How safe is your wound clinic from cyberattacks? This author offers practical advice to keep your operation running smoothly in the face of threats such as ransomware, hacking, and medjacking.
Criminal attacks are the leading cause of data breaches in health care, and health care organizations report 50% of their breaches come from cyberattacks.1 Ninety percent of these organizations had a data breach in the past two years, and nearly half had more than five data breaches in the same time period.
The average cost of a data breach for health care organizations was reported at more than $2.2 million, and for their business associates at more than $1 million.1 The top cyberthreats facing these organizations are ransomware, malware, and denial-of-service (DoS) attacks.
What is Cybersecurity?
Cybersecurity aims to protect electronic versions of sensitive information, including:2
• any data subject to legal or regulatory oversight such as medical or financial records;
• personally identifiable information that singles out an individual and could be used for identity theft or fraud;
• data that, if accessed, could lead to financial or reputational loss;
• information that leads to unauthorized access to accounts, such as usernames, passwords, and account numbers;
• data that violates confidentiality agreements;
• user or system credentials that could provide unauthorized users access to sensitive systems or resources; and
• any data protected by an organization’s policy.
A robust cybersecurity program exists to prevent consequences such as:
• fines and penalties (federal and potentially state);
• civil liabilities for breach of privacy;
• damage to the provider/patient relationship; and
• damage to the bottom line from patient turnover, drops in patient acquisition, brand damage, and time lost.
For your patients, the resulting medical identity theft can mean:3
• getting a bill for medical services they didn’t receive;
• being contacted by a debt collector about medical debt they don’t owe;
• finding medical collection notices on their credit report that they don’t recognize;
• finding erroneous listings of office visits or treatments on their explanation of benefits;
• being told by their health plan that they have reached their limit on benefits; or
• being denied insurance because their medical records show a condition they don’t have.5
Historically, when we think of cyberbreaches, we think of incidents such as Adult and Pediatric Dermatology, P.C. of Concord, MA, paying $150,000 for a HIPAA breach stemming from a stolen flash drive.6 Another memorable incident involves Memorial Healthcare System, which paid the U.S. Department of Health and Human Services $5.5 million to settle after a former employee of an affiliated physician’s office used still-valid login credentials to access the protected health information of more than 115,000 individuals, daily and without detection.7 The credentials were still active three years after the former employee had left the organization; nobody was reviewing who had access or what the account was doing.
The New Wave of Cybercrime: System Hacking
More recently, we have begun to think about cybercrime as the remote hacking of our information technology (IT) systems. A recent cybersecurity survey found that 64% of health care organizations have experienced an external cyberattack during the last 12 months.8 These attacks take several forms.
Ransomware attacks. Attackers encrypted systems at Hollywood Presbyterian Medical Center in Los Angeles and held the data for ransom.9 The hospital remained offline for over a week until hospital officials gave in to the demands and paid the equivalent of $17,000 in bitcoin.
Unsecured Internet of Things (IoT) devices. A dental practice in Toronto learned that their practice activities were being live-streamed in Russia on a site called “insecam.org,” unbeknownst to staff and patients alike.10 The practice had installed a wireless security camera system after a break-in and left the default password intact. This enabled hackers in Russia to access the live feed and stream everything that occurred in the office, which included patient and staff activities as well as clear access to private information on computer screens.
Medjacking. There is a newer and frightening kind of cybercrime known as “medjacking,” in which medical devices, collectively called the Internet of Medical Things (IoMT), are hacked directly. Vulnerabilities built into the devices themselves allow unauthorized users to remotely access, control, and issue commands to them, potentially leading to severe patient harm. For example, computer security expert Jay Radcliffe, who has diabetes, successfully hacked his own insulin pump and found serious weaknesses a cybercriminal could exploit.11 As one article notes, “By manipulating insulin pumps remotely, criminals could kill or seriously injure targets; their crime, meanwhile, would likely be able to escape detection from law enforcement unaware that insulin pumps could be hacked.”
Attackers are also infecting a wide array of medical devices with malware and using them as pivot points to launch cyberattacks on health care IT systems. Medjackers target medical devices precisely because so many of them lack basic protective measures. There are estimates that 25 billion connected smart devices will be in use within the next five years (there are almost 5 billion already),12 and a significant portion of these will be medical devices, from pacemakers to drug pumps, mobile medical workstations, in-home monitors, and personal fitness devices. These devices are already being hacked, a trend that is alarming hospitals and other health care organizations, and the newest implantable devices incorporate more complex communication and networking functions (telemetry), which only widens the attack surface.
It is true that hackers could tamper with medical devices to harm individuals, but thus far these devices are being hacked to unlock portals into larger medical systems and steal protected health information.
In June 2015, security company TrapX released reports showing that the majority of health care organizations are vulnerable to medical device hijacking.13,14 The report also detailed incidents of medjacking in three hospitals. In one, a blood gas analyzer infected with two different types of malware was used to steal passwords to other hospital systems, and confidential data was being sent (exfiltrated) to computers in Eastern Europe. In another hospital, the radiology department’s image storage system was used to gain entry to the main network and send sensitive data to a location in China. In a third hospital, hackers had installed a backdoor (code that gives the attacker persistent, covert access) in a drug pump to reach the hospital network. In each case the compromised device itself was not the prize; it was the unmonitored foothold from which the attackers reached everything else.
In 2015, the Food and Drug Administration (FDA) issued a safety communication about infusion pumps used in hospitals.15 According to the FDA, a version of a pump used to administer IV fluids was vulnerable to cyberattack in a way that could put lives at risk. Researchers had identified several critical vulnerabilities in Hospira LifeCare patient-controlled analgesia infusion systems that could be exploited by a remote attacker to take complete control of affected devices.
Security researcher Billy Rios found vulnerabilities that “would allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient.”12 Infusion pumps contain configurable embedded computer systems, and flaws in those systems can let unauthorized users remotely access, control, and issue commands to the device, potentially leading to severe patient harm. In 2017, the FDA confirmed cybersecurity vulnerabilities in St. Jude Medical’s Merlin@home Transmitter that could allow an unauthorized user remote access to a radiofrequency-enabled implanted cardiac device.16
Other kinds of devices are under attack as well. These include diagnostic equipment (positron emission tomography scanners, computed tomography scanners, magnetic resonance imaging machines, etc.), therapeutic equipment (infusion pumps, medical lasers, and LASIK surgical machines), and life support equipment (heart/lung machines, medical ventilators, extracorporeal membrane oxygenation machines, and dialysis machines). The Department of Veterans Affairs has tracked 173 medical devices infected with malware within its own system. Those reported by TrapX Security include hospital laboratory blood gas analyzers, radiology picture archiving and communication systems (PACS), and hospital X-ray systems and archives.
Why Is Our Technology So Vulnerable?
Many medical devices run on Microsoft Windows or embedded Windows variants. Windows has a long history of security vulnerabilities, and Microsoft releases fixes for them on a regular schedule (“Patch Tuesday,” the second Tuesday of every month). A medical device whose Windows image is never updated therefore accumulates publicly known, unpatched vulnerabilities, and those are exactly the holes that commodity malware is built to exploit.
Infection with computer viruses is common, both in households and in hospitals. Kevin Fu, a computer scientist and expert on medical device security, was quoted in an MIT Technology Review article in which he said the problem is “mind-boggling.”17 Fu also stated that malware is “rampant” in hospitals thanks to devices running unpatched operating systems. The story noted that Boston’s Beth Israel Deaconess Medical Center had nearly 700 pieces of equipment “running on older Windows operating systems that manufacturers will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews.”
The problem also includes backdoors designed into IoT devices. Security company Trustwave discovered a backdoor in devices made by DblTek, a Chinese firm that specializes in voice over internet protocol (VoIP) products.18 The backdoor allows an attacker to remotely open a shell with root privileges on the device.
“What’s perhaps even more worrying is that when Trustwave contacted DblTek regarding the backdoor last autumn—multiple times—patched firmware was eventually released at the end of December,” notes TechRadar.18 “However, rather than removing the flaw, the vendor simply made it more difficult to access and exploit. And further correspondence with the Chinese company has apparently fallen on deaf ears.”
Nearly every device DblTek makes has the firmware hole, and Trustwave found hundreds of these devices exposed on the internet; many other brands use the same firmware and are equally vulnerable.18,19 A second Chinese firm hid a backdoor in the firmware of Android devices.19 Security researchers at Anubis Networks found that third-party firmware included with more than 2.8 million low-end Android smartphones allows attackers to compromise over-the-air update operations and execute commands on the phone with root privileges. This was the second issue of its kind in short order: researchers from Kryptowire had previously discovered a similar secret backdoor in firmware from Shanghai Adups Technology Company,20 and the Anubis finding involved firmware from another Chinese company, Ragentek Group.
Hidden backdoors have also been found in certain Lenovo network switches.21 And security researcher Dmytro Oleksiuk uncovered a firmware vulnerability in Lenovo machines that could let attackers bypass the basic security protections of Windows.22
Beefing Up Your Wound Clinic’s Security
How do you protect yourself in this new age of medjacking? The most effective countermeasure against the medjacking of IoMT and other network-connected devices is a dedicated security layer that lets you:
• Identify every device on the network and assign it an identity profile. The result is an up-to-date inventory of 100% of your biomedical devices and equipment; you cannot protect a device you do not know you have.
• Onboard every medical device securely using the critical factors in its profile. This gives a far more granular and secure basis for network access control (for example, MAC-address-based authentication) to establish and enforce access privileges and restrictions.
• Monitor the network to detect any device exhibiting uncharacteristic behavior. Endpoint profiling provides the continuous monitoring needed to detect and thwart an attack in progress, such as a device that suddenly starts sending data to an unfamiliar external address.
• Enforce access restrictions as needed to thwart an attempted breach. Endpoint and IoMT connection security systems offer both manual and automatic enforcement options.
Cybercrime has evolved from unsophisticated methods, such as criminals taking advantage of unencrypted storage media and unprotected networks, to complex and technically proficient attacks. As the IoMT continues to proliferate, recognition of these new vulnerabilities must be part of your security framework, requiring an ever-higher level of diligence, care, and technical expertise. Recognize that not all device security is under your control: a device you cannot patch still has to be protected, so put more effort into isolating your medical devices inside a separate network segment and protecting that segment with an internal firewall that allows only specific services and IP addresses and denies everything else by default. If possible and practical, isolate medical devices entirely inside a network that is not connected to the external internet.
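As an added example (not from the article and not any vendor’s product), the following Python script shows how the device inventory and behavioral monitoring from the four points above and the default-deny internal firewall from this paragraph fit together. One allowlist profile per device (MAC address, expected IP, and the only services it may reach) is used two ways: it is compiled into an nftables ruleset for the firewall between the device segment and the rest of the clinic, and it is used to audit flow records for devices behaving out of profile. Device names, addresses, the flow-record format, and the sample flows are constructed for illustration; the HL7 MLLP and DICOM port numbers are assumptions about what a given device needs and must come from the vendor’s documentation in practice.

```python
"""Device allowlist for a medical-device VLAN, used two ways:
  1. compiled to a default-deny nftables forward policy (the internal firewall), and
  2. used to audit flow records and flag devices behaving out of profile.
Added example, not from the article. Names, addresses, ports and flows are constructed.
"""
import ipaddress
import re
from collections import defaultdict

DEVICE_VLAN = ipaddress.ip_network("10.20.1.0/24")      # assumed isolated device segment
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed clinic address space

# Inventory profile: one entry per device MAC, listing the only peers it may reach.
DEVICE_PROFILES = {
    "00:1b:63:84:45:e6": {"name": "blood-gas-analyzer-lab2", "ip": "10.20.1.15",
                          "allowed": {("10.10.0.5", "tcp", 2575)}},    # HL7 MLLP (assumed)
    "00:1b:63:84:45:f0": {"name": "infusion-pump-bay3", "ip": "10.20.1.22",
                          "allowed": {("10.10.0.9", "tcp", 443)}},     # pump server (assumed)
    "00:1b:63:84:46:01": {"name": "xray-modality-rad1", "ip": "10.20.1.40",
                          "allowed": {("10.10.0.20", "tcp", 11112)}},  # DICOM to PACS (assumed)
}


def nft_ruleset(profiles=DEVICE_PROFILES, vlan=DEVICE_VLAN):
    """Emit an nftables ruleset for the firewall between the device VLAN and the rest
    of the network: every flow not listed in a profile is logged and dropped."""
    lines = [
        "table inet medical_devices {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for prof in sorted(profiles.values(), key=lambda p: p["ip"]):
        for dst, proto, port in sorted(prof["allowed"]):
            lines.append(f'    ip saddr {prof["ip"]} ip daddr {dst} {proto} dport {port} '
                         f'accept comment "{prof["name"]}"')
    # Explicit logging drops so denied traffic shows up in the logs you monitor.
    lines.append(f'    ip saddr {vlan} log prefix "iomt-egress-deny " drop')
    lines.append(f'    ip daddr {vlan} log prefix "iomt-ingress-deny " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Flow record format assumed for this example (one flow per line).
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) mac=(?P<mac>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def audit_flows(lines, profiles=DEVICE_PROFILES, vlan=DEVICE_VLAN,
                internal=INTERNAL_NETS, exfil_bytes=5_000_000):
    """Return (severity, device, reason) findings for flows originating in the device VLAN."""
    findings = []
    external_bytes = defaultdict(int)       # bytes each device sent outside the clinic
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src not in vlan:
            continue                        # only device-originated flows are profiled
        prof = profiles.get(f["mac"].lower())
        if prof is None:
            findings.append(("high", f["mac"], f"unknown device {src} on {vlan}"))
            continue
        if prof["ip"] != f["src"]:
            findings.append(("high", prof["name"],
                             f"inventory MAC seen with unexpected address {src}"))
        is_external = not any(dst in n for n in internal)
        if is_external:
            external_bytes[prof["name"]] += int(f["bytes"])
        if (f["dst"], f["proto"], int(f["dport"])) not in prof["allowed"]:
            if is_external:
                sev = "critical"            # device talking to the internet directly
            elif dst in vlan:
                sev = "high"                # device-to-device: lateral-movement pattern
            else:
                sev = "medium"              # unexpected internal service
            findings.append((sev, prof["name"],
                             f"out-of-profile connection to {dst}:{f['dport']}/{f['proto']}"))
    for name, total in external_bytes.items():
        if total >= exfil_bytes:
            findings.append(("critical", name,
                             f"{total} bytes sent outside the clinic (possible exfiltration)"))
    return findings


# Constructed flow records: one clean flow per device plus three anomalies.
SAMPLE_FLOWS = """\
2018-07-01T10:00:02Z src=10.20.1.15 mac=00:1b:63:84:45:e6 dst=10.10.0.5 proto=tcp dport=2575 bytes=8120
2018-07-01T10:00:05Z src=10.20.1.15 mac=00:1b:63:84:45:e6 dst=203.0.113.7 proto=tcp dport=443 bytes=6200000
2018-07-01T10:00:09Z src=10.20.1.22 mac=00:1b:63:84:45:f0 dst=10.10.0.9 proto=tcp dport=443 bytes=1500
2018-07-01T10:01:12Z src=10.20.1.40 mac=00:1b:63:84:46:01 dst=10.20.1.22 proto=tcp dport=445 bytes=9000
2018-07-01T10:02:00Z src=10.20.1.77 mac=b8:27:eb:11:22:33 dst=10.10.0.5 proto=tcp dport=2575 bytes=300
""".splitlines()

if __name__ == "__main__":
    print(nft_ruleset())
    for sev, dev, why in audit_flows(SAMPLE_FLOWS):
        print(f"[{sev}] {dev}: {why}")
```

Run against the constructed flows, the audit reports the blood gas analyzer sending a large volume to an outside address (the TrapX exfiltration pattern), the X-ray modality opening SMB to the infusion pump (lateral movement between devices that should never talk to each other), and an unknown MAC on the device segment. The generated firewall policy would have blocked the first two before they happened; the audit is what tells you the policy is being tested. Keep the profile under change control and review it when devices are added or retired, since an allowlist that nobody maintains quietly becomes either a blocker or a blank check.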
Consider managing access to your medical devices, especially through USB ports and Bluetooth access. Avoid allowing any medical device to provide USB ports for staff use without additional protections.
Consider implementing a strategy to review and remediate your existing medical devices. Many of these devices may already be infected and creating risk for your practice and your patients. Implement a strategy to maintain the most current software and hardware fixes provided by the manufacturer of each device.
It is also important to have a strategy to retire any IoMT device at its end of life. Many medical devices have been in service for years. Retire devices as soon as possible if they have older architectures and no viable strategy for dealing with the newer attack methods described here as medjacking. Then acquire new devices with the necessary protections from manufacturers that can comply with your requirements.
Finally, implement a strategy to procure medical devices from a vendor only after a review with the manufacturer that focuses on its cybersecurity processes and protections. Conduct quarterly reviews with all your medical device manufacturers.
In this new age of cybercrime, following these suggestions will give you the greatest level of success in staying ahead of the attacking cyber criminals.
Roger Shindell is chief executive officer of Carosh. He is also chairman of the HIMSS Risk Assessment Work Group and is a member of AHIMA’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in health care and has served as an advisor and principal in health care, technology, and service companies. He may be reached at firstname.lastname@example.org.
1. Ponemon Institute. Annual Benchmark Study on Privacy & Security of Healthcare Data. May 2018.
2. Photopoulos C. Managing Catastrophic Loss of Sensitive Data: A Guide For IT and Security Professionals. 1st ed. Syngress; 2008.
3. TrendLabs. Follow the data: dissecting data breaches and debunking myths. Trend Micro analysis of Privacy Rights Clearinghouse, 2005–2015. https://documents.trendmicro.com/assets/wp/wp-follow-the-data.pdf. Published 2015.
5. Federal Trade Commission. Medical identity theft: FAQs for health care providers and health plans. https://www.ftc.gov/tips-advice/business-center/guidance/medical-identity-theft-faqs-health-care-providers-health-plans .
6. U.S. Department of Health & Human Services. HHS settles with health plan in photocopier breach case. Updated June 7, 2017. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/apderm/index.html .
7. U.S. Department of Health & Human Services. $5.5 million HIPAA settlement shines light on the importance of audit controls. February 16, 2017. https://www.hhs.gov/about/news/2017/02/16/hipaa-settlement-shines-light-on-the-importance-of-audit-controls.html.
8. Healthcare Information and Management Systems Society. 2015 HIMSS cybersecurity survey. Executive summary. June 30, 2015. http://s3.amazonaws.com/rdcms-himss/files/production/public/FileDownloads/2015-cybersecurity-executive-summary.pdf .
9. Winton R. Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating. Los Angeles Times. February 18, 2016. https://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html .
10. TrapX Security. Anatomy of an attack – the internet of things. https://trapx.com/the-internet-of-things-iot/ .
11. Ungerleider N. Medical cybercrime: the next frontier. Fast Company. August 15, 2012. https://www.fastcompany.com/3000470/medical-cybercrime-next-frontier .
12. Zetter K. Hacker can send fatal dose to hospital drug pumps. Wired. June 8, 2015. https://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/ .
13. TrapX Security. Anatomy of an attack—medical device hijack (medjack). May 7, 2015. https://trapx.com/trapx-labs-report-anatomy-of-attack-medical-device-hijack-medjack/ .
14. TrapX Security. Anatomy of an attack: Hospitals under siege. https://www.scmagazine.com/wp-content/uploads/sites/2/2018/07/trapx_medjack2_60312.pdf.
15. McGee MK. FDA: Discontinue use of flawed infusion pumps. CareersInfoSecurity. August 3, 2015. https://www.careersinfosecurity.com/fda-discontinue-use-flawed-infusion-pumps-a-8449.
16. U.S. Food and Drug Administration. Cybersecurity vulnerabilities identified in St. Jude Medical’s implantable cardiac devices and Merlin@home Transmitter: FDA safety communication. January 9, 2017. Updated October 18, 2017. https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-identified-st-jude-medicals-implantable-cardiac-devices-and-merlinhome .
17. Talbot D. Computer viruses are “rampant” on medical devices in hospitals. MIT Technology Review. October 17, 2012. https://www.technologyreview.com/2012/10/17/183245/computer-viruses-are-rampant-on-medical-devices-in-hospitals/ .
18. Allan D. Dangerous backdoor exploit found on popular IoT devices. TechRadar. March 2, 2017. https://www.techradar.com/news/dangerous-backdoor-exploit-found-on-popular-iot-devices
19. Farrell N. Chinese Internet of things gear has a backdoor. Fudzilla. March 6, 2017. https://www.fudzilla.com/news/43034-chinese-internet-of-things-gear-has-a-backdoor .
20. Apuzzo M, Schmidt MS. Secret back door in some U.S. phones sent data back to China, analysts say. New York Times. November 15, 2016. https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html .
21. Systems Support. Backdoor in certain Lenovo switches discovered. Systems Support. January 26, 2018. https://www.systemsupport.com/2018/01/26/backdoor-in-certain-lenovo-switches-discovered/ .
22. Cooper D. Critical security flaw found in Lenovo PCs … again. Engadget. July 4, 2016. https://www.engadget.com/2016-07-04-critical-security-flaw-found-in-lenovo-pcs-again.html .