The prospect of the idea is like something straight out of a William Gibson science fiction yarn or something out of a kitschy Tom Cruise spy flick – hackers infiltrating and remotely accessing vital medical equipment like pace makers, hospital systems and more to create havoc or worse. Unfortunately, as implausible it sounds, the concept of a cybercriminal hacking devices and systems in the healthcare industry is not only a possibility but a distinct reality.
According to the boffins at Fortinet, a hacker can potentially infiltrate healthcare infrastructure, ranging from end user medical devices all the way up to the technological infrastructure that hospitals depend on. ”In a worst case scenario, devices such as pace makers or insulin pumps can be compromised by hackers. As lives physically depend on these devices, a malfunction or compromise can lead to unexpected results and possibly death,” says Derek Manky, Global Security Strategist at FortiGuard, a combination of a think tank, troubleshooter and fire fighting team that resolves internet security issues for clients worldwide.
Part of Derek’s mandate is to take a strategic view of the threat landscape of the internet, keeping watch for looming threats on the digital horizon. The vulnerability of the healthcare industry to infiltration and the potential damage it can potentially cause is one of his biggest concerns of late. The idea that these malicious acts are beyond the theoretical and entirely in the realm of possibility is daunting indeed.
Unlike more security conscious organisations like financial institutions, government agencies and high profile commercial concerns, the state of security of the healthcare industry is akin to a house with the front door and windows wide open along with a Vegas-style welcome sign in huge glowing neon letters on the lawn.
Clear and Present Danger
Many medical devices, such as those installed in hospitals like MRI scanners, X-ray machines, medical lasers and other large medical equipment as well as other commercial devices purchased off the shelf for home use like blood pressure readers and the like are increasingly being festooned with a host of wireless connectivity options to remotely share and upload their data to other devices or networks. These medical devices, many of which human lives depend often use off-the-shelf operating systems like Microsoft Windows.
Other medical machines that are networked for more efficient patient treatment – heart monitors, IV pumps, pacemakers and more are being increasingly automated, remotely operated and are able to provide real-time medical data for doctors to act on without even having to be in the same room much less on the same continent as the patient. Hospital medical equipment can wirelessly share the medical data of a patient across a common network for more efficient treatment rather than having to laboriously rely on error prone paper records.
Increasingly, more commercial devices like smart watches and other wearables are being sold on the market that are able to track a host of additional fitness metrics as well like heart rate, distance and speed travelled on foot and more. Rather than uploading it for medical reasons, users upload and share this data for bragging rights with other fitness enthusiasts. The increasingly interconnected and unsecured nature of these medical devices is also an open season pass for hackers as each device represents an avenue of attack.
“The chances of a malicious attempt on medical devices is much higher than it would be a couple of years ago,” says Derek, “This is because they are connected to more accessible networks to hackers as well as other channels other than hardwired networks such as Bluetooth and Wi-Fi. With such a huge array of devices available, it also goes to say that there are also multiple avenues for a hacker to cause havoc, more so when these devices are interconnected to each other. New vulnerabilities and exploits are being discovered to infiltrate healthcare industry hardware but they’re not being fixed nearly as fast as they ought to be. ‘The ‘cat is out of the bag’ so to speak’,” says Derek, ”instructions on how to hack are out but there are no immediate fixes available.”
“These medical devices are not coded with security in mind, since they are not used to being attacked,” explains Derek. “Such healthcare devices may use third party libraries,” he adds, meaning that the software used in compiling them is off the shelf; while it’s easy to program they are also not as secure against tampering. “Vulnerabilities are plenty and are considered low hanging fruit for attackers, opening up multiple avenues of attack,” adds Derek. While these devices are able to capture, collate and distribute a wealth of data, they lack the means to securely protect it against intrusion. The networking and medical systems in use today were also never designed to be secure against intrusion or tampering.
The numbers aren’t particularly encouraging either be it locally or worldwide. According to FortiGuard, there were 36,630 distinct forms of malware, a whopping 71,490,746 unique hacking attempts and a somewhat ludicrous 27, 216, 765 botnets detected in a three month span from January until March this year. While the numbers are global in nature, FortiGuard added that 18.7% of all that malware, 6.9% of all those hacking attempts and 54% of all those detected botnets were from the Southeast Asia region.
While it’s hard to break down the numbers, the law of averages says that of that number, it’s likely quite a few of those attempts will have been on medical institutions. It’s also a safe bet to say that these numbers aren’t going to decline anytime soon either and with the unguarded nature of medical devices and the value of that data, hackers will likely be targeting the healthcare industry more in the future.
Hacking Healthcare for Fun and Profit
Ironically, as the case may seem, hackers these days are less motivated by ideology and more by financial gain and while malicious acts of terror are indeed theoretically possible, there’s a far higher likelihood of them infiltrating systems or hacking medical equipment to do something else – make off with your medical history.
As kooky as it sounds, a person’s medical history and personal details are worth their weight in gold to a hacker. In fact, it’s worth far more than skimming credit card numbers; the bread and butter of the average black hat hacker.
The answer to why patient data is worth so much is not in what the information offers, but how it can be used. The sum of that data– age, weight, height, name, address, health and medical history form a pretty intimate picture of a person. With all that information, a cybercriminal has all he needs on a silver platter to perform identity theft and fraud. Fortinet’s Country Manager for Malaysia, Michelle Ong explains that, “The black market for patient data is up to twenty times more valuable than that for credit card data stolen in retail breaches.” Several such credit breaches in recent memory come to mind – Home Depot in September last year in the United States where hackers made off with a staggering 56 million e-mail addresses as well as affecting an equal number of credit and debit cards. Another is US office supply chain Staples that fared no better with a credit card breach around the same time that possibly resulted in 1.16 million customer credit and debit cards being compromised. Fortunately, credit card companies are quick to act when it comes to misused credit and debit cards.
Unlike credit card information that is usually acted in a matter of days at most, compromised information of this nature may end up being in circulation for a lot longer. “It can be up to a year or more for patients to realise that their personal information has been compromised,” says Michelle. Filched credit card numbers are acted on in a fairly swift fashion while algorithms in credit card companies track unusual behaviour, limiting the window for misuse and making it harder for hackers. “When a credit card is stolen, algorithms in the financial industry pick up unusual activity very quickly and systems often automatically provide protection. These same protections simply don’t yet exist in healthcare,” she adds .
According to Fortinet, the healthcare industry is, perhaps due to the altruistic nature of its business, mostly unprepared and worse, lacks the protection that other more security conscious organisations would implement as a matter of course. According to the Ponemon Institute, data breaches have cost the average healthcare organisation a whopping US$2.4 million over the last two years. While solutions exist, many institutions are slow to act. “Security experts need to get involved, digital asset assessment is essential and a security solution that is fully capable of differentiating, inspecting and protecting against threats that are PC based, mobile or via another medium of attack needs to be implemented such as the FortiGuard and Fortinet suite of security solutions,” says Derek.
“The time to address healthcare security is not when medical record breaches start making headlines. The healthcare industry as a whole needs to be proactive and begin deploying systems with security baked in, protected at both the network and application levels,” said Ong. “Without proper security and a framework to implement it effectively, hackers can potentially manipulate medical machines to shut down critical systems in hospitals and harm patients,” says Ong. “The stakes are simply too high to wait.”
Hackers are Eyeing Our Healthcare
