The health care industry provides an alluring target for malicious hackers. Personal health information has a much longer shelf life than financial information, making it a major draw for identity thieves. But a new and more troubling threat has arisen: the potential disruption of critical hospital systems by cybercriminals.
With a diverse array of digital systems, hospitals have evolved into complex technology operations. Yet they remain singularly ill-prepared to defend against attacks, in part because the multiplicity of systems creates a larger attack surface.
Spurred by massive breaches at health care giants -- and security research that has uncovered vulnerabilities in medical devices from insulin pumps to pacemakers -- the focus has shifted from data security alone to protecting a range of medical technology. Attackers can cause chaos and damage as they romp through hospital networks, which have their own special varieties of vulnerable endpoints.
The ransomware attacks that crippled Hollywood Presbyterian Medical Center in Los Angeles and Methodist Hospital in Henderson, Kentucky, weren't about pilfering confidential patient records. The intent was to bring these hospitals to a standstill -- which is exactly what happened. Medical staff couldn't access patient records, share surgery directives, or otherwise communicate with each other. Poor endpoint security and weak network protections made such successful attacks almost inevitable.
Health care under siege
Health care is intensely personal, both in patient disorders and their treatments and in the interactions between patients and doctors, caregivers, and support staff -- most of which are documented and stored digitally.
But modern health care is also extremely technical. Specialized systems care for patients without moving them, robots perform actual surgery, and doctors rely on sophisticated equipment such as ECG, ultrasound, X-ray, CT, and MRI machines. These machines are computers, complete with operating systems, software applications, and network connectivity.
No one needs to launch a Stuxnet-like attack against a health care facility to disrupt medical care. A network worm can be just as devastating.
Consider Conficker, the fast-spreading Windows worm that is believed to have infected more than 11 million machines since 2008 and is still successfully infecting unpatched Windows systems. Researchers in 2009 found that Conficker had infected more than 300 hospital devices, including MRI systems, across a dozen hospitals in the United States. Conficker also shut down an entire sleep lab in a New Jersey hospital in 2010, requiring all patients to be rescheduled and costing the hospital about $40,000 to recover from the infection.
Hospitals have found malware infections on medical equipment such as imaging devices, eye exam scanners, and electrocardiograph stress analyzers.
Even with the diversity of equipment and installed applications, health care IT has the same requirements as traditional IT to close off potential avenues of attack, says Dave Palmer, a retired member of British intelligence agencies MI5 and GCHQ and current Director of Technology at cyberintelligence firm Darktrace. Don’t forget that these organizations also have traditional enterprise systems to access payroll and accounting, communicate between departments, and support file-sharing and collaboration, as well as the challenges of employees and patients bringing personal devices into the facility.