Health Care Digitalization Brings New Security Challenges

The advantages of digitalization are well documented and understood, especially in health care.  Patients, for example, benefit when their doctors can access critical data by simply plugging a device into a wall jack. That wall jack typically connects to every other connected device in the hospital.  If the hospital is part of an MPLS network then the scale of access and convenience is even greater.

Patients benefit because those caring for them are more productive, more knowledgeable and faster to respond. The problem, however, is that easy access can extend beyond the wall jack to the internet.

Digitalization can expose more critical care processes and controls to the internet and that’s a big problem.

Two years ago this week WannaCry took down hundreds of thousands of systems globally in a matter of hours, including about a third of England’s hospital trusts and 8% of the nation’s general practitioner offices. In June we’ll note the anniversary of NotPetya, one of the most devastating cyber attacks of all time. Like WannaCry, it had devastating impacts, including hospitals and clinics. And WannaCry is still out in the wild, continuing to infect computers:

In its global list of countries where WannaCry variants have been detected over the past two years, India is at the top with 727,883 WannaCry infections, followed by Indonesia (561,381), the US (430,643), Russia (356,146) and Malaysia (335,814).

– Dev Kundaliya, WannaCry remains a serious IT security threat worldwide, researchers warn, May 2019

While tens of thousands of appointments, including surgeries, were cancelled or scheduled, no one has yet to die because of a cyber attack. Hospitals are starting to realize that there are 1000’s of devices connected to Hospitals that if breached, could hurt or worse kill someone. These include devices that deliver medication, drugs, chemotherapy and radiation.

A recent study predicted that by 2020 70% of medical devices will be running on unsupported, insecure operating systems, many of which are tied to patient care(CSO Australia):

Some 38 percent of connected devices related to patient identification and tracking systems, while 32 percent were infusion pumps, 12 percent patient monitors, 5 percent point-of-care testing, and 3 percent medication dispensing systems.

               – David Braue, For breach-weary healthcare CISOs, Internet of Medical Things is yet another headache, May 2019

There are scores of vulnerable medical devices (see Melanie Evans and Peter Loftus Rattled by Cyberattacks, Hospitals Push Device Makers to Improve Security):

The Department of Homeland Security last year issued 30 advisories about cybersecurity vulnerabilities in medical devices, up from 16 the year before, according to MedCrypt, which makes security software for medical devices.

The situation is getting worse just as we commemorate the rise of powerful cyber attacks and ransomware:

Reports show that ransomware and other cyberattacks are on the rise — and health care is one of the biggest targets. Just this week, researchers in Israel announced that they’d created a computer virus capable of adding tumors into CT and MRI scans — malware designed to fool doctors into misdiagnosing high-profile patients, Kim Zetter reports for The Washington Post.

Hospitals are attractive targets because they have a shared infrastructure. Like an airport, they also have lots of 3^rd party vendors working on the same L2 network through hundreds of VPNs, some connected directly to critical care equipment. Giftshops, vending machines, bio-medical services, laboratories can also share that same common network.

Hospitals often have no idea what’s on their network at a particular moment. They’re often using networks built incrementally over decades and no one ever made a map. Very few have done any inventory of connected devices. And those devices can be plugged and unplugged from the network in seconds. Many of them are running outdated and unpatched. operating systems.

Around 10% of the devices on hospital networks run outdated operating systems (XP, Windows 2003 as examples). Hospitals are also starting to realize that there are 1000’s of connected devices that if breached, could hurt someone. These include devices that deliver medication, drugs, chemotherapy and radiation.

So as hospitals converge OT/IT infrastructure new demands, from attack surface, to vector sprawl confront firewalls and segmentation solutions architected for quite different challenges.  See Happy Birthday WannaCry…

Comments are closed.