Recent research was published by the Washington Post about malware that was created to disrupt medical imaging equipment and networks. This is yet another wake-up call for the healthcare industry that has been underinvesting in security for the last decade. Quite simply, there is a misconception that hospitals’ internal networks are a safe harbor from external cyberattacks. This is despite the fact that real-world data has repeatedly shown that healthcare has been one of the top industries under attack for the last five years. While previous attacks mainly focused on stealing personal health information, this research demonstrates how serious or even deadly an attack on healthcare can be.
There are a few reasons why cyberattacks in healthcare today can have devastating consequences.
Medical device vulnerabilities
Many medical devices inside hospitals are running decade-old operating systems and applications that have many well-known vulnerabilities. In fact, it may be a surprise to many that the vast majority of imaging systems run on Windows OS. Further, recent Zingbox research shows that today, 1 out of 4 imaging systems run on OSes that are no longer supported. By next year, 85% of imaging systems are expected to run on end-of-life OSes as Microsoft terminates support for some of its popular Windows OSes.
To make matters worse, most medical device manufacturers lack strong in-house cybersecurity expertise. While their expertise lies in device reliability and accuracy, which continue to be top requirements for connected medical devices, the lack of cybersecurity expertise puts the device reliability and accuracy into question. The lack of cyber-specific expertise also limits manufacturers’ ability to “bake in” cybersecurity measures on the device.
One might think that patches and upgrades are the answer. Unfortunately, no. FDA certification and other requirements pose significant hurdles for manufacturers to apply patches or upgrades to devices already deployed at hospitals.
Tools designed for IoT
Many hospitals lack the tools to monitor life-critical devices with 100% assurance of uninterrupted service and care. Such tools must be completely transparent to the device and in no way interfere with or hamper its operation. Yet, organizations continue to rely on traditional IT security solutions for IoT. Network security tools such as firewalls and antivirus software result in security gaps that hackers can easily exploit.
Vulnerabilities that stem from inadequate IoT security tools:
Most network security solutions often cannot discern a PC from a CT scanner, whereas such a distinction is critical for cybersecurity.
CT scanners’ communication is almost never encrypted, device access doesn’t require basic authentication, and given the mobility of typical CT scanners, the devices can be connected to any internal network, according to Zingbox’s research findings.
Connecting a device to any network breaks the basic micro-segmentation policies IT teams have been encouraged to deploy for cybersecurity.
“Consumer pressure is driving a disruptive technology-enabled shift in healthcare today,” said Hal Wolf, HIMSS president and CEO, in a statement about the report. “Digital health technologies are beginning to deliver on their promise to help providers understand individual consumer preferences and provide personalized care that effectively coordinates care throughout the broader health ecosystem. By fully realizing the potential of information and technology, we can create an ever-increasingly informed and empowered global community of innovators, care providers, and patients.”
Specifically, the HIMSS report addresses four key trends: digital health implications and applications, consumer impact, financial and demographic challenges, and issues of data governance and policy. “Digital health tools have been riding the peak of the hype cycle for several years now,” the report points out, “but 2019 will be the year that digital health will need to answer for the way technology will increase access to care and narrow gaps in care and coverage.”
Given these areas of focus, it’s a good bet that the upcoming HIMSS19 conference and trade show will heavily promote these ideals. Even so, there are likely to be many other takeaways from healthcare technology’s biggest annual event, so we asked some industry insiders, experts and thought leaders what they hope will become the main takeaways from the event once it has wrapped. Here’s what they said.
Zingbox, provider of a healthcare Internet of Things (IoT) analytics platform, announced new research demonstrating that hackers are leveraging error messages from connected medical devices — including radiology, X-ray and other imaging systems — to gain valuable insights. These insights are then used to refine the attacks, increasing the chance of a successful hack.
“Hackers are finding new and creative ways to target connected medical devices. We have to be in front of these trends and vulnerabilities before they can cause real harm,” said Xu Zou, Zingbox CEO and co-founder. “We make it our mission to assist and collaborate with device manufacturers to ensure the security and uninterrupted service of connected medical devices.”
The information-gathering phase of a typical cyberattack is a very time-intensive phase in which hackers learn as much as they can about the target network and devices. By simply monitoring the network traffic for common error messages, hackers can gain valuable insight into the inner workings of a device’s application: the type of web server, framework and versions used; the manufacturer that developed it; the database engine in the back end; the protocols used; and even the line of code that is causing the error. Hackers can also target specific devices to induce error messages. With this information, the information-gathering phase is greatly shortened and they can quickly tailor their attack to the target device.
Zingbox’s research discovered that:
Information shared as part of common error messages can be leveraged by hackers to compromise target connected devices.
Hackers can “trick” or induce medical devices into sharing detailed information about the device’s inner workings.
Leveraging this information quickens a hacker’s access to a hospital’s network.
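The following is an added example, not code from Zingbox's research or from any device vendor: a defender-side check that scans captured HTTP error responses from devices in a hospital's own inventory for the kinds of detail described above (web server, framework and version, database engine, line of code). The device labels, file path and both sample responses are constructed for illustration.

```python
import re

# Categories mirror the details the article says error messages give away.
RULES = [
    ("web_server", re.compile(r"^Server:[ \t]*(\S.*?)[ \t]*$", re.I | re.M)),
    ("framework", re.compile(
        r"^(?:X-Powered-By|X-AspNet-Version):[ \t]*(\S.*?)[ \t]*$", re.I | re.M)),
    ("database", re.compile(
        r"\b(ORA-\d{5}|Microsoft SQL Server|MySQL|PostgreSQL)\b")),
    ("code_location", re.compile(
        r"\bin\s+(\S+\.(?:cs|vb|java|php|py)):line\s+(\d+)")),
]

# Constructed sample: a verbose 500 response from a hypothetical imaging viewer.
VERBOSE = r"""HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319

<h1>Server Error in '/viewer' Application.</h1>
ORA-00942: table or view does not exist
   at Imaging.StudyList.Load() in C:\inetpub\viewer\StudyList.cs:line 88
"""

# Constructed sample: the same failure with the details kept server-side.
HARDENED = """HTTP/1.1 500 Internal Server Error
Content-Type: text/plain

An error occurred. Reference: 7f3a91
"""

def audit_response(raw):
    """Return {category: [disclosed values]} for one captured response."""
    findings = {}
    for category, pattern in RULES:
        for match in pattern.finditer(raw):
            value = ":".join(match.groups())
            if value not in findings.setdefault(category, []):
                findings[category].append(value)
    return findings

def exposure_report(captures):
    """Map device label -> leaked categories; clean devices are omitted."""
    return {label: sorted(found) for label, raw in captures.items()
            if (found := audit_response(raw))}

if __name__ == "__main__":
    print(exposure_report({"ct-viewer-01": VERBOSE, "ct-viewer-02": HARDENED}))
```

A device that appears in the report is a candidate for generic error pages and suppressed version headers, with the full detail logged only on the server.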
“Imagine how much more effective hackers can be if they find out that a device is running on IIS Web Server, using Oracle as backend and even gathering usernames,” said Daniel Regalado, principal security researcher at Zingbox and co-author of Gray Hat Hacking. “That will help them to focus their attack vectors towards the database where PHI data might be stored.”
The research also revealed that the healthcare industry has made great strides in collaborating across providers, vendors and manufacturers: there was rapid response and a willingness to generate patches for their medical devices from three out of seven manufacturers whose devices were included in the study. However, there is still work to be done to convey the urgency of these findings and to increase collaboration between security vendors and device manufacturers.