A new research paper has exposed significant cyber security flaws in hospital cyber security systems.
The researchers, the Independent Security Evaluators (ISE), found that a lot of priority was being given to protecting records, but not the increasing number of web connected devices found in hospitals.
In the report the ISE said: "One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective."
Chris Boyd, Malware Intelligence Analyst at Malwarebytes told CBR: "When we look at what a hospital might offer to someone with bad intentions, there are multiple potential layers of vulnerability there — everything from files on the corporate network to the network itself, right down to the patients and the devices used on them, are all up for grabs."
The report branded the threat model used by hospitals "inadequate", and said that patient health was at risk from targeted attacks by organised crime, terrorists, and nation states, as well as indiscriminate attacks by terrorists and nation states. For example, the group hacked patient monitors, causing them to give incorrect readings. This could lead to the wrong care being given, with potentially fatal consequences.
The report found that patient records were at risk from targeted attacks by hacktivists, organised crime, and nation states, as well as indiscriminate attacks by individuals or small groups, organised crime, and nation states.
In one test, the group used 18 USB sticks as bait to infect the system with malware, and gain entrance to the network to manipulate medicine distribution. They found that within 24 the infected sticks were used at nursing stations, which were infected with malware, and they then proceed to attack medicine inventory and dispensing systems.
The group goes on to say that "we are working to demonstrate that an attack against the particular dispensary is possible, meaning that anyone who can connect to the dispensary can then get access to the configuration interface and manipulate what the device believes it has to be its inventory. If this medication were then given to a patient, it would likely harm or kill the patient."
The research says that hospitals have a lack of defined, implemented, and auditable policy to deal with cyber security.
The issue of cyber security is becoming critical in the health care sector, with the rise of ehealth. Pacemakers are becoming an increasing part of the IoT connected landscape. There are now wireless connected pacemakers, and short-range attacks could be used to change the settings of the device.
Companies like Philips are also creating medical senor devices, and robots at the atomic level – nanotechnology, is developing at speed too.
Boyd said: "With the rise in IoT devices being used for medical health and also off-site monitoring, hospitals will continue to be prime targets. Besides the threat to devices such as insulin pumps and the possibility of unsecured data being sent via IoT tools, there’s the possibility of hospitals not applying safe hygiene to their computer practices and being locked out due to ransomware."
The issue of ransomware, and of medical centres losing control of their data, was brought into stark reality recently, when the Hollywood Presbyterian Medical Centre had to take its computer network offline for a week after falling victim to a ransmoware attack.
The ISE reports comes on the back of a two year study from January 2014 until January 2016 in which the group undertook tests of 12 healthcare facilities, two healthcare data facilities, two active medical devices from one manufacturer, and two web applications.