Cybersecurity Report Finds ‘Healthcare Industry in Turmoil’

Researchers say hospitals rarely address the cyber threats to patient health.
Published: February 25, 2016

A Feb. 23 report outlined a series of glaring hacking vulnerabilities in the healthcare industry and found critical security issues that could threaten patient health.

For the report, Independent Security Evaluators conducted a hands-on analysis of 12 healthcare facilities, two healthcare data facilities, two medical devices and two web applications over two years using a patient health-focused attack model.

Researchers found that remote adversaries like hackers “can easily deploy attacks that target and compromise patient health.” Campus Safety has already reported on incidents where hospitals were the victim of ransomware and medical devices were hacked.

The report identified several industry pitfalls and shortcomings, including lack of executive support, insufficient talent, improper implementations of technology, outdated understanding of adversaries, lack of leadership and a misguided reliance on compliance.

——Article Continues Below——

Get the latest industry news and research delivered directly to your inbox.

“One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective,” the report states.

RELATED: How to Confront the Cybersecurity Challenge

The report also found that the cyber security measures hospitals use often only address unsophisticated adversaries and ignore motivations and strategies that would be used to target specific patients by actors like terrorists, organized crime groups and even countries.

To test the industry’s security, the researcher used different “attack anatomies”  including (1) external attacks to manipulate active medical devices (2)lobby attacks to manipulate medicines/bloodwork workflows (3)electronic health record (HER) system compromise to issue improper treatment and (4) USB stick used to gain network foothold and manipulate medicine distribution, among many other techniques.

Some of these vulnerabilities were the result of a lack of funding and training, while others were due to technical problems like vulnerable network designs. In many cases, the network’s security installations were inappropriate for hospitals or deployed incorrectly.

To illustrate the threats to patient health, the researchers developed the Patient Health Attack Model, which identifies three “attack surfaces” that have direct consequences for patient health. The surfaces are listed below.

Primary attack surfaces:

  • Clinicians
  • Medicine
  • Active Medical Devices (AMD)
  • Surgery

Secondary Attack Surfaces

  • Patient Samples
  • Passive Medical Devices (PMD)
  • Electronic Health Records (EHR)
  • Test Results
  • Work Orders
  • Connected Power
  • Schedules
  • Inventory Systems
  • Sanitary Conditions
  • Procedure Precision
  • Time

Tertiary Attack Surfaces

  • Inventory Systems
  • Climate Controls
  • Environmental Controls
  • Physical Storage
  • Physical Transport
  • Barcode Scanners/ Printers
  • Connected Power
  • Laboratory Equipment
  • Clinicians

Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series