Securing Medical Devices, Solving the Challenge of the Weakest Link
Although patient privacy and data security have been a top priority for the medical industry since the passage of the HIPAA data privacy act in 1996, hackers continue to find ways to infiltrate hospital networks and steal patient data. Many are seeking valuable healthcare data, as health insurance credentials can be worth twenty times the value of a credit card on the black market. Cyber criminals are successfully searching for and finding weak links in the medical industry security chain. According to the recent MedJack report from TrapX Security, medical devices are often the weak link that opens the door to attack.
The findings of the MedJack report are really not surprising. The report provides details of criminals hijacking medical devices and using the compromised devices to launch broader attacks against the hospital’s “secure” networks. Hackers can easily attack because the security of the medical devices is weak. Once the medical device or system was compromised, the intrusion remained undetected for a significant period of time, enabling the hackers to gain access further into the network, discover medical records, and finally exfiltrate the medical record data. The reported attacks include:
- Healthcare records stolen from a hospital in which hackers compromised Blood Gas Analyzers (BGA) in the hospital laboratory. From this beachhead, they were able to move through that network collecting information and exfiltrating it back out through the BGA devices.
- Healthcare records stolen from a hospital in which hackers infected a Picture Archive and Communications System (PACS) in the hospital radiology department. Using malware installed on the PACS system, hackers were able to move through that network collecting information and exfiltrating that information to a location in Guiyang, China.
- Healthcare records from another hospital were discovered through compromised X-ray equipment. From the compromised system, hackers were able to expand their reach through that network gathering a wealth of information.
Legacy Device in Modern Networks
Because many current medical devices are based on designs that predate the pervasive cyber-threats we see today, they are not prepared to ward off attacks. Decades ago there was no concept of the web; systems and devices were manufactured without any awareness that sometime in the future they could be connected to an international digital network that anyone can access. The World Wide Web had just been invented, and the internet was barely in its infancy and not used by the general public (the first commercial dial-up Internet Service Provider was formed in 1990). AOL and dial-up bulletin boards ruled the day. The concept of security by isolation was an appropriate design choice at the time. As MedJack illustrates, that approach to security is no longer viable.