
Cybersecurity Report Finds ‘Healthcare Industry in Turmoil’

Researchers say hospitals rarely address the cyber threats to patient health.

A Feb. 23 report outlined a series of glaring hacking vulnerabilities in the healthcare industry and found critical security issues that could threaten patient health.

For the report, Independent Security Evaluators conducted a hands-on analysis of 12 healthcare facilities, two healthcare data facilities, two medical devices and two web applications over two years using a patient health-focused attack model.

Researchers found that remote adversaries like hackers “can easily deploy attacks that target and compromise patient health.” Campus Safety has already reported on incidents where hospitals were the victims of ransomware and medical devices were hacked.

The report identified several industry pitfalls and shortcomings, including lack of executive support, insufficient talent, improper implementations of technology, outdated understanding of adversaries, lack of leadership and a misguided reliance on compliance.

“One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective,” the report states.

The report also found that the cyber security measures hospitals use often only address unsophisticated adversaries and ignore motivations and strategies that would be used to target specific patients by actors like terrorists, organized crime groups and even countries.

To test the industry’s security, the researchers used different “attack anatomies,” including (1) external attacks to manipulate active medical devices, (2) lobby attacks to manipulate medicines/bloodwork workflows, (3) electronic health record (EHR) system compromise to issue improper treatment and (4) a USB stick used to gain a network foothold and manipulate medicine distribution, among many other techniques.

Some of these vulnerabilities were the result of a lack of funding and training, while others were due to technical problems like vulnerable network designs. In many cases, the network’s security installations were inappropriate for hospitals or deployed incorrectly.

To illustrate the threats to patient health, the researchers developed the Patient Health Attack Model, which identifies three “attack surfaces” that have direct consequences for patient health. The surfaces are listed below.

Primary Attack Surfaces

  • Clinicians
  • Medicine
  • Active Medical Devices (AMD)
  • Surgery

Secondary Attack Surfaces

  • Patient Samples
  • Passive Medical Devices (PMD)
  • Electronic Health Records (EHR)
  • Test Results
  • Work Orders
  • Connected Power
  • Schedules
  • Inventory Systems
  • Sanitary Conditions
  • Procedure Precision
  • Time

Tertiary Attack Surfaces

  • Inventory Systems
  • Climate Controls
  • Environmental Controls
  • Physical Storage
  • Physical Transport
  • Barcode Scanners/Printers
  • Connected Power
  • Laboratory Equipment
  • Clinicians

About the Author

Zach Winn is a journalist living in the Boston area. He was previously a reporter for Wicked Local and graduated from Keene State College in 2014, earning a Bachelor’s Degree in journalism and minoring in political science.
