Kristina Grifantini, MS
Writer & Editor, Southern CA
The Healthcare Industry is Seeing an Increase in All Kinds of Cyber-Attacks
It could be as simple as a hospital worker downloading an app on a personal cell phone during a lunch break. That phone—or the hundreds of other unsecured devices in a hospital—can be an entry point for hackers to wriggle their way into the hospital’s network, enabling them to encrypt data like patient records. This encryption holds the entire infrastructure of the hospital hostage. Only the hackers hold the decryption key and will share it—for a price.
Ransomware and other cyber-attacks on health centers have been in headlines lately due to the potentially devastating impact they can have on services and the seemingly rapid frequency in attacks. In 2016, cyber-attacks affected Hollywood Presbyterian Medical Center, MedStar Health, which operates nearly a dozen hospitals in the DC area, Kentuckybased Methodist Hospital, Ottawa Hospital, Prime Healthcare Services Inc.’s Chino Valley Medical Center and Desert Valley Hospital of Victorville and many others.
Ransomware is just the latest in cyber-attacks on healthcare systems. Hospitals and medical facilities face additional threats that all industries have to contend with: phishing, malware, theft of personal data records and other malfunctions of equipment or networks.
As with any industry, better training of the IT team and proper antiviral software installation can go a long way toward ensuring cyber-safety. However, healthcare settings have seen more attacks than other industries in recent times, so much so that the Department of Homeland Security Science and Technology Directorate just awarded a consortium $1.8 million to develop technology to defend medical devices from cyber-attacks.
Holes in the Machine
Why are hospitals so susceptible to cyber-attack? One major reason: the industry’s lack of spending on security— in part because of the focus on HIPAA compliance and patient privacy—has caused cyber defenses to lag. Additionally, the healthcare setting has distinct features that make it more challenging to secure a system than, say, a banking or communications setting. In particular, healthcare often needs to err on the side of being “open” to ensure that barriers to data and information are low, as patient safety is on the line.
“Healthcare has traditionally been reluctant to add too many security controls into their systems because of the concern that they may cause problems on their own,” says Axel Wirth, distinguished technical architect of the security software company Symantec. “Healthcare is traditionally an open industry where easy and fast access to information can be a matter of life or death.”
One example of a security measure interfering with patient delivery is the Merge Hemo programmable diagnostic computer, used for cardiac procedures. According to the FDA’s adverse event report, in the middle of a heart catheterization procedure, the device went blank for about five minutes and had to be rebooted. It turns out anti-malware software was performing its hourly scan. While the procedure was successful, the FDA report acknowledges that there “was a potential for a delay in care that results in harm to the patient.” The device was misconfigured and should have never scanned during the procedure, according to the manufacturer. However, the incident illustrates why healthcare professionals have been reluctant to add more security features.
“As with any highly complex system, the more components the more likely it is that something goes wrong, be it due to a technical failure or users being overwhelmed with complexity,” says Wirth. “Implementing security controls has to be done very carefully not to risk impeding on care delivery.” For example, when a user enters an incorrect password or pin number several times and gets locked out of a system, this is typically a minor inconvenience for most professionals or consumers. But if this were to happen to a doctor during an emergency procedure it could have a grave impact on patient wellness.
“Devices and records have to be accessible to many providers. They have to not hinder care in the event of a failure,” adds Christoph Lehmann, a medical doctor and professor of biomedical informatics and pediatrics at Vanderbilt University. “The fact that so much valuable information is stored in one place makes healthcare settings an attractive target. Also, the large number of workstations and the relative little training for many employees increases the risk.”
The Year of the Ransom
Ransomware in healthcare: The image in Figure 1 shows the “Locky” ransomware running on a medical imaging machine in Virta Labs’ test environment. (Photo credit Virta Labs.)
|David Kotz (right) and Timothy J. Pierson (left) developed “Wanda,” a prototype that lets users easily and securely connect healthcare devices. Photo credit: Eli Burakian, Dartmouth College|
In February 2016, hackers infiltrated and locked down the computer system of Hollywood Presbyterian Medical Center in Los Angeles using Locky ransomware. Despite enlisting help from the FBI, the hospital allegedly had to rely on paper medical records and turn away new patients due to the turmoil. Ransomware, such as Locky, CryptoWall and CryptoLocker, are malware programs where, once it gets into a system through an insecure link or malware attack, can restrict and encrypt data, effectively holding the information ransom until an amount is paid (often through bitcoin, a digital currency that is hard to trace).
