By Mayra Rosario Fuentes and Numaan Huq (Senior Threat Researchers)
In our latest research paper on healthcare cybersecurity, Securing Connected Hospitals, which was produced in partnership with HITRUST, we examined internet-connected medical-related devices and systems such as databases, hospital admin consoles, and medical devices. We also looked into the supply chain, which has been an attack vector that is often overlooked.
Based on our research into cyberthreats against hospitals, we have identified three broad areas of interest that are at high risk of being targeted by cybercriminals.
- Hospital operations — This includes cyberthreats against everyday critical systems such as staff scheduling databases, hospital paging systems, building controls, pneumatic tube transport systems, inventory systems, payroll, administration, etc.
- Data privacy — This includes cyberthreats against different types of data such as personally identifiable information (PII), for both patients and hospital employees, including patient diagnosis and treatment data; insurance and financial information; research and drug trial data; payroll; intellectual property (IP), etc.
- Patient health — This includes cyberthreats against medical devices and systems that are used for the treatment, monitoring, and diagnosis of patients, as well as cyberthreats against the hospital information system (HIS).
Healthcare institutions in the U.K. were shown to be below cybersecurity standards when the WannaCry ransomware hit National Health Service (NHS) trusts in May 2017. According to the National Audit Office report on the incident, the attack infected 37 trusts, indirectly disrupted 44 more trusts, and infected 603 primary care and other NHS organizations, throwing the U.K.'s healthcare system into disarray for several days. It is therefore worth examining why hospitals would have poor cybersecurity. Some of the possible reasons put forward include the following:
- The primary purpose of a healthcare facility is patient care and that is where the bulk of resources are invested, leaving only barebones budget available for cybersecurity spending.
- Hospital computers and diagnostic equipment have many users, e.g., doctors, nurses, and technicians, who rotate regularly within the hospital. This makes incorporating strict cybersecurity policies and authentication procedures very difficult, especially if those policies impede daily operations.
- Diagnostic equipment is extremely expensive, and hospitals cannot afford to have their medical devices offline for prolonged periods for maintenance. In some cases, modifying medical device settings or updating the embedded OS voids the device's certification, warranty, and insurance coverage, so medical devices remain untouched.
- Expensive diagnostic equipment is not replaced regularly (sometimes not for decades) as long as it is functioning correctly. These devices and systems may no longer be supported by the vendor, or would be costly to replace. Why replace something if it is not broken?
- Diagnostic equipment manufacturers are responsible for ensuring their equipment meets the HITRUST CSF® guidelines for medical devices. Given that the CSF is regularly updated, older medical devices that are still in use in hospitals may no longer meet the requirements.
- Not all hospitals have a dedicated cybersecurity response team. In most hospitals, the IT staff does double duty: They investigate and mitigate cyberattack incidents, as well as provide general IT services to the hospital. This setup has the critical drawback of spreading resources thin for both functions.
These observations are evident in our major findings. For our research, we searched for exposed devices in hospitals and clinics using Shodan, a search engine for internet-connected devices. We found Digital Imaging and Communications in Medicine (DICOM®) systems exposed to the internet, including those owned by 21 universities. These systems can expose images for procedures such as CT (computed tomography), MRI (magnetic resonance imaging), and PET (positron emission tomography) scans, ultrasound, X-ray, fluoroscopy, angiography, mammography, and endoscopy.
Exposed medical systems potentially jeopardize critical data such as patients’ PII and medical records. The United States has the most exposed DICOM servers according to our findings in Shodan. While a device or system being exposed does not necessarily mean that it is vulnerable, it should not be viewable publicly.
Figure 1. Top 20 countries with DICOM servers exposed
Figure 2. Exposed graphical user interface (GUI) for patient record maintenance containing various PII
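The caveat above, that an exposed DICOM server is not automatically a vulnerable one, raises the practical question of what "exposed" means at the protocol level. The following probe is an added example, not code from the paper or from Trend Micro's research. It hand-encodes a DICOM A-ASSOCIATE-RQ for the Verification SOP Class (the C-ECHO service) and classifies the first PDU the peer returns: an A-ASSOCIATE-AC with an accepted presentation context means any internet host can open an association without credentials or a whitelisted AE title; an A-ASSOCIATE-RJ or A-ABORT means the server at least enforces AE-title or peer restrictions. The calling AE title, the Implementation Class UID, and the host and port are assumptions chosen for illustration; only probe systems you are authorized to test.

```python
import socket
import struct

# UIDs defined in the DICOM standard (PS3.6 / PS3.8)
VERIFICATION_SOP_CLASS = b"1.2.840.10008.1.1"     # C-ECHO ("DICOM ping")
IMPLICIT_VR_LE = b"1.2.840.10008.1.2"             # default transfer syntax
APPLICATION_CONTEXT = b"1.2.840.10008.3.1.1.1"
# Assumption: any syntactically valid UID works for a probe; this one is made up.
IMPL_CLASS_UID = b"1.2.826.0.1.3680043.9.9999.1"


def encode_item(item_type, payload):
    """Encode one PDU item/sub-item: type, reserved byte, 2-byte length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def build_associate_rq(called_ae, calling_ae="PROBE"):
    """Build an A-ASSOCIATE-RQ PDU (PS3.8 9.3.2) proposing Verification SOP Class."""
    called = called_ae.encode().ljust(16)[:16]      # AE titles: 16 bytes, space-padded
    calling = calling_ae.encode().ljust(16)[:16]
    # Presentation context 1: abstract syntax (0x30) + one transfer syntax (0x40)
    pres_ctx = encode_item(0x20, bytes([1, 0, 0, 0])
                           + encode_item(0x30, VERIFICATION_SOP_CLASS)
                           + encode_item(0x40, IMPLICIT_VR_LE))
    # User information: max PDU length (0x51) + implementation class UID (0x52)
    user_info = encode_item(0x50, encode_item(0x51, struct.pack(">I", 16384))
                            + encode_item(0x52, IMPL_CLASS_UID))
    body = (struct.pack(">HH", 1, 0)                # protocol version 1, reserved
            + called + calling + bytes(32)          # reserved 32 bytes
            + encode_item(0x10, APPLICATION_CONTEXT) + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def parse_associate_response(data):
    """Classify the first PDU returned after A-ASSOCIATE-RQ."""
    if len(data) < 6:
        return ("no-response", None)
    pdu_type, _, length = struct.unpack(">BBI", data[:6])
    body = data[6:6 + length]
    if pdu_type == 0x03:                            # A-ASSOCIATE-RJ
        _, result, source, reason = struct.unpack(">BBBB", body[:4])
        return ("rejected", {"result": result, "source": source, "reason": reason})
    if pdu_type == 0x07:                            # A-ABORT
        return ("aborted", None)
    if pdu_type != 0x02:                            # anything but A-ASSOCIATE-AC
        return ("unexpected", {"pdu_type": pdu_type})
    # AC fixed fields: version(2) reserved(2) called(16) calling(16) reserved(32)
    pos, contexts = 68, []
    while pos + 4 <= len(body):
        item_type, _, item_len = struct.unpack(">BBH", body[pos:pos + 4])
        item = body[pos + 4:pos + 4 + item_len]
        if item_type == 0x21 and len(item) >= 4:    # presentation context (AC form)
            ctx_id, _, result, _ = item[:4]         # result 0 = accepted, 1-4 = rejected
            contexts.append((ctx_id, result))
        pos += 4 + item_len
    if any(result == 0 for _, result in contexts):
        return ("accepted", {"contexts": contexts})
    return ("accepted-no-context", {"contexts": contexts})


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def probe_dicom(host, port=104, called_ae="ANY-SCP", timeout=5.0):
    """Connect, send A-ASSOCIATE-RQ, read one PDU, release politely if accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae))
        header = recv_exact(sock, 6)
        if header is None:
            return ("no-response", None)
        _, _, length = struct.unpack(">BBI", header)
        body = recv_exact(sock, length) or b""
        verdict = parse_associate_response(header + body)
        if verdict[0].startswith("accepted"):
            sock.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))   # A-RELEASE-RQ
        return verdict


if __name__ == "__main__":
    # Assumed target for illustration; replace with a host you are authorized to test.
    print(probe_dicom("127.0.0.1", 11112, called_ae="ORTHANC"))
```

A result of `accepted` with a made-up calling AE title is the condition the Shodan findings describe: the server will talk to anyone, and whether C-FIND or C-MOVE then leak studies depends only on the server's configuration. A `rejected` verdict with source 1 and reason 7 ("called AE title not recognized") or reason 3 ("calling AE title not recognized") shows that AE-title filtering is at least in place, though AE titles are not credentials and should be backed by network-level restrictions or TLS.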
We also found exposed electronic medical records (EMRs). But what was more fascinating is how common it was to find pharmacy management software interfaces. This specialized software is used by pharmacies for various integrated management functions such as drug inventory, drug ordering, OTC management, narcotics tracking, patient data, patient prescription history, point-of-sale (PoS) transactions, drug insurance claims, prescriptions and refills, and label printing. We also found a patient scheduling or appointment system that contained the patients’ diagnosis information.
Figure 3. Exposed pharmacy management software GUI
Figure 4. Exposed pharmacy management software GUI
Another aspect of healthcare networks that we explored was threats to the hospital supply chain. Supply chain threats are the risks associated with suppliers of goods and services to healthcare organizations, where a perpetrator can exfiltrate confidential or sensitive information, introduce an unwanted function or design, disrupt daily operations, manipulate data, install malicious software, introduce counterfeit devices, and affect business continuity. In 2016, 30 percent of breaches were due to third-party vendor breaches.
Third-party vendors hold credentials (log-ins, passwords, and badge access) that can be compromised. These vendors may also store physical records, medical devices, and office equipment on the hospital's behalf. Hospitals depend on a robust supply chain to ensure uninterrupted service to patients, so protecting the hospital supply chain against cyberattacks becomes a critical necessity.
To learn more about securing connected hospitals, our Shodan data results, and how we applied the DREAD Threat Model to healthcare, see our paper Securing Connected Hospitals: A Research on Exposed Medical Systems and Supply Chain Risks.