Ransomware attacks, while a significant danger to both companies and individuals, can also constitute a major threat to medical personnel and their patients. This was found first hand by Paul Pugsley, an emergency medicine resident Maricopa Medical Center in Phoenix, Arizona.
Pugsley was attempting to administer a CT scan to his patient who had suffered a stroke; the scan would have determined whether the stroke was the result of a clot or a bleed, vital information that would determine further treatment: a supposition in this matter can result in the death of the patient. However, when Pugsley examined a screen in the corner of the room, he did not find any results of his test, but was instead confronted with a demand for a Bitcoin payment.
Fortunately for the medical student, the ransomware attack was part of an elaborate simulation designed to prepare the next generation of doctors for the very real possibility of cyber attacks targeting medical installations (in addition, the patient was, in fact, a medical test dummy). Yet the necessity for this training is in itself evidence in support of the findings of Cylane, a cyber security company which found that the healthcare industry is subject to the majority of all ransomware hacks. This is particularly alarming when one considers that the average hospital room has between fifteen and twenty connected devices in operation at any time.
“From a threat perspective, healthcare is often seen as a large, soft target,” said William Peteroy, security CTO at Gigamon. “There are increasing interdependencies between technology and providing quality care, which means that we’re seeing more technology in healthcare than ever before, but we don’t see a strong and consistent focus on information security to go along with that.”
Stephen Cox, chief security architect at SecureAuth, agrees. “The healthcare industry houses some of the most personal and sensitive data one can imagine,” he told Business News Daily. “Having this data be stolen by attackers and leaked to the dark web can be an absolute catastrophe for phishing campaigns. Having a device taken offline due to an incident could delay a patient from receiving a vital treatment.”
The vulnerability of the medical sector came to prominence in 2017 after a massive cyber attack was unleashed against the UK’s National Health Service, which caused catastrophic disruption and forced hospital staff to revert to using pens, paper and their personal phones to continue daily operations. Perhaps most alarming of all was the fact that the ransomware hack was carried out using WannaCry, which a cyber gang known as the Shadow Brokers claimed to have stolen directly from the United States’ National Security Agency, one of the principle intelligence bodies of the US, alongside the CIA and FBI. The group was apparently able to directly hack the NSA by using a tool known as Eternal Blue – proof, if more were needed, that the black market has access to government/military technologies, and the civil sector’s defensive capabilities are more vital than ever.
The following directives are recommended for medical installations:
- Identify and monitor all connected medical devices.
Every single connected medical device should be monitored in real time, allowing security teams to constantly probe for vulnerabilities or anomalous behavior that could signal the device has been compromised. In an environment with hundreds or thousands of connected devices, employing some type of intelligent cybersecurity solution is the only way to effectively manage the network.
“Tracking devices for visibility manually is indeed difficult, especially with a small security team,” says Chris Morales, head of security analytics at Vectra. “When you factor in the time it takes a lean security team to discover a data breach that comprises unknown connected devices, it is apparent the security team needs some level of augmentation of capabilities through intelligent technology.”
- Segment connected medical devices.
Properly segmenting connected medical devices based on vulnerability and risk profile can reduce hackers’ penetration into your network in the event a cyber attack does occur.
“Hospitals can mitigate risks by creating an isolated network for connected devices, which is simple and can be done with VLANs and firewall technology that’s been around for decades,” Peteroy said.
- Ensure software is regularly updated.
Regular software updates are critical to warding off what would otherwise be easily thwarted cyber attacks. The WannaCry attack exploited a vulnerability that was patched in a Windows update released months prior. As a result, the only organizations that were affected by WannaCry were those that had failed to update their software. Every connected medical device should be subject to regular software patching and firmware updates, prioritized by individual risk profile. This makes the device less ripe for exploitation.
- Establish a cybersecurity framework and incident response plan.
Finally, while software solutions and regular updates are a great way to reduce the chances of a cyberattack, a smart security team knows it is a matter of time before their defenses are probed by a malicious actor. It’s crucial for a comprehensive cybersecurity plan to include an incident response procedure that can be deployed at a moment’s notice and includes all the major stakeholders across all departments within the organization.
Hospitals are vulnerable targets because of the value of their information and the sheer scale of their networks. However, leveraging connected medical devices and the many benefits they offer doesn’t mean hospitals must fall victim to hackers and their cyber attacks. By implementing an intelligent cyber security solution that can identify and monitor all connected devices in real time, properly segmenting those devices, running regular software updates, and preparing a comprehensive incident response plan, security teams can be as prepared as possible to face ever-evolving cyber security threats.