The malware was said to affect some of the center’s systems used in the emergency room and to operate testing machines such as CT or MRI machines. After almost two weeks of crippled operations, Hollywood Presbyterian paid a $17,000 ransom because lives were at stake and law enforcement did not have a better solution, according to James Scott, co-founder and senior fellow of the Institute for Critical Infrastructure Technology.
“However, by paying the ransom, the hospital inadvertently signaled to threat actors that healthcare organizations were easy and profitable targets. After Hollywood Presbyterian, ransomware attacks became more prevalent,” says Scott. “All of these attacks are part of a deeper systemic problem: hospitals lack the cyber-hygiene and layered defenses necessary to mitigate the risks posed to them.”
Indeed, Symantec has data confirming the number of breaches and incidents in healthcare are higher than in other industries. “For example, most recently we have seen an uptick in ransomware attacks,” says Wirth. “It’s like the bad guys realized that there’s a lot of money to be made because when hospital computer systems are shut down, their reputation and revenue suffer and it potentially becomes a health crisis, so they will likely pay.” The hackers, he adds, tend to operate in well-organized groups and can originate from anywhere around the globe and attack any healthcare facility, no matter how small or remote. This is especially concerning in light of the flourishing underground market for hacking services, malware, tools and data.
The FBI put out an alert on ransomware in February advising companies not to pay the ransom because it can encourage more criminal activity. “But this puts healthcare providers in a difficult position because a lot of them have not prepared for these attacks by implementing appropriate backup and malware systems,” says healthcare attorney Ashley Thomas of the law firm Hall, Render, Killian, Heath & Lyman.
The FBI’s Internet Crime Complaint Center has reported that ransomware, Cryptowall, has been a source of 992 complaints from April 2014 to June 2015 with total losses at more than $18 million. But, says Thomas, ransomware attacks are likely happening far more than is reported since there isn’t a federal law requiring hospitals to report ransomware attacks or even notify patients. “There is debate in the healthcare legal community now on whether ransomware should be considered a data breach for purposes of notification under HIPAA,” says Thomas.
Hospitals are the new target for these kinds of attacks, but anyone who has a digital system—such as parents with pictures on their computer or teenagers with saved video games—could be viable targets.
Assassination Through Pacemaker
In a 2013 interview on CBS’s 60 Minutes, former U.S. Vice President Dick Cheney reported that doctors disabled his pacemaker’s wireless connection to prevent personal lethal attacks. Such cyber-assassination attempts have never been reported, though they have been depicted in fiction and remain a potential, though unlikely, threat, according to experts. In tests, researchers were able to exploit security weakness in devices to, for example, change the amount of insulin released from a pump or change the output of a pacemaker, bypassing security features and alerts.
But, says Kevin Fu, associate professor of computer science and engineering at the University of Michigan and chief scientist at Virta Labs, the threat of such personalized medical attacks have been blown out of proportion by the media. “Patients shouldn’t be running for the hills—they are still far better off with these devices than without,” he says. “While pacemaker security has room for improvement, the bigger risk is widescale unavailability of patient care because of poor cybersecurity hygiene during manufacturing and delivery of care. We click on links. We share USB drives. We install ransomware. Malice is not a prerequisite to harm. It’s basic hygiene.”
Fu, who runs the Archimedes Center for Medical Device Security, focuses on improving the manufacturing of medical devices to prevent these kinds of individual attacks as well as vulnerabilities that medical devices can introduce into larger hospital systems. The team surveys a vast array of devices, including pacemakers, percolators, infusion pumps and radiological and imaging systems. “We want to have security built in rather than bolted on,” says Fu. “The good news is most of the device companies are beefing up cyber-security programs.” It took 165 years for the medical community to appreciate the importance of hand washing, Fu points out, so it will take some time for the industry to get onboard with cyber “hygiene” as well.
