“My computer network has come under attack”. It seems that almost every week a medical institution issues a statement to the effect that hackers tried to dig into its IT systems. Most of the time, they were successful. If you think your IT admin can solve the problem by setting up a proper firewall, you need to think twice.
One of the main entry points for hackers is medical devices, not IT equipment.
The cyber threat is so real that in July, for the very first time, the FDA asked hospitals to stop using an infusion system for cybersecurity reasons. According to the agency, “Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.”
— FDA Medical Devices (@FDADeviceInfo) July 31, 2015
To understand why and how medical equipment is under attack, we interviewed Greg Enriquez, CEO of TrapX, a cybersecurity company that studied this specific problem.
MedicalExpo e-magazine: How did you identify infected equipment in hospitals?
Greg Enriquez: We use deception technology. TrapX is an advanced cyberthreat solution identifying if people are attacking your network. What we do is that we set up a fake network, with fake devices, and we put these fake systems in hospitals.
An Infected Blood Gas Analyzer
ME: And they were attacked?
GE: Oh yes. And equipment served as the main entry point for malware. Most of the time, hospitals think their medical devices are secluded, but most of the time it’s far from being true. We had, for example, a blood gas analyzer infected by malware granting full access to patient data.
With our system we can also identify information exiting the hospital network. This information is what attackers are looking for.
ME: Why are hackers specifically looking for medical data? What can they do with it?
GE: For their value. Because they have an expiry date and because they become useless as soon as users notice something is going wrong with payments, credit card data are much less interesting.
Medical data are lasting, personally identifiable information. As of today, medical data are 50 times more valuable for hackers than credit data.
One Security Hole Can Be Used by Many
ME: How risky is it to have malware in your hospital? Are there known health issues?
GE: I have personally not heard about a single health incident due to cybersecurity.
There are various kinds of malware, and they do not pose the same level of risk. There is commodity malware, a sort of sleeping threat. There are botnets. And there is malware made to be directly used by the attackers.
Now, what you need to have in mind is that, once a network has been infected with malware, this security hole can be used by many. Someone may be trading unauthorized access to your network.
ME: What kind of countermeasures can be implemented?
GE: You need to separate networks. That may seem obvious but we’ve seen a lot of medical institutions where it’s not the case. For example, an Internet administrator had access to all the medical devices.
That said, the first thing you need to do is to create good relationships with medical device providers. There is still work to do on their side but they seem to understand the importance of cybersecurity.