The Second Vector of a Healthcare Cyber Attack - Connected Medical Devices

By Ryan Witt | April 10, 2015

Recently, I wrote about the three vectors of a healthcare cyber attack. This is the second of a three-part series examining each vector in depth.

Over the past couple of months, I’ve written about the three vectors of a healthcare cyber attack. Most recently, I looked in depth at the first vector, what we usually think of as “traditional attacks and malware”. These sorts of attacks continue to make headlines, but as healthcare evolves and increasing numbers of medical devices begin feeding data directly into health information systems, the second vector is going to start getting a lot more attention. Connected medical devices have the potential not only to let hackers into our systems but also to be turned to even more nefarious attacks.

The potential benefits of connected, networked medical devices are well understood and growing as the technology matures. A recent survey of nurses by the WestHealth Institute cut through issues of convenience and efficiency and right to the heart of patient care:

“Among [the 526 surveyed] nurses, three in five (60 percent) said medical errors could be significantly reduced if medical devices were connected and shared data with each other automatically. This problem could be addressed by the widespread adoption of open communications standards that allow for the safe and secure exchange of data.”

And there’s the rub - “The safe and secure exchange of data” seems a completely reasonable requirement when we have protected health information flying about on hospital networks, over the Internet, and into cloud-based health information systems, but it’s far easier said than done, particularly considering the scale and rapid growth of connected medical devices.

An article in Wired last year asked if connected medical devices were leading the IoT revolution or if it was the other way around. Chicken or egg questions aside, the Internet of Medical Things is exploding. In a 2014 presentation to the American Bar Association on eHealth Privacy and Security, Kevin McDonald, Director of Information Security at the Mayo Clinic, noted that 1 in 4 medical devices are now connected to a network. That’s over 4 networked devices on average per US hospital bed, almost three times as many as a 2011 study by the Association for the Advancement of Medical Instrumentation (AAMI) found.

These devices can range from heart monitors to IV pumps. Medical imaging devices like CT scanners and MRI machines are networked, as are automated pharmacy systems. Suffice it to say, the potential attack surface is exceptionally large. That attack surface is also inherently insecure. A large number of these devices run either standard or embedded versions of COTS operating systems, including Windows XP (toolkits and runtime components for XP Embedded are still being supported by Microsoft). Others are custom one-offs, frequently with Linux or Java at their core, and too often they weren’t designed from the ground up for security.

The lack of data interchange standards certainly hasn’t helped the security issue either. These devices can be wired or wireless, WiFi or Bluetooth, and too many are ripe for hacking.

Unfortunately, insecure endpoints, whether a pulmonary function machine or a heart monitor, are designed to feed data directly into the very centralized systems that hackers frequently target. Those systems are goldmines for cybercriminals, with everything from patient medical histories to addresses to social security numbers, and researchers have repeatedly demonstrated the ability to compromise the devices and ride their connections straight into health information systems. They are like IVs into hospital databases.

Researchers have gone beyond compromising the devices for access to electronic health records, though. The ability to physically harm patients with connected insulin and IV pumps has been well documented by white hat hackers. One could imagine a variety of nightmare scenarios with these sorts of vulnerabilities, and I expect that we will see the first such attack sometime this year. Perhaps a hacker will take over an ICU or a refrigeration system housing blood and vital medications, holding a hospital or even a patient hostage. However it plays out, healthcare organizations will experience not only additional cybercrime but, for the first time, cyberterrorism.

The solution? It’s threefold:

  • Design connected medical devices for security first. Security must be absolutely baked into their operating systems and software.
  • Create standards for secure information exchange between devices and health information systems
  • Protect healthcare networks - at the edge, near the core, and around connected devices. Protection can’t just be for PCs and mobile devices in healthcare settings. It must extend to the much wider range of endpoints appearing in hospitals and clinics worldwide.

We can no longer afford to leave advanced levels of network protection to big businesses and large enterprises. Healthcare networks are enterprise networks and are arguably among the most complex and important. Protecting them from cyber threats means implementing sophisticated solutions, ranging from internal network firewalls to advanced threat protection technologies.

To continue the conversation, please stop by the Fortinet booth #7678 at HIMSS15 to speak with any of our Fortinet Healthcare and Network Security experts.
