a typical cyberattack is very time-intensive: it is where hackers learn as much as they can about the target network and devices. By simply monitoring the network traffic for common error messages, hackers can gain valuable insight into the inner workings of a device’s application; the type of web server, framework and versions used; the manufacturer that developed it; the database engine in the back end; the protocols used; and even the line of code that is causing the error. Hackers can also target specific devices to induce error messages. With this information, the information-gathering phase is greatly shortened and they can quickly tailor their attack to the target device.

Zingbox’s research discovered that:

“Imagine how much more effective hackers can be if they find out that a device is running on IIS Web Server, using Oracle as backend and even gathering usernames,” said Daniel Regalado, principal security researcher at Zingbox and co-author of Gray Hat Hacking. “That will help them to focus their attack vectors towards the database where PHI data might be stored.”

The research also revealed that the healthcare industry has made great strides in collaborating across providers, vendors and manufacturers: there was rapid response and a willingness to generate patches for their medical devices from three out of seven manufacturers whose devices were included in the study. However, there is still work to be done to convey the urgency of these findings and to increase collaboration between security vendors and device manufacturers.
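
A defender-side check for the disclosure described above, as an added example that is not from Zingbox's research or the original article: it audits captured HTTP responses from a device's web interface for the details the article lists (web server, framework, database engine, failing source line). The two sample responses and the regex signatures are constructed assumptions.

```python
import re

# Signatures are illustrative assumptions, not taken from the Zingbox research.
HEADER_RULES = {
    "server": ("web server version", re.compile(r"[A-Za-z\-]+/\d+(\.\d+)*")),
    "x-powered-by": ("framework", re.compile(r".+")),
    "x-aspnet-version": ("framework", re.compile(r".+")),
}
BODY_RULES = [
    ("database engine",
     re.compile(r"\bORA-\d{5}\b|SQLSTATE\[\w+\]|error in your SQL syntax", re.I)),
    ("source line",
     re.compile(r"\b(?:in|at) (?:[A-Za-z]:\\|/)[^\s:]+(?: on line |:line |:)\d+", re.I)),
]

# Constructed sample: a verbose error page from a hypothetical imaging viewer.
VERBOSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n\r\n"
    "ORA-00942: table or view does not exist\r\n"
    "   at Viewer.Study.Load(Int32 id) in C:\\app\\Study.cs:line 88\r\n"
)
# Constructed sample: the same failure with a generic page and a reference id.
HARDENED = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: webserver\r\n"
    "Content-Type: text/html\r\n\r\n"
    "An error occurred. Reference: 7f3a\r\n"
)


def parse_response(raw):
    """Split a raw HTTP response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_response(raw):
    """Return a sorted list of (category, evidence) disclosures in one response."""
    status, headers, body = parse_response(raw)
    findings = set()
    for name, (category, pattern) in HEADER_RULES.items():
        match = pattern.search(headers.get(name, ""))
        if match:
            findings.add((category, f"{name}: {match.group(0)}"))
    if status >= 400:  # body signatures are only checked on error responses
        for category, pattern in BODY_RULES:
            match = pattern.search(body)
            if match:
                findings.add((category, match.group(0)))
    return sorted(findings)


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE), ("hardened", HARDENED)):
        print(label, audit_response(raw))
```

Every finding on the verbose response is something the device should replace with a generic message and log server-side instead.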

Will “Digital Fingerprint” Forensics Thwart the Data Thieves Lurking in Hospital EHR Corridors?

Guest post by Donald Voltz, MD, Aultman Hospital, Department of Anesthesiology, Medical Director of the Main Operating Room, Assistant Professor of Anesthesiology, Case Western Reserve University and Northeast Ohio Medical University.

As Halloween approaches, the usual spate of horror movies will intrigue audiences across the US, replete with slashers named Jason or Freddie running amuck in the corridors of all too easily accessible hospitals. They grab a hospital gown and the zombies fit right in. While this is just a movie you can turn off, the real horror of patient data theft can follow you.

(I know how terrible this type of crime can be. I myself have been the victim of a data theft by hackers who stole my deceased father’s medical files, running up more than $300,000 in false charges. I am still disputing on-going bills that have been accruing for the last 15 years).

Unfortunately, this horror movie scenario is similar to how data thefts often occur at medical facilities. In 2015, the healthcare industry was one of the top three hardest hit industries with serious data breaches and major attacks, along with government and manufacturers. The industry is packed with a wealth of exploitable information such as credit card data, email addresses, Social Security numbers, employment information and medical history records, much of which will remain valid for years, if not decades, and fetch a high price on the black market.

Who Are The Hackers?

It is commonly believed attacks are from outside intruders looking to steal valuable patient data and 45 percent of the hacks are external. However, “phantom” hackers are also often your colleagues, employees and business associates who are unwittingly careless in the use of passwords or lured by phishing schemes that open the door for data thieves. Not only is data stolen, but privacy violations are insidious.

The problem is not only high-tech, but also low-tech, requiring that providers across the continuum simply become smarter about data protection and privacy issues. Medical facilities are finding they must teach doctors and nurses not to click on suspicious links.

To thwart accidental and purposeful hackers, organizations should implement physical security procedures to secure network hardware and storage media through measures like maintaining a visitor log and installing security cameras, as well as limiting physical access to server rooms and restricting the ability to remove devices from secure areas. Yes, humans are the weakest link.

Growing Nightmare

Medical data theft is a growing national nightmare. IDC’s Health Insights group predicts that one in three healthcare recipients will be the victim of a medical data breach in 2016. Other surveys found that in the last two years, 89 percent of healthcare organizations reported at least one data breach, with 79 percent reporting two or more breaches. The most commonly compromised data are medical records, followed by billing and insurance records. The average cost of a healthcare data breach is about $2.2 million.

At health insurer Anthem, Inc., foreign hackers stole up to 80 million records using social engineering to dig their way into the company’s network using the credentials of five tech workers. The hackers stole names, Social Security numbers and other sensitive information, but were thwarted when an Anthem computer system administrator discovered outsiders were using his own security credentials to log into the company system and to hack databases.

Investigators believe the hackers somehow compromised the tech worker’s security through a phishing scheme that tricked the employee into unknowingly revealing a password or downloading malicious software. Using this login information, they were able to access the company’s database and steal files.

Healthcare Hacks Spread Hospital Mayhem in Diabolical Ways

Not only is current patient data security an issue, but thieves can also drain the electronic economic blood from hospitals’ jugular vein—its IT systems. Hospitals increasingly rely on cloud delivery of big enterprise data from start-ups like iCare that can predict epidemics, cure disease, and avoid preventable deaths. They also add Personal Health Record apps to the system from fitness apps like FitBit and Jawbone.

Banner Health, operating 29 hospitals in Arizona, had to notify millions of individuals that their data was exposed. The breach began when hackers gained access to payment card processing systems at some of its food and beverage outlets. That apparently also opened the door to the attackers accessing a variety of healthcare-related information.

Because Banner Health says its breach began with an attack on payment systems, it differs from other recent hacker breaches. While payment system attacks have plagued the retail sector, they are almost unheard of among healthcare entities.
