Getting a clean bill of health after a common hospital procedure might give you a big headache over your financial health.
It’s almost misleading to say that most of our medical devices are under cyber attack, since that implies some type of defense exists to be attacked. Unfortunately, once a hacker is past the hospital firewall, it’s a security-free zone in a malware-vulnerable paradise.
Want to sleep even less when you’re in the hospital? Read on…
Previously, I’ve written about 2015 becoming the year cyber crime turned its keyboard to your health care records, rather than your credit cards. This detailed article from Bloomberg explains that this danger is well-founded and pervasive throughout our medical industry.
Hospital administrators have a lot of reasons to fear hackers, as a Mayo Clinic-sponsored device-hacking research exercise proved as far back as 2013.
The Mayo Clinic assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices.
For a full week, the group spent their days looking for backdoors into typical infusion pumps, magnetic resonance imaging (MRI) scanners, ultrasound equipment, ventilators, electro-convulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.
“Every day, it was like every device on the menu got crushed,” Rios says. “It was all bad. Really, really bad.”
The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on.
And, really, the Mayo Clinic alone cannot effect the necessary changes throughout the entire medical ecosystem, because the issues are so pervasive.
Just last fall, analysts with TrapX Security, a firm based in San Mateo, Calif., began installing software in more than 60 hospitals to trace medical device hacks. TrapX created virtual replicas of specific medical devices and installed them as though they were online and running. To a hacker, the operating system of a fake CT scan device planted by TrapX would appear no different from the real thing. But unlike the real machines, the fake devices allowed TrapX to monitor the movements of the hackers across the hospital network. After six months, TrapX concluded that all 60 of the hospitals contained medical devices that had been infected by malware.
“These medical devices aren’t presenting any indication or warning to the provider that someone is attacking it, and they can’t defend themselves at all,” says Wright, who is a former information security officer for the U.S. military.
After hackers had compromised a medical device in a hospital, they lurked there, using the machine as a permanent base from which to probe the hospital network. Their goal, according to Wright, was to steal personal medical data.
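The decoy idea described above, as an added example that is not TrapX's software and is not from the Bloomberg piece: a small Python script reads constructed flow-log lines, treats any completed session to a decoy address as a high-fidelity alert (a fake device has no legitimate users), and groups the hits by source host so an intruder's path across the network becomes visible. The decoy addresses, the log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed decoy inventory: fake devices that have no legitimate users,
# so any completed session to them is a high-fidelity alert.
DECOYS = {
    "10.20.5.40": "decoy CT scanner",
    "10.20.5.41": "decoy infusion pump",
    "10.20.5.42": "decoy MRI console",
}

# Constructed flow-log lines (assumed format): ts src=ip dst=ip dport=n action=allow|deny
SAMPLE_LOG = """\
2015-06-01T02:11:03Z src=10.20.7.15 dst=10.20.5.10 dport=443 action=allow
2015-06-01T02:14:41Z src=10.20.7.15 dst=10.20.5.40 dport=445 action=allow
2015-06-01T02:15:02Z src=10.20.7.15 dst=10.20.5.41 dport=23 action=allow
2015-06-01T02:15:09Z src=10.20.7.15 dst=10.20.5.42 dport=3389 action=allow
2015-06-01T02:22:30Z src=10.20.7.30 dst=10.20.5.40 dport=80 action=deny
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>allow|deny)$"
)

def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def decoy_hits(log_text):
    """Map each source host to the ordered (ts, decoy, port) sessions it
    completed against a decoy. Denied packets never reached the decoy and
    could not give an intruder a foothold there, so they are ignored."""
    paths = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev and ev["action"] == "allow" and ev["dst"] in DECOYS:
            paths[ev["src"]].append((ev["ts"], ev["dst"], int(ev["dport"])))
    return dict(paths)

def triage(log_text, min_decoys=2):
    """Label each source: touching several distinct decoys looks like a
    sweep of the network; a single decoy may just be a misconfiguration."""
    return {
        src: "lateral-movement" if len({d for _, d, _ in hits}) >= min_decoys
        else "single-touch"
        for src, hits in decoy_hits(log_text).items()
    }
```

Because a decoy should never see real traffic, this check needs no signature of the malware involved, which is the property that let the fake devices reveal infections the real ones never reported.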
“The problem with the health-care record is it’s what we call immutable data. It isn’t easy to change,” Caleb Barlow, IBM Security vice president, said.
“You can’t call somebody up and say, ‘Hey, give me a new health-care record.’ It’s stuck with you for the rest of your life, so this information in the health-care record could be used 20 years from now to establish credit, file a tax return on your behalf, or file a false medical claim.”