In the fall of 2014, cybersecurity consultants from TrapX Security began installing software in more than 60 hospitals around the U.S. The software was designed to mimic the network signature of medical devices: the heart monitors, insulin pumps, CT scanners and other machinery vital to monitoring and treating patients in the hospital.
Its purpose was to act as a honeypot, an attractive target for attackers who might already be roaming the hospital networks. Unlike the real devices, though, the decoys were instrumented to record intrusion attempts and capture whatever malware reached them; no legitimate system has any reason to talk to a decoy, so every connection to one is a lead worth investigating.
What TrapX found was disturbing. After six months of monitoring, it found that systems in every one of those 60 hospitals had been compromised.
Vulnerabilities Have Grown as Rapidly as the Move to Implement EHR
Healthcare Information Technology (IT) is under great strain in the U.S. today. With the implementation of the Affordable Care Act (ACA), more than ten million newly insured citizens have entered the pool of prospective patients. At the same time, an aging population and expanded treatment options are putting more people into the healthcare system, and for longer periods of time.
By 2020, the country is expected to have a shortfall of some 9,000 doctors based on current projections, and IT is expected to create the efficiencies needed to bridge that gap.
In 2012, processing a claim from a paper-based record system cost roughly two dollars, while the same claim from an electronic health record (EHR) system cost around fifty cents. Consequently, more than 80 percent of doctors have adopted electronic medical record systems, almost overnight. While the speed has been welcomed by medical professionals and patients alike, it has come at the expense of the careful planning and implementation required to secure those systems.
The only sensitive information Americans hold closer than their financial details is the details of their personal health, and the healthcare industry is entrusted with both. This has created daunting challenges for the experts working in health information security, and a hiring spree among providers as they build cybersecurity teams capable of securing massive troves of patient data.
HIPAA’s Huge Impact on Healthcare Information Security
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is both the genesis and the touchstone of modern healthcare security practice. Among the law’s Administrative Simplification provisions were mandates for three rules, subsequently issued by the Department of Health and Human Services, that changed medical record keeping and healthcare IT forever:
- The Transactions and Code Sets Rule mandates standard formats for electronic data interchange, which is what makes records portable between systems
- The Privacy Rule mandates that Protected Health Information (PHI) be kept confidential and limits how it may be used and disclosed
- The Security Rule lays out the safeguards required to protect PHI held electronically (ePHI), which is how the Privacy Rule gets enforced in practice
Together, these rules push healthcare providers to adopt electronic medical records and oblige them to secure those records.
The Security Rule is the most directly applicable to the daily work of cybersecurity professionals. It mandates administrative, physical and technical safeguards for ePHI (45 CFR Part 164, Subpart C).
Further complicating matters, many of the rule’s implementation specifications are “addressable” rather than “required.” Addressable does not mean optional: a covered entity must assess whether each such specification is reasonable and appropriate for its environment and, if it decides not to implement one, document why and put an equivalent alternative in place where that is reasonable. The fact is, it is possible to be entirely HIPAA-compliant and still carry a great deal of risk, and it is equally possible to run a well-secured system that is not HIPAA-compliant. It falls to information security staff to make the call in these gray areas and to keep the difference between the letter and the spirit of the law in mind.
Still, compliance is always a consideration and a great deal of time is spent on satisfying the requirements of auditors.
How the Internet of Things is Swamping Healthcare Cybersecurity Teams
Healthcare providers are facing a new threat that comes from the Internet of Things (IoT). Networked medical devices provide a powerful tool for patient monitoring and assessment, but as their degree of connectivity increases along with their processing power and capabilities, they are also ripe for hacking, or “medjacking” as it is now being called.
The medical device market in the U.S. is exploding. Government reports show the industry is worth $148 billion today and is projected to reach $155 billion by 2017. But the same report reveals that most device manufacturers are small businesses with fewer than 50 employees, typically not large enough to field a dedicated security team. A 2013 alert from the Department of Homeland Security’s ICS-CERT found that roughly 300 devices from some 40 vendors contained hard-coded passwords, which an attacker could use to change critical settings or modify device firmware. Because such a password is the same on every unit and cannot be changed without a firmware update, a single leaked image or dumped device exposes the whole fleet.
Perhaps even worse than the new Internet-enabled medical devices are the older ones, many of which still chug away happily on versions of Windows released in the last century. Security patches for these systems no longer exist, and in some cases the operating system is not even discernible from a quick look at the device. Built in an era when networking was less prevalent and security less of a concern, they represent a vast, unexplored pool of vulnerabilities in hospitals today. They also resist the usual inventory tools: an aggressive vulnerability scan can crash a fragile device, so hospital teams tend to rely on passive network monitoring and network segmentation rather than on scanning and patching.
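To make concrete what a hard-coded password means in practice, and what the alternative looks like, here is an added illustration written for this article. It is not code from any device vendor or from the DHS alert, and the constant “service123”, the process of provisioning, and the firmware blobs are all constructed for the example. The vulnerable pattern bakes one service password into every image; the hardened pattern gives each unit its own credential at commissioning, stores only a salted PBKDF2 hash, compares in constant time and forces a change on first use. The last section shows why the difference matters: the equivalent of `strings firmware.bin | grep -i pass` recovers the fleet password from the vulnerable image and nothing usable from the hardened one.

```python
"""Hard-coded fleet password vs. per-device credential on an embedded device.

Added illustration for this article; not code from any device vendor. The
constants ("service123", the firmware blobs) are constructed, not real defaults.
"""
import hashlib
import hmac
import os
import re

# --- Vulnerable pattern ------------------------------------------------------
# One service password compiled into every firmware image. Anyone who obtains the
# image, or dumps flash from a single unit, holds the credential for the whole
# fleet, and removing it requires a firmware update to every deployed device.
SERVICE_PASSWORD = "service123"  # constructed constant, not a real vendor default


def vulnerable_login(supplied: str) -> bool:
    return supplied == SERVICE_PASSWORD


# --- Hardened pattern --------------------------------------------------------
# Each unit receives its own credential when commissioned. The firmware stores
# only a salted PBKDF2 hash, compares in constant time and forces a change on
# first use, so a dumped image gives an attacker nothing reusable elsewhere.
def provision_credential(password: str, iterations: int = 100_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest, "must_change": True}


def hardened_login(supplied: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", supplied.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def change_password(record: dict, old: str, new: str) -> dict:
    """First-use change; callers should refuse other operations while must_change is set."""
    if not hardened_login(old, record):
        raise PermissionError("current password does not match")
    fresh = provision_credential(new, record["iterations"])
    fresh["must_change"] = False
    return fresh


# --- What an attacker gets from a firmware dump -------------------------------
# Equivalent of `strings firmware.bin | grep -i pass`: printable values that follow
# a password-like key. Only the vulnerable image gives up anything usable.
SECRET_PATTERN = re.compile(rb"(?:pass(?:word|wd)?|pwd)\s*[=:]\s*([^\x00\r\n]{4,64})", re.IGNORECASE)


def recover_secrets_from_image(image: bytes) -> list[str]:
    return [m.group(1).decode("latin-1") for m in SECRET_PATTERN.finditer(image)]


# Constructed stand-ins for firmware blobs: a few header bytes plus a config region.
VULNERABLE_IMAGE = b"\x7fELF\x01\x01\x01\x00config\x00user=service\x00password=service123\x00telnet=1\x00"


def hardened_image(record: dict) -> bytes:
    """The hardened firmware carries only salt and hash, useless without the password itself."""
    return (b"\x7fELF\x01\x01\x01\x00config\x00user=service\x00pwhash="
            + record["salt"].hex().encode() + b":" + record["hash"].hex().encode()
            + b"\x00telnet=0\x00")


if __name__ == "__main__":
    print("leaked from vulnerable image:", recover_secrets_from_image(VULNERABLE_IMAGE))
    rec = provision_credential("unit-7f3a-initial")
    print("leaked from hardened image:", recover_secrets_from_image(hardened_image(rec)))
    print("fleet password accepted by hardened unit?", hardened_login("service123", rec))
```

The per-unit credential still has to get to the clinical engineering team somehow (a label in the box, a commissioning tool), and that channel is now part of the device’s attack surface; the point of the pattern is that compromising one unit or one image no longer compromises every unit in every hospital.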
Medical Devices in Homes Create New Vulnerabilities
As if keeping track of and securing networked medical devices within the hospital weren’t challenging enough, healthcare cybersecurity teams increasingly have to connect to and secure devices outside their network, from Internet-enabled CPAP machines to cardiac monitors in patients’ homes.
Home health care jobs are predicted to increase by 70 percent by 2020.
The trend is a boon to patients and to hospitals with bed space already stretched tight. Patients can recover more comfortably at home and doctors can make decisions on current data. But bringing telemetry in from environments the hospital does not control opens a window of opportunity for attackers: the devices and the home networks they sit on are outside the security team’s reach, so the data paths into the hospital have to be treated as untrusted and the records they feed as potentially tampered with.
How Ransomware Can Threaten Lives, as Well as Finances
Hospitals are particularly vulnerable to encryption ransom schemes. In February 2016, according to Healthcare IT News, Hollywood Presbyterian Medical Center paid hackers 40 bitcoin, about $17,000 at the time, after malware encrypted vital patient data and held it hostage. Before the ransom was paid and systems restored, clinicians were forced back to handwritten notes and paper charting for more than a week.
Unlike other businesses, where a ransom scheme may simply be a painful and expensive lesson in network security, for hospitals it can literally be a matter of life and death. They have little room to negotiate and none at all to refuse if no adequate backups of patient data exist; backups reachable from the compromised network are typically encrypted along with everything else, so the ones that count are offline or otherwise isolated, and have actually been tested for restore.
Although no lives were lost as a result of the Hollywood Presbyterian attack, it is not hard to imagine a scenario in which being unable to access electronic records results in a misdiagnosis or a lethal prescription mix-up. Avoiding exactly these kinds of mistakes was part of the motivation for moving to electronic medical records in the first place.
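Encryption ransomware has a behavioural signature that a hospital’s security operations team can watch for while there is still time to pull a machine off the network: one process rewriting many files in quick succession with high-entropy content and renaming them with a new extension. The following is an added example written for this article, not code from the original page or from any incident report; the event format, the process names (including the constructed “updater_svc.exe”), the paths and the thresholds are all assumptions for illustration. It builds a constructed stream of file-activity events from two benign processes and one encrypting process, then runs a sliding-window detector over it.

```python
"""Behavioural ransomware detection over file-activity events.

Added example for this article, not code from the original page or from any vendor.
The event format, process names, paths and thresholds are constructed for illustration.
"""
import hashlib
import math
from collections import Counter, defaultdict

# Low-entropy clinical text standing in for a normal EHR note (constructed).
NOTE_TEXT = (b"Patient reports mild chest discomfort after exertion; vitals stable, "
             b"no acute distress. Continue current medication, follow up in two weeks.\n") * 8


def pseudo_ciphertext(seed: int, size: int = 1024) -> bytes:
    """Deterministic stand-in for encrypted output (a hash chain), so the sample is reproducible."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, approaching 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ext(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def build_sample_events() -> list[dict]:
    """Constructed file-activity stream: two benign processes and one encrypting everything it touches."""
    events = []
    for i in range(12):  # clinician saving notes: slow, low entropy
        events.append({"t": i * 2.5, "proc": "ehr_client.exe", "op": "write",
                       "path": f"C:\\EHR\\notes\\{i:04}.txt", "data": NOTE_TEXT})
    for i in range(12):  # backup agent: bursty, but copies plaintext and renames nothing
        events.append({"t": 100 + i * 0.1, "proc": "backup_agent.exe", "op": "write",
                       "path": f"D:\\backup\\notes\\{i:04}.txt", "data": NOTE_TEXT})
    for i in range(12):  # ransomware: high-entropy overwrite, then rename with a new extension
        path = f"C:\\EHR\\notes\\{i:04}.txt"
        events.append({"t": 200 + i * 0.2, "proc": "updater_svc.exe", "op": "write",
                       "path": path, "data": pseudo_ciphertext(i)})
        events.append({"t": 200 + i * 0.2 + 0.05, "proc": "updater_svc.exe", "op": "rename",
                       "path": path, "new_path": path + ".locked"})
    return events


def detect_ransomware(events, window_s=5.0, min_files=10, entropy_threshold=7.0, high_fraction=0.8) -> dict:
    """Flag processes that, within any window_s seconds, wrote at least min_files distinct files
    and either wrote mostly high-entropy content or changed the extension of at least min_files files.
    Returns {process: {"files", "high_entropy_writes", "extension_changes"}} for the widest such window."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[e["proc"]].append(e)
    findings = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["t"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["t"] - evs[start]["t"] > window_s:  # slide the window forward
                start += 1
            window = evs[start:end + 1]
            writes = [e for e in window if e["op"] == "write"]
            files = {e["path"] for e in writes}
            if len(files) < min_files:
                continue
            high = sum(1 for e in writes if shannon_entropy(e["data"]) >= entropy_threshold)
            ext_changes = sum(1 for e in window
                              if e["op"] == "rename" and _ext(e["path"]) != _ext(e["new_path"]))
            if high / len(writes) >= high_fraction or ext_changes >= min_files:
                prev = findings.get(proc)
                if prev is None or len(files) >= prev["files"]:
                    findings[proc] = {"files": len(files), "high_entropy_writes": high,
                                      "extension_changes": ext_changes}
    return findings


if __name__ == "__main__":
    for proc, finding in detect_ransomware(build_sample_events()).items():
        print(f"ALERT {proc}: {finding}")
```

Entropy alone is not enough in a hospital: compressed imaging data and legitimately encrypted backups are also high-entropy, which is why the detector requires volume plus either entropy or extension churn, and why the backup agent in the sample is not flagged. In production the alert should trigger host isolation rather than just a ticket, and none of this replaces the isolated, restore-tested backups that decide whether a ransom demand can be refused.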
But the real nightmare scenario is when the ransomware trend bleeds over into medical device hacking. Suddenly, the stakes are not just whether or not old blood pressure readings are accessible, but whether or not a patient’s insulin pump will stop working.
A white-hat hacker named Jay Radcliffe, who also happens to be diabetic, demonstrated the possibility in 2011 when he hacked into his own insulin pump using a $20 radio transmitter bought off the shelf at an electronics store.
Forrester Research predicts that at least one case of a medical device being hacked for ransom will occur by the end of 2016. The hope is that a skilled master’s educated cybersecurity professional will be there to stop it.