22 Apr 2016

ISE’s research shows that healthcare facilities & hospitals security programmes
to ward off determined attackers going after specific targets

A well-known security axiom posits that an effective security programme can discourage would-be attackers, causing them to move on in search of softer targets. But it doesn’t always work that way.

Take healthcare facilities such as hospitals, for example. Prospective attackers with no particular target in mind may see a well-protected hospital facility and move on in search of another target, just as you would expect.

On the other hand, some healthcare attackers have specific targets in mind, and they will try to get at those targets using all of their digital cunning.

According to Geoff Gentry, Director of Healthcare with Independent Security Evaluators (ISE), a security-consulting firm, healthcare facilities and hospitals in particular lack security programmes that can ward off determined attackers going after specific targets.

Stealing or altering medical records

“An adversary targeting a specific facility will spend the time and resources necessary to ensuring a successful attack,” Gentry says. “Imagine, as a hypothetical example, a celebrity undergoing treatment in a hospital. Attackers might want to acquire and release the celebrity’s medical records — in order to embarrass him or her.

“They would break into the hospital information technology network and search for specific files. It is more difficult to discourage attackers with specific targets like this.”

Could attackers go after the celebrity patient as well, by corrupting the medical equipment and systems being used in a treatment programme? “To our knowledge, no real-world attacks have been reported targeting patient health,” says “Securing Hospitals,” a two-year, research study conducted and financed solely by ISE.

However, the ISE study goes on to say: “Research has shown that medical devices are susceptible to compromise, such as pacemakers, and insulin pumps. Similar attacks have even been demonstrated on simulated patients in a laboratory setting. Though attacks against these systems have only been performed in a research setting, they demonstrate a grave problem. When these or similar attacks are finally exploited in the wild, lives will be lost. In 2015, attacks were documented using medical devices as the pivot onto the hospital’s production network.”

 

Attackers may aim to steal and expose a target’s medical records, or
even alter them to interfere with their treatment

The vulnerability of specific targets

“Securing Hospitals” also reports successful demonstration attacks by researchers in field settings that might have killed or at least harmed patients had malicious hackers been behind them.

In one case, for instance, attackers took over a patient monitor and altered the vital signs being displayed, which could alter the treatment program for a patient.

In another scenario, attackers manipulated the flow of medicine and blood samples, causing the delivery of the wrong medicines and dosages.

The booklet reports several other scenarios and notes that: “The examples listed above represent a small fraction of the attack scenario possibilities that could result in the injury or death of a hospital patient.”

What can a hospital do?

Pointing to the results of the ISE study, Gentry recommends re-doing hospital security from scratch — starting by resetting priorities. “What is the worst thing that can happen in a breach?” he asks. “Patients can die. Patients are the real assets that need protecting.”

“Hospitals are inclined to focus on health records first, but the priorities should be patients first and then records. If you think first about securing the safety of patients, I think you will develop a better overall security program.”

When patient security comes first, continues Gentry, administrators tend to work on securing online medical devices, equipment and systems from digital attackers.

In addition, physical access control and video surveillance cameras can support the electronic security systems by ensuring that only authorised people can enter the hospital.

Once electronic and physical access can be controlled and managed, hospitals will be much more securely protected than they are today.