Healthcare organizations are facing a mounting security challenge: Not only is patient data a ripe target for hackers, but legacy hardware systems have such holes in their security that ERI called the current situation a “perfect storm.”
According to the report, 3.15 million patient records were compromised in 142 healthcare data breaches in the second quarter of 2018. A full 30 percent of privacy violations involved repeat offenders.
The 2 Types of Legacy Medical Device Vulnerabilities
Vulnerabilities around legacy hardware come in two forms. The first is that security hasn’t been a priority when it comes to healthcare hardware. “Modern IT systems are being designed with security baked in from the beginning. That wasn’t the case with medical devices, and still often isn’t the case,” says Christopher Dawson, threat intelligence lead at Proofpoint.
While new devices might be developed with security at least tacked on as an afterthought, legacy hardware is still in use in practices — even if the devices were developed years before ransomware became a high-profile problem.
“These devices stay in clinical practice for years,” says Dr. Christian Dameff, emergency physician and clinical informatics researcher at the University of California, San Diego. “Think of a device conceived using Windows XP that goes into practical and clinical use for eight years. It could be in operation well after Microsoft stops issuing patches for it.” Microsoft stopped supporting Windows XP in 2014.
The second type of vulnerability is that hospital systems, busy with saving lives, aren’t necessarily budgeting for security. According to the 2017 U.S. Department of Health and Human Services’ Health Care Industry Cyber Task Force report, three out of four hospitals don’t have a designated security person on staff.
“You might have a very secure medical device, but it goes into a clinical environment where no one knows anything about security,” Dameff says.
Healthcare data is attractive to hackers because it’s information that can be used over and over again — information like Social Security numbers.
With this type of information, “you can do a lot more damage in the long term,” says Dawson. A weakness in an MRI machine or CT scanner could be a hacker’s entry point into the entire healthcare IT system.
The Dangers of Unsecured Medical Devices
While it hasn’t happened yet, these devices could be hacked to do real patient harm. “There’s a finite amount of time you have to treat a patient having an acute stroke, and a CT scan is vital. If your hospital is suffering a cyberattack and those devices are offline, you can’t take care of your patients,” Dameff says.
In 2017, he and Dr. Jeff Tully, a resident anesthesiologist at the University of California, Davis Medical Center, held the CyberMed Summit, where they simulated a cyberattack on the University of Arizona College of Medicine in Phoenix, where they are both alumni. They were able to hack insulin pumps and a pacemaker.
While stealing patient data is a big problem, Dameff also wouldn’t put it past nation-states to use these vulnerabilities to attack “individuals of high political stature and other important people being taken care of in hospitals,” he says. “Hospitals help people, but if things are manipulated in such a way, they can also hurt people.”