Medicine under fire: why it’s so easy to hack a hospital and what we can do about it

Ransomware continues to threaten many organisations, as well as individuals. To put this into perspective, in 2015 alone, ransomware programs were detected on computers belonging to 753,684 Kaspersky Lab users; and 179,209 computers were targeted by encryption ransomware.

The worrying thing is, it’s not just enterprises and consumers that are being targeted by ransomware – attacks on hospitals are forming a very worrying trend. Even more so when reports suggest that hospitals have actually paid the ransom.

As technology improves, medical equipment is becoming more complex and interconnected, and hospitals are swiftly being filled with these devices. However, cybersecurity has not typically been among the top priorities for medical equipment manufacturers.

> See also: 87% of healthcare organisations are putting patient data at risk

These devices inevitably have security holes; and if there are bugs and vulnerabilities, breaches will continue to happen. Security firm Kaspersky Lab recently highlighted some of these vulnerabilities.

There are ways that the healthcare industry can protect their patients, as well as organisations, but what does the industry need to consider?

Why are hospitals vulnerable and what can go wrong?

You may wonder why hackers would target the healthcare industry and exactly how they would benefit from this.

There are a range of motives for all kinds of cyber-attack, ranging from financial gain, the desire to make a social or political point, cyber-espionage or even, potentially, cyber-terrorism. In the case of medical devices, such an attack could be highly targeted.

For example, altering the dosage or combination of medicines, to cause harm to a specific individual, would in turn damage the reputation of the company who has developed the device or the medication.

What is clear is that hacking the medication process would cause significant disruption and possibly endanger lives. And fixing flaws in medical devices may be far from easy.

For example, with pacemakers, if a vulnerability is found then it may not be possible to roll out a patch, as you could for a smartphone or PC. So it may be very difficult to secure these devices once implanted, as the whole thing may need replacing – a costly and logistically difficult process.

Cyber-criminals can exploit software vulnerabilities to steal patients’ data or infect the network with malware. Hackers can also alter the data in the patients’ electronic health records: turn a healthy person into a sick one or vice versa.

They can change some test results or dose strength – and that can seriously damage patients’ health. It’s also possible to adjust medical devices in the wrong way and thereby break expensive equipment or – once again – hurt the patients who undergo treatment with the help of these machines.

How can the healthcare industry protect its patients?

There are two groups of people who need to be answering this question – the developers of medical equipment and the hospital management boards.

Developers should test their devices for security, search for vulnerabilities and ensure they are all patched in a timely fashion. Meanwhile, management groups should care more about their network security and be certain that no critical infrastructure equipment is connected to any public network. The truth of the matter is that both groups need cyber-security audit checks.

Sadly, all too often it's not until something bad happens that companies take security seriously. But when it comes to risks that could endanger lives, it's essential that security is implemented at the design stage of a product or device – before it's rolled out for public use.

> See also: Why the healthcare industry badly needs a cyber security health check

But more than this, the healthcare industry can protect us from cybercrime by questioning the level of connectivity built into a system. Connectivity offers great convenience, but if it's indiscriminate it also gives hackers the chance to undermine the process.

If connectivity is a must, it should be implemented with security in mind: the device should carefully monitor connections, looking for anything out of the ordinary that might indicate a threat.

The future of healthcare industry hacking

We're on the brink of a world where everything is connected – not just traditional computers, but everyday objects and even humans. This offers great promise, the chance of a bright future that brings with it a better quality of life.

This is true especially in the sensitive areas of healthcare, with sophisticated medical devices enhancing the lives of disabled, sick and the elderly – extending the biological capabilities of our bodies.

However, while all this can improve our lives, we shouldn't ignore the potential downside. Connectivity can be abused and the world of everyday connected objects opens up new attack vectors – not only, as now, threatening our computers, but even our lives.

In recent years, there have been reports of vulnerabilities in several medical implants, such as pacemakers and insulin pumps. It's vital that developers find ways to secure such devices, to ensure that we reap the benefits without putting ourselves at risk.

Sourced from Sergey Lozkhin, Senior Security Researcher, Kaspersky Lab

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data Breach