In recent months, concern has been growing over the lack of medical equipment cybersecurity protections in place at hospitals and medical centers. Healthcare providers are being targeted by cybercriminals for the confidential data they store on patients. Medical devices, and their associated computer hardware, could potentially be targeted by cybercriminals. Medical device security is often overlooked by health IT professionals, and the manufacturers of the devices often fail to make their equipment secure.
Healthcare providers store Social Security numbers, health insurance data, financial information, and the personal information of patients. These data have a high value on the black market as they can be used by criminals to commit identity theft and a multitude of fraud.
Cyberattacks on hospitals and health insurers are increasing, and while cybersecurity protections as a whole are improving, the industry still lags behind other industry sectors when it comes to implementing robust cybersecurity protections. Numerous security vulnerabilities are often allowed to exist, making it relatively easy for hackers to take advantage.
Medical equipment cybersecurity is particularly lax. The devices may not provide easy access to the types of data sought by identity thieves in some cases, but they are networked. If access is gained, attacks on other parts of a healthcare network could take place.
If hackers are able to gain access to a medical device a considerable amount of harm could be caused. A malicious hacker could alter or delete data, crash the device, or steal data stored on the device or the computer connected to it. If settings can be altered patients could be seriously harmed. Doses of medication could be altered or medical diagnoses or test results changed, with disastrous consequences for the patient.
Expensive equipment could be sabotaged or the devices could be locked with ransomware. The ransomware infection of Hollywood Presbyterian Medical Center this month shows that the threat of malware is very real. In fact, attacks on hospitals can be very lucrative for hackers. The hospital recently paid $17,000 for security keys to unlock its EHR system after a ransomware infection took it out of action.
How Bad Are Medical Equipment Cybersecurity Protections?
So how bad are medical equipment cybersecurity protections? Recently, Sergey Lozhkin of Kaspersky Lab decided to find out. He recently announced the results of his attempts to hack medical devices at the 2016 Security Analyst Summit (SAS 2016) in Tenerife.
Lozhkin set out to hack a hospital and succeeded in doing just that by exploiting a lack of medical device cybersecurity protections at a hospital. The hack started with a search using the Shodan search engine. Lozhkin discovered a number of hospital devices and contacted the owner. Along with his friend, he decided to conduct a penetration test to see just how easy it was to gain access to the devices. The senior managers of the hospital were aware of the test and secured real data to prevent any unauthorized disclosure or data loss as a result of the test.
The first attempt at hacking the medical devices failed. The hospital’s systems administrator had done a good job of securing systems from external attack. However, the second attempt at hacking was successful. Lozhkin decided that instead of attacking from home, he would travel to the hospital and try to attack from within. However, physical access to the hospital was not necessary. He was able to hack the hospital from his car, since he could park outside and gain access to the hospital’s local Wi-Fi network.
Once he hacked the network key he was able to gain access to a tomographic scanner. By exploiting a vulnerability in an application he gained access to the file system of the device and was able to view (fake) patient data. The real data had been secured prior to the test. In this case, the hack was possible because the hospital’s systems administrator had made a fundamental mistake, having connected a medical device to the hospital’s public WiFi network.
Forget Medical Equipment Cybersecurity Protections at your Peril
If medical equipment cybersecurity protections are insufficient, it may be hacktivists or data thieves that gain access to data rather than pen testers. Hospitals must ensure that medical equipment cybersecurity protections are put in place, but security must also be tested to ensure cybersecurity defenses actually prevent access to medical devices and the sensitive data they contain.
Better medical equipment cybersecurity protections must also be incorporated into the design of medical devices by the manufacturers to make sure medical equipment is harder to hack.