Rather than being used to alter or attack the health of individuals, medical devices are much more likely to be used as the point of entry into a networked system where hackers can install malware. The abundance of networked or wireless devices adds insecure components to a networked system that can be the weak points of entry into a system. These devices include diagnostic equipment (such as MRI machines or CT scanners), X-rays, infusion pumps, surgical devices, ventilators, dialysis machines and more.
In a 2015 report, the cybersecurity defense company TrapX found that a malware program called MEDJACK (for “medical device hijack”) infected hospitals by infiltrating medical devices. In one example, a hospital had robust antiviral software overall, but attackers infected blood gas analyzers and extracted confidential data from the larger computer system. This one example illustrates how hospitals may be crawling with more cybernetic bugs than administrators realize.
“What’s really missing for hospitals is security tools that fit the clinical workflow,” says Fu. “There are a lot of really great tools out there, but they do not sit well in a clinical environment. They tend to cause medical devices to flop over, lock up or reboot. But if you can’t measure your risks and assets it’s hard to protect a system.”
Software called vulnerability scanners look for weaknesses in enterprise programs, but when hospitals run these they often find out they have hundreds of security problems and no solutions to fix them. To combat this, Fu’s company, Virtua Labs, developed a piece of software, currently in beta testing, called Blue Flow, which helps hospitals measure their security risks and discover which devices are susceptible to virtual threats.
Going Once, Going Twice: The High Worth of a Medical Record
In 2015, several high-profile cyberattacks compromised millions of patient records from UCLA Health System and, earlier in the year, health insurance company Anthem. Patient health records, it turns out, are valuable commodities on the black market. “We know from various data sources that the value of healthcare data—which can include names, addresses, physical descriptions and next of kin—is multiple times higher in the underground economy as compared to credit card info because it’s more complete,” says Wirth. “You can cancel a credit card if it’s stolen but you can’t cancel your medical record.”
And it’s not just large hospitals that are at risk. Data can be stolen from smaller practitioners and even people’s homes. David Kotz, Champion International Professor in the department of computer science at Dartmouth College, is working on a device to help smaller medical practices and patients protect their networks.
“My focus is on making wearable devices more secure and helping people understand how their data is collected, stored and accessed,” says Kotz. “There’s a lot of work to be done to make vendors of devices think about cybersecurity and ensure their devices are safe. We also need to make it easier for people to manage devices and do it correctly.”
Kotz developed a wand-shaped security device called Wanda to help with easily improving security. Funded by the National Science Foundation and part of the Trustworthy Health and Wellness (ThaW) consortium, Wanda securely connects nearby devices to a Wi-Fi network.
Users can point the wand within 6-8 inches of a device that’s Wi-Fienabled and the wand transfers network settings—including complex passwords that will hinder cyber-attacks—to a new device. It can also connect two devices, such as a smart treadmill to a Bluetooth television. “The problem today is that people choose guessable or no passwords or leave their networks wide open,” says Kotz. Part of the lack of security is that many users don’t want to take the time and effort to properly configure new devices or—particularly in the cases of limited interfaces—simply don’t know how. “With Wanda, we can let users express intentionality by pointing, which is something everyone understands intuitively.”
Kotz says devices like Wanda can help smaller organizations that need to manage increasing numbers of networked devices, as small clinics with a doctor or a few nurses typically don’t have full-time tech support to configure and manage the many devices. His team is improving the device and has a patent pending.
Other future problems with cyberattacks include the increased use of telemedicine and even telesurgery, both of which have the potential to transform healthcare in remote or underserved areas. However, with the advent of more network-based medical solutions, there are likely to be hackers ready to exploit such systems if they are not properly protected. As devices and healthcare technologies continue to advance and become more common, hospitals, medical practitioners, patients and device manufacturers must together prioritize cyber-safety to protect data, resources and lives.