Unsecured medical devices represent an increasing risk for hospitals, with radiology imaging systems in particular named as a prominent "attack surface" for digital attackers.
Cybersecurity researchers at Norse released their report on the "epidemic of compromises at healthcare organizations," flagging radiology equipment, patient monitoring systems, and Internet-facing surgical and anesthesia devices as especially vulnerable elements of hospitals’ networked systems.
"The data analyzed was alarming," Norse researchers wrote. "It not only confirmed how vulnerable the industry had become, it also revealed how far behind industry-related cybersecurity strategies and controls have fallen."
Surprisingly, the most vulnerable elements of a hospital’s network appeared to be the security systems themselves, with virtual private networks and firewalls named the "biggest culprits" for emitting malicious traffic. Radiology imaging systems were in 4th place, after contact call centers and before video conferencing systems. Other vulnerable points included everything from printers and fax machines to surveillance cameras that could all be hacked relatively easily and used to access the hospital’s network.
The researchers collected data for a period of 13 months, reporting a total of nearly 50,000 "malicious events" affecting 375 U.S. healthcare organizations and coming from 723 different IP addresses. Some organizations were compromised the entire time, meaning they never caught wind of the breaches, Norse said.
"Health care’s critical information assets are poorly protected and are often compromised," the report concluded. "Edge security and access systems, medical devices, video imaging systems and call centers have all been suborned in compromises that, in some cases, went on for the duration of the data collection period of 13 months."
Exacerbating the issue are regulatory concerns that prevent device makers from updating their systems when vulnerabilities are discovered. One such rampant vulnerability is the persistence of hard-coded device passwords that grant any user high-level access and that the hospitals themselves are powerless to remove. Those passwords can often be found with a simple internet search, Norse said.
Once those devices are infiltrated they can be maliciously manipulated to potentially harm patients or used to access the rest of the hospital system, including patient medical records and payment information. A report released earlier this month found that sensitive information from a trio of New York hospitals had been discovered on a hacker data-trading website, putting patient records at risk.
Patient medical records can reportedly earn $60 apiece on the black market, 3 times as much as credit card information, as criminals can use the information to commit more valuable Medicare and prescription drug fraud.
Hospitals and other healthcare stakeholders have grown increasingly concerned about the security of their Internet-connected systems, including machines such as infusion pumps and patient monitors that communicate over the hospital’s network, but getting manufacturers interested has been a struggle, according to some cybersecurity experts.
Researcher and expert medical device hacker Florian Grunow told an audience at the European DeepSec conference last year that medtech vendors simply aren’t interested in security until they’ve been hacked or experienced some other digital dilemma that forces their hands.
Not many device makers have spoken openly about their interest (or lack thereof) in digital defenses, but industry titan Medtronic (NYSE:MDT) has said on more than one occasion that medtech cybersecurity is a "high priority" for the company. Medtronic later reiterated its commitment in a manifesto on cybersecurity, promising to keep a close eye on its devices and take action on any new vulnerabilities it discovers.