
While doctors have sworn to do no harm, the same doesn’t seem to be true for the equipment or the networks they use to administer care. According to a new report from the SANS research organization and Norse, medical providers are already succumbing to cyberattacks in droves. The study found 49,917 unique malicious events from the healthcare providers they profiled, and don’t worry: it gets worse. The report found that many networked medical devices were easily taken over by hackers. These included radiology imaging software, video conference systems, digital video systems, call contact software, and security systems. Even devices that were meant to help shield organizations, like VPNs, firewalls, and routers, were being hijacked.

According to the article in PC Magazine, the report found that medical devices and software are becoming a favorite target of hackers for launching other attacks — either on the same network or on other targets. From the report: “Once compromised, these networks are not only vulnerable to breaches, but also available to be used for attacks such as phishing, DDoS and fraudulent activities launched against other networks and victims.” “One of the biggest reasons we see the infrastructure for hospitals being used as launching platforms for other cybercrime and hacks is because a lot of these devices are dumb devices,” said Norse CTO and co-founder Tommy Stiansen. “They’re not desktops or servers, but they’re all running Linux.” We’ve already seen how some devices, particularly networked video cameras, can be used to gain a foothold on a victim’s network and cause all kinds of mayhem.

Despite their capabilities, medical equipment and surveillance cameras aren’t considered part of the security architecture, explained CEO and co-founder Sam Glines. “A document that was discovered by our crawlers for a major hospital had the same user name and password for everything,” he said. This included life-saving devices like dialysis equipment. Remember that the Internet is still on track to kill you by 2014.

As if to demonstrate the scope of the problem, Stiansen mentioned that they first became interested in this project when they observed credit card information being transmitted by medical devices. “If someone leaves the door open, hackers will come,” said Stiansen. In addition to unsecured devices and software used by hospitals is an even bigger problem: stolen medical data. Healthcare providers at all levels have extremely valuable personal data at their disposal, and it’s that information that attackers are desperate to get their hands on. The reason, explained Stiansen, is simple: “You can conduct more fraud with it than you could with credit card data.” An attacker can quickly monetize medical data, he explained, through avenues like Medicare or prescription fraud. In addition to medical information, the intellectual property and billing information stored by healthcare providers is also at risk.

Beyond the obvious impact on individuals caused by having your data stolen, the report also points out that this fraud drives the price of healthcare even higher. The report cites a Ponemon report from last year which estimated the cost of insurance and medical fraud at around $12 billion. Obviously, health care organizations need to get serious about securing their networks and devices, even at a basic level. “Consider everything with an IP address to be a critical endpoint,” said Glines, who went on to say that stronger password protocols for everything from medical devices to firewalls would improve the situation.

New legislation might also encourage better behavior. Glines pointed to European Union laws that fine companies a percentage of their revenue when a breach occurs or a loss of data takes place. Though HIPAA is intended to provide protection, Norse maintained that compliance simply did not equate to security. But there’s a role for regular people, too. Stiansen encouraged patients to question their healthcare provider about cybersecurity. Glines agreed, saying, “consumers are the ones who have the most to lose. They have the right to ask how their records are maintained and what sort of security procedures are in place.”