Medical devices and other hospital and healthcare systems need some serious security upgrades to weather the coming onslaught of malicious hacking, according to the FBI’s Cyber Division.
With an impending deadline to shift to electronic medical records, which fetch a high price on the black market, healthcare systems are an increasingly alluring target for cyber-criminals.
"The deadline to transition to EHR is January 2015, which will create an influx of new EHR coupled with more medical devices being connected to the internet, generating a rich new environment for cyber criminals to exploit," according to an unclassified FBI report. "The health care industry is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures, much less against more advanced persistent threats."
No targeted medical device hacks have been reported outside of research settings, but security analysts have found that many U.S. hospitals and their medical devices have been infiltrated by malware. Many systems remain infected as hacks go undetected, according to a report released earlier this year by Norse.
Medical devices such as radiology imaging software and X-ray machines are vulnerable to attack even if they don’t contain sensitive patient information. The vast majority of networked medical devices in hospitals today have minimal security protections, and "once medical devices are compromised, malicious traffic is transmitted through VPNs and firewalls" to other systems, the FBI said.
Perhaps the biggest vulnerability is healthcare IT officials’ belief that their systems are secure enough already.
"The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely," according to the federal memo.
Healthcare industry security reports released over the last year put the black market value of a partial electronic health record at $50 apiece, compared with $1 for a stolen credit card or Social Security number. Criminals can use EHR data to file fake insurance claims, get prescription drugs and "advance identity theft," and EHR fraud takes nearly twice as long to detect as normal identity theft.
Financial gains aren’t the only reasons that attackers may target healthcare systems. The infamous and inscrutable hacker group Anonymous recently made threats against Boston Children’s Hospital, calling on internet activists to bombard the hospital’s website with a flood of traffic to disrupt its online services. The group is demanding that BCH fire one of its doctors over the controversial detainment of a pediatric patient made a ward of the state.
Cyber-attacks that attempt to overload servers with a flood of requests, sometimes called "denial of service" or DoS attacks, aim to disrupt an organization’s workflow by wiping out access to cloud-based tools and resources. Programmers can insulate their systems from such attacks by ensuring that servers and devices aren’t permanently knocked out after being bombarded, but recent testing has shown that many medical devices lack such protections.
Researchers at SecureState reported last year that their penetration testing found devices such as IV pumps and X-ray machines to be vulnerable to this fairly rudimentary form of attack. Earlier last year a pair of security researchers used a DoS hack to demonstrate that a Philips (NYSE:PHG) Xper hospital management system could be infiltrated and "owned" fairly easily.
Researcher and expert medical device hacker Florian Grunow told an audience at the European DeepSec conference last year that medtech vendors simply aren’t interested in security until they’ve been hacked or experienced some other digital dilemma that forces their hands.
Not many device makers have spoken openly about their interest (or lack thereof) in digital defenses, but industry titan Medtronic (NYSE:MDT) has said on more than one occasion that medtech cybersecurity is a "high priority" for the company. Medtronic later reiterated its commitment in a manifesto on cybersecurity, promising to keep a close eye on its devices and take action on any new vulnerabilities it discovers.