Hospital Hacks: An Emerging ThreatWhat Are You Doing to Prevent These Scary Scenarios?
Picture it: Hackers worming their way into unsuspecting user accounts to rig hospital medication dispensers, operating room heating systems and medical devices to wreak havoc and potentially even to kill patients.
I think it sounds more like the plot of a crime/suspense drama, but some security experts say the threats are real - that hackers could, for instance, take over your hospital's infrastructure, cranking up operating room temperatures to dangerous conditions that overheat patients and surgeons and pose a risk of medical complications.
It's never been easier to break into an organization.
David Kennedy, CEO of TrustedSec, a security consulting firm, knows it's possible because his company has conducted penetration tests of hospitals, proving how easily a clever hacker can gain control of systems ranging from heating ventilation and air conditioning to patient care equipment. "It's never been easier to break into an organization," he told an audience at the 2013 HIMSS Conference.
Penetration tests have also demonstrated how easily Kennedy's "hackers" can wipe out medications from a hospital pharmaceutical dispensing machine and tamper with patient medical devices. "Most of these systems have embedded Windows or slimmed down Linux," making them easy targets, he says.
Of course, Kennedy isn't the only one who's tested how easily hackers can compromise medical gear. Other "white hat" hackers, including Barnaby Jack, director of embedded device security at services firm IOActive, have demonstrated how insulin pumps and heart defibrillators can be hacked from afar, changing settings and potentially zapping patients with deadly doses of medication or electroshocks.
"Implantable medical devices are awesome for hackers," Kennedy told the HIMSS crowd. All systems that have exposure to the Internet, especially wireless and mobile devices, are at risk.
Also vulnerable are unsuspecting users who fall for the social engineering tricks of phishers.
One test conducted by Kennedy's group involved tricking a company's workers into thinking their employer required them to fill out a new (but fake) HIPAA privacy form online in order to receive next year's medical benefits. The trick enabled the "hackers" to collect user passwords, letting the potential cybercriminals poke around and gain access to critical systems.
Thankfully, these kinds of scary scenarios so far have been fictional demonstrations. There's no clear-cut evidence that hackers have actually ever caused harm to a patient with a wireless medical device, according to a recent Government Accountability Organization report that nevertheless urged the Food Drug Administration to develop a plan to improve tracking of device security and safety issues (see: GAO Spotlights Medical Device Security).
However, keep in mind that breaking into hospital systems to cause danger to patients isn't necessarily the top target of hackers. Bill Fox, principal of Booz Allen Hamilton, predicted in an interview at the HIMSS Conferene that organized crime penetrating healthcare systems to steal financial and health-related data is among the biggest emerging threats the industry faces.
Here are some steps that Kennedy and other experts say hospitals can take to better protect their systems - and their patients - from these sorts of intrusions:
- Secure systems at the critical asset level. That includes conducting penetration testing that highlight weaknesses in the most important systems of your organization.
- Isolate sensitive systems, such as patient medical devices, so that there's less risk of being attacked through the vulnerabilities of other systems on a network.
- Secure your perimeter.
- Hold third-party services companies accountable for the vulnerabilities of their products and systems.
The HIPAA Security Rule requires covered entities to have a patch management program to protect healthcare systems against viruses. And now, under the HIPAA Omnibus Rule, business associates, including, in some cases, device manufacturers or servicers, must also comply with that requirement, says David Holtzman, senior health information technology and privacy specialist at the HHS Office for Civil Right(see: Medical Devices: New Security Help).
Still as healthcare providers and their business associates scramble to comply with the HIPAA Omnibus Rule, I think it's important to keep this in perspective: HIPAA's requirements don't address many other security vulnerabilities that, if ignored, could put healthcare data and patients at risk.
Achieving HIPAA compliance isn't enough to protect your organization from the kinds of scary situations that Kennedy and others warn against.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.