In past researches, information security training experts examined internet-connected medical-related devices and systems such as databases, hospital admin consoles, and medical devices. The professionals also looked into the supply chain, which has been an attack vector that is often overlooked.
Based on research into cyberthreats against hospitals, they have identified three broad areas of interest that are at high risk of being targeted by cybercriminals.
- Hospital operations: The cyberthreats against everyday critical systems such as staff scheduling databases, hospital paging systems, building controls, pneumatic tube transport systems, inventory systems, payroll, administration, etc.
- Data privacy: Cyberthreats against different types of data such as personally identifiable information (PII), for both patients and hospital employees, including patient diagnosis and treatment data; insurance and financial information; research and drug trial data; payroll; intellectual property (IP), etc.
- Patient health: These encompass cyberthreats against medical devices and systems that are used for the treatment, monitoring, and diagnosis of patients, as well as cyberthreats against the hospital information system (HIS).
Healthcare institutions in the U.K. were found not up to cybersecurity standards when National Health Service (NHS) trusts were affected by the WannaCry ransomware in May 2017. According to the National Audit Office report on the incident, the attack managed to compromise a total of 37 trusts, indirectly disrupt 44 more trusts, and infect 603 primary care and other NHS organizations, throwing the entire healthcare system of the U.K. into disarray for a couple of days. Thus, it may be valuable to examine why hospitals would have poor cybersecurity. Some of the possible reasons put forward include the following:
- The purpose of a healthcare facility is patient care and that is where the bulk of resources are invested, leaving a little budget available for cybersecurity spending.
- Hospital computers and diagnostic equipment have many users, e.g., doctors, nurses, and technicians, who rotate regularly within the hospital. This makes incorporating strict cybersecurity policies and authentication procedures very difficult, especially if those policies impede daily operations.
- Diagnostic equipment is extremely expensive and hospitals cannot afford to have their medical devices offline for prolonged periods for maintenance. In some cases, modifying medical device settings or updating their embedded OS will void the device’s certification, warranty, and insurance coverage, so medical devices remain untouched.
- Expensive diagnostic equipment is not replaced regularly as long as they are functioning correctly. These devices and systems may no longer have support or would be costly to replace.
- Diagnostic equipment manufacturers are responsible for ensuring their equipment meet the HITRUST CSF® guidelines for medical devices. Given the CSF is regularly updated, older medical devices that are still being used in hospitals may not meet the requirements.
- Not all hospitals have a dedicated cybersecurity response team. In most hospitals, the IT staff does double duty: They investigate and mitigate cyberattack incidents, as well as provide general IT services to the hospital. This setup has the critical drawback of spreading resources thin for both functions.
These observations are evident in the major findings. For the research, information security training professionals searched for exposed devices in hospitals and clinics using Shodan, a search engine for internet-connected devices. The analysts found Digital Imaging and Communications in Medicine (DICOM®) systems exposed to the internet, including those owned by 21 universities. These systems can expose images for procedures such as CT (computed tomography), MRI (magnetic resonance imaging), and PET (positron emission tomography) scans, ultrasound, X-ray, fluoroscopy, angiography, mammography, and endoscopy.
Exposed medical systems potentially jeopardize critical data such as patients’ PII and medical records. The United States has the most exposed DICOM servers according to our findings in Shodan. While a device or system being exposed does not necessarily mean that it is vulnerable, it should not be viewable publicly.
The researchers also found exposed electronic medical records (EMRs). But what was more fascinating is how common it was to find pharmacy management software interfaces. This specialized software is used by pharmacies for various integrated management functions such as drug inventory, drug ordering, OTC management, narcotics tracking, patient data, patient prescription history, point-of-sale (PoS) transactions, drug insurance claims, prescriptions and refills, and label printing. Besides, the information security training experts found a patient scheduling or appointment system that contained the patients’ diagnosis information.
Another aspect of healthcare networks that the information security trainingconsultants explored was threats to the hospital supply chain. Supply chain threats are potential risks associated with suppliers of goods and services to healthcare organizations where a perpetrator can exfiltrate confidential or sensitive information, introduce an unwanted function or design, disrupt daily operations, manipulate data, install malicious software, introduce counterfeit devices, and affect business continuity.
Third-party vendors have credentials that include log-ins, passwords, and badge access which can be compromised. These vendors can also store physical records, medical devices, and office equipment. Hospitals need to be supplied by a robust supply chain to ensure uninterrupted service to patients, and thus protecting the hospital supply chain against cyberattacks becomes a critical necessity.