Health care hacks: The difference between life and death

February 05, 2018
By Gary Sockrider

Cyberattacks continue to dominate the news cycle, with recent attacks such as Reaper, WannaCry and NotPetya highlighting a harsh reality: personal information is gold, and attacks are growing. According to NETSCOUT Arbor’s 13th annual Worldwide Infrastructure Security Report (WISR), ransomware was cited as the top threat by enterprises in 2017. Business impacts from attacks include reputation and brand damage and operational expense, in addition to revenue loss.

Cyberattacks aren’t confined to any specific industry or size, and the cost for companies to bounce back from these threats can be hundreds of thousands of dollars per event. It’s no secret that health care information is one of the most valuable commodities on the black market. With that kind of monetary motivation, we’ll likely see an increase in breaches of medical records in the coming years.

Unfortunately, health care carries an added and unique security burden: an attack in this industry can literally be fatal for the end user. A compromised device can deliver too much or too little medication, or shut down an implant outright, turning lifesaving technology against the patient it was meant to protect. With that in mind, the health care industry must consider how to mitigate the risk of such attacks and, ultimately, how to better protect patients. The state of security in health care should be top-of-mind for all hospital staff, not just the IT department.

Regulations are minimum standards
While regulations can be useful for creating awareness and driving responsibility, they are not comprehensive. As we’ve seen in retail security breaches, regulations may be imposed, but they set only a bare minimum for protection. If a retailer adheres to every regulation, its financial liability is limited, even though the damage to the end user can be devastating. Take, for example, the recent Equifax breach, which exposed sensitive information on well over 100 million consumers, with little to no repercussion for the company’s lack of action. This is the problem with treating regulations as an antidote: regulations do not update as quickly as technology does, so an organization that does only what the regulations require is out of date and at risk almost immediately. The bottom line is that effective cybersecurity requires organizations to go above and beyond industry regulations.

Since the first wave of networked medical devices, security threats have taken a new direction, going beyond the sale of information to potentially life-threatening attacks. Hacking a network, manipulating critical data or medication, or changing a device’s cadence all have dangerous consequences.

The fatal reach of medical devices
Take, for example, patients with pacemakers, technology they rely on to keep their hearts beating normally. After an extremely invasive procedure, followed by weeks of recovery, the patient begins to feel safe and well. However, with medical device security regulations as relaxed as they are, there may be more to worry about once the device has been implanted or the wearable switched on.

Knowledgeable attackers can reach far more than hospital equipment such as CT scanners. They can target far more personal devices: insulin pumps for diabetics, pacemakers and, in some cases, life-monitoring machines. So with regulations this relaxed and technology moving faster than regulation can keep pace, what can the health care industry do? Former Vice President Dick Cheney took extra precautions with his own implanted heart device, having its wireless functionality disabled to ensure it could not be reached remotely.

Be prepared by assuming an attack will happen
Beyond patching medical devices and adding security features to them, organizations need good visibility into potential threats and policies in place that limit risk. Good policy is a necessary start, but auditing and enforcement are also required for it to be effective. Health care providers and device makers alike must stay current on the security controls available to them, and auditing the controls already in place to see what can be improved is the best way to do that.

Organizations must live by a comprehensive set of strategies – assess the risk; put policies, management and monitoring in place; fix the issues; and repeat this process again and again. Keeping up-to-date on vulnerabilities and continuing to put adequate protections in place, whether mandated or not, is critical.

What’s more, it’s essential to be aware of the vulnerabilities in your organization. Look at every scenario and prepare for the worst.

Involve the patient
We are all accustomed to security awareness training, from choosing strong passwords to not opening suspect attachments, and end users know they are both the way in and often the last line of defense. This precautionary training, although not foolproof, should extend to patients with implants or wearables, especially when the device is remotely connected to the hospital for monitoring and tracking. Patients who can recognize potentially malicious activity, and who have a designated contact at their provider for reporting suspicious behavior, could help stop an attack before real damage is done.

With medical information becoming such a lucrative payday for attackers, health care experts shouldn’t expect attack frequency to slow. However, if the industry goes beyond outdated regulations and teams with the security industry for protection, it will be able to fend off life-threatening attacks.

About the Author: Gary Sockrider is principal security technologist with NETSCOUT Arbor, and an industry veteran with over 25 years of broad technology experience ranging from network security to routing and switching, data center, mobility and collaboration. His previous roles include security SME, consultancy, customer support, IT and product management. He seeks to understand and convey the constantly evolving threat landscape, as well as the techniques and solutions that address the challenges it presents. Prior to joining Arbor in 2012, he spent 12 years at Cisco Systems and held previous positions with Avaya and Cable & Wireless.