02 July 2018

Cyber Security in Healthcare

It is well documented and reported that the Internet of Things represents a brewing storm from a cyber security perspective. The connectivity of devices is clearly beneficial in many ways but in the same way as technology advances in the past, security was not front of mind when designing devices.

This dynamic is particularly alarming in the healthcare sector where the use of connected devices has grown considerably in recent years and a recent McAfee report stated that attacks on hospitals rose an alarming 211 percent in 2017. The connectivity of devices from infusion pumps and X-ray scanners to blood gas analysers, medical imaging devices, medical lasers and life support equipment has greatly expanded the attack surface in the healthcare sector.

Given the criticality of these devices, the results of security breaches could be catastrophic and the devices present an enticing way for attackers to gain a foothold onto the network of organisations in the healthcare sector that have deployed these technologies. Health records remain a lucrative data set for cyber criminals due to a higher value with $20 to $40 for health insurance credentials being paid compared to $1 to $2 for credit card numbers.

There are numerous challenges with securing these devices and technologies particularly due to the fact they are often running outdated software but also because it is very difficult to monitor them for signs of attack or compromise. This is another factor in why they are an attractive target to attackers when they present an easy route into the wider network and to gain access to sensitive data.

On the positive side, IRM has seen an increase in requests from manufacturers of medical devices, to actively test for security vulnerabilities. In the course of our testing we have discovered that devices are open to attack and there is demonstrable evidence that security was not built into the design and build. In a recent engagement on an insulin pump, it was relatively trivial to gain connectivity to the device and control the doses of insulin being delivered. Clearly this is a major concern as the vulnerability could lead to serious harm or even death.

The manufacturers of medical devices need to ensure that security is architected into their products from the outset. Additionally, aligning with GDPR, a ‘privacy by design’ approach needs to be adopted.  As well as the responsibility on the manufacturers to secure their products, customers must undertake appropriate due diligence to assess the security of the products they are purchasing through independent review and active testing for security flaws. Without this, medical devices and in turn the healthcare industry are susceptible to a large number of security issues including:

  • Attacks aimed at medical equipment with aim of extortion – malware, ransomware like ‘wannacry’ etc
  • Targeted attacks with the aim of gaining access to patient records and health data
  • Focused attacks on data transmitted by wearables to be compromised
  • Denial of service attacks again with the aim of extortion.

So in the overall cyber ‘arms race’ there needs to be significant improvement in securing medical equipment connected to the network and indeed everything else that encompasses the Internet of Things. Manufacturers need to up their game on security by design and consumers of these devices need to undertake diligence around security when purchasing their products.

Where devices are already deployed:

Know what’s connected – you can’t secure what you don’t know exists
Use trusted solutions – actively evaluate product security. Perform security testing on devices or seek evidence from manufacturers that this has happened
Keep devices updated – in the same way as day to day software and infrastructure, ensure the latest versions are deployed
Continuously monitor and manage – proactively look for evidence of security compromise across devices

The evidence is out there that Healthcare is a key sector for cyber criminals with growing evidence of security breaches and without raising the bar for attackers it will continue to be an attractive hunting ground.

 

If you have any concerns you want to discuss, feel free to contact us.