Barely a day goes by when the news isn’t haunted by a cyber attack. Between Sony, Carphone Warehouse and Ashley Madison, the past year has had an astounding number of high-profile attacks that have compromised significant amounts of sensitive data.
The healthcare sector is no stranger to cyber attacks. The Community Health Systems (CHS) breach earlier this year showed how Chinese cyber-military units are targeting healthcare providers to commit cyber-espionage for information on pharmaceutical trials and medical devices.
Other cybercriminals are stealing individuals’ health information and then selling it on the black market either to enable health insurance fraud or to blackmail people.
While the NHS and UK-based private healthcare providers have yet to face a hack on the scale of the CHS breach, the Information Commissioner's Office reported last December that breaches in Britain's healthcare sector had doubled compared with those reported in 2013.
Veracode's own research into NHS hospitals' and trusts' cyber security spending found that many have significantly increased their spending in recent years: Yeovil District Hospital NHS Foundation Trust, for example, has increased its cyber security spending fivefold over the past two years.
But the number of cyber security challenges that hospitals face is growing rapidly.
The diagnosis for hospitals
Hospitals have an increasing number of internet-enabled devices, all of which are hackable end points. And the vast developments in healthcare Internet of Things (IoT) devices have presented an even greater challenge and responsibility to the cyber security industry.
Some connected devices, when infiltrated by a malicious agent, now pose a threat to people’s personal health and safety.
Earlier this summer, the potential threat of connected devices used in healthcare was brought to light after independent cyber security researcher Billy Rios announced that hospital drug pumps produced by Hospira, a leading medical supplier in the US, could be hacked due to vulnerabilities.
In a blog post, he explained that he had found that drug library updates could be pushed to the pumps remotely. The drug library holds the lower and upper limits on the dose of a medicine that a patient can safely receive, so a remote change to it alters the pump's safety limits.
This led the US Food and Drug Administration (FDA) to take the unprecedented step of strongly discouraging hospitals from using this brand of drug pump over fears of hacking.
This case demonstrates the significant threat that connected devices pose to patient care if they are infiltrated by a malicious agent. Hospitals now have a lot more cyber threats to grapple with – it’s no longer just data but lives on the line.
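To make the failure mode concrete, the following added example (written for this article, not code from Hospira, Billy Rios or Veracode, and not a description of the actual pump protocol) contrasts a pump that installs whatever drug library arrives over the network with one that authenticates the update, refuses rollback to an older library, and keeps every limit inside a hard-coded safety envelope. The drug names, bounds, shared key and update messages are all constructed for the example; the HMAC shared key stands in for what a real design would do with an asymmetric signature, so that a key pulled out of one pump cannot be used to sign updates for others.

```python
import hashlib
import hmac
import json

# Constructed example values: an illustrative hard-coded safety envelope the pump
# firmware ships with (units and numbers made up for this example), a shared key,
# and a currently installed library. None of these come from any real device.
HARD_BOUNDS = {
    "morphine_mg_per_h": (0.0, 10.0),
    "heparin_units_per_h": (0.0, 2000.0),
}
SAMPLE_KEY = b"constructed-shared-key-for-example-only"
CURRENT_LIBRARY = {"version": 3, "limits": {"morphine_mg_per_h": [0.5, 4.0]}}


class UpdateRejected(Exception):
    """Raised when a drug library update fails authentication or validation."""


def sign_update(update_bytes, key):
    """Tag an update with HMAC-SHA256 (hypothetical stand-in for an asymmetric signature)."""
    return hmac.new(key, update_bytes, hashlib.sha256).hexdigest()


def apply_update_unauthenticated(current, update_bytes):
    """The failure mode: anything that arrives over the network becomes the library."""
    return json.loads(update_bytes)


def apply_update_authenticated(current, update_bytes, signature_hex, key,
                               hard_bounds=HARD_BOUNDS):
    """Accept an update only if it is authentic, newer, and inside the safety envelope."""
    # 1. Authenticate before parsing, so unauthenticated bytes never reach the JSON parser.
    expected = hmac.new(key, update_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature_hex):
        raise UpdateRejected("signature does not verify")
    update = json.loads(update_bytes)

    # 2. Anti-rollback: a replayed old (validly signed) library must not win.
    version = update.get("version")
    if not isinstance(version, int) or version <= current.get("version", 0):
        raise UpdateRejected("update is not newer than the installed library")

    # 3. Every limit must be a sane numeric range inside the fixed envelope;
    #    unknown drugs are rejected rather than silently accepted.
    limits = update.get("limits")
    if not isinstance(limits, dict):
        raise UpdateRejected("missing limits")
    for drug, rng in limits.items():
        if drug not in hard_bounds:
            raise UpdateRejected(f"unknown drug {drug!r}")
        if (not isinstance(rng, list) or len(rng) != 2
                or not all(isinstance(x, (int, float)) and not isinstance(x, bool) for x in rng)):
            raise UpdateRejected(f"malformed range for {drug!r}")
        low, high = rng
        hard_low, hard_high = hard_bounds[drug]
        if not (hard_low <= low <= high <= hard_high):
            raise UpdateRejected(f"{drug!r} range {rng} outside envelope {hard_bounds[drug]}")
    return {"version": version, "limits": limits}


def demo():
    """Run both paths on a constructed genuine update and a constructed hostile one."""
    good = json.dumps({"version": 4, "limits": {"morphine_mg_per_h": [0.5, 5.0]}}).encode()
    hostile = json.dumps({"version": 4, "limits": {"morphine_mg_per_h": [0.0, 500.0]}}).encode()
    results = {}
    # Unauthenticated path: the hostile library is installed without complaint.
    results["unauth_installs_hostile"] = (
        apply_update_unauthenticated(CURRENT_LIBRARY, hostile)["limits"]["morphine_mg_per_h"]
        == [0.0, 500.0])
    # Authenticated path, genuine update: accepted.
    results["auth_accepts_good"] = (
        apply_update_authenticated(CURRENT_LIBRARY, good, sign_update(good, SAMPLE_KEY),
                                   SAMPLE_KEY)["version"] == 4)
    # Hostile update without the key: forged tag, rejected before parsing.
    try:
        apply_update_authenticated(CURRENT_LIBRARY, hostile, "00" * 32, SAMPLE_KEY)
        results["auth_rejects_forged"] = False
    except UpdateRejected:
        results["auth_rejects_forged"] = True
    # Even a correctly signed update cannot push a limit outside the envelope.
    try:
        apply_update_authenticated(CURRENT_LIBRARY, hostile, sign_update(hostile, SAMPLE_KEY),
                                   SAMPLE_KEY)
        results["auth_rejects_out_of_envelope"] = False
    except UpdateRejected:
        results["auth_rejects_out_of_envelope"] = True
    # Replay of the already-installed (validly signed) version is refused.
    stale = json.dumps(CURRENT_LIBRARY).encode()
    try:
        apply_update_authenticated(CURRENT_LIBRARY, stale, sign_update(stale, SAMPLE_KEY),
                                   SAMPLE_KEY)
        results["auth_rejects_replay"] = False
    except UpdateRejected:
        results["auth_rejects_replay"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The order of the checks matters: authentication comes first so that an attacker who cannot produce a valid tag never exercises the parser, and the envelope check comes last so that even a compromised or careless signing workflow cannot set a limit the firmware should never honour.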
The symptoms of bad security
It isn't just connected devices in hospitals that pose a threat to our physical wellbeing. Veracode's recent research into the security of consumer IoT devices demonstrated the dangers that some devices pose, with a few of the products tested having the potential to facilitate physical intrusion of users' homes and stalking.
For example, data exfiltrated from the Ubi could tell cybercriminals exactly when to expect a user to be home, based on when ambient noise or light in the room increases, which could facilitate a robbery, or even stalking in the case of a celebrity or an angry ex.
The research found that designers tend not to focus enough on security and privacy, and as a result are putting consumers at risk of a cyber attack or physical intrusion. Whilst for consumer devices this may be less surprising given the short lifespan of these devices, such negligence is beyond unacceptable for healthcare devices.
What is most worrying about the Hospira drug pump case is not that this vulnerability exists, but that it has been claimed that the security flaw had still not been fixed when it was announced to the press – despite Hospira having been made aware a year earlier.
An infected limb is not left to fester at risk to the health of the rest of the body – nor can a vulnerability be left in place, jeopardising the data a device collects or the device's function. When known vulnerabilities are left at large, it is pure negligence on the part of the device producer.
Innovation and discovery have always been at the heart of medicine. Mistakes have been made along the way, but those learned from have resulted in better procedures and medication. In the same way, we must learn from cases like the Hospira drug pump and ensure that future connected healthcare devices are built with security in mind.
It is essential that IoT security is looked at holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built with security as a default.
Security can’t be treated as a bolt-on, or we will not only put our sensitive information on the line, but also leave ourselves open to physical harm.
Sourced from Chris Wysopal, CTO, Veracode