Kaspersky Lab conducted a series of studies designed to demonstrate weaknesses in the protection of the IT infrastructure of modern medical institutions. The motivation was the rapid growth in the number of cyber attacks on hospitals and of malicious hacks of medical equipment. Take a hospital as an example: Kaspersky experts have shown how easy it is to break into the internal networks of a medical institution and gain access to the repository of patients’ personal and clinical data (electronic health records, EHRs).
Note that the hacking of medical equipment is not only a serious threat to the financial condition of a medical organization, but can also pose a substantial threat to the health and even the lives of its patients. After breaking into a hospital’s database, cybercriminals can not only steal confidential and sensitive data, but also falsify the results of a diagnostic study or even change a patient’s treatment plan, which can lead to deterioration of the patient’s condition.
Who is affected?
2016 saw a significant number of incidents involving the hacking of hospitals and medical equipment. For instance, Hollywood Presbyterian Medical Center suffered a serious attack: criminals seized the Medical Center’s main server and demanded a ransom of $3.6 million.
“In the interest of the medical establishment, it was decided to pay a ransom of 40 bitcoin, which is currently estimated at $16,664, to quickly restore our system and administrative functions,” says Allen Stefanek, Head of the Center.
Later, Methodist Hospital reported that its own computer systems had been infected with malware and declared a red alert level. Attackers managed to gain access to the server that stores all of the hospital’s data, including information about patients and financial transactions. In this case, all files were encrypted by the malware. To provide the key to unlock the system, the hackers asked for a ransom of 4 bitcoin, equivalent to approximately $1.6 thousand. Hospital staff had to go back to paper files for the duration of the incident.
In Germany, hackers paralyzed the computer system of a hospital in the city of Neuss. Work with documents was completely blocked. In addition, doctors had to cancel all operations and procedures that rely on digital equipment.
It is worth noting that all of these incidents occurred in the first two months of 2016.
What’s the matter?
According to the study, thousands of medical devices vulnerable to attack can easily be found because they use an insecure Internet connection. Most devices such as MRI scanners, ultrasound machines, cardiac equipment and X-ray installations are full-fledged computers, often running outdated software. Accordingly, such devices carry dozens of unpatched vulnerabilities that allow the system to be compromised remotely with little effort.
Hackers can also connect to the local network of a medical organization directly, for example through poorly protected Wi-Fi. At the same time, within the networks of medical institutions there is rarely any separation of access rights between devices, so cybercriminals who reach one device can easily gain access to any of them.
Sergey Lozhkin, senior antivirus expert at Kaspersky Lab, notes that medical institutions should focus as much as possible on issues of cybersecurity:
“It is sad but true that attacks on medical facilities are being carried out more and more often. This means that the effectiveness of medical technology now largely depends on how reliably it is protected. Security issues are becoming key in the development of medical equipment and need to be addressed at an early stage – protection must be embedded. Companies engaged in information security can help with this. It is important to understand that in the case of medical device security, protection is required against external attacks as well as from inside the local network.”
He stresses that medical equipment manufacturers and hospitals’ IT specialists should pay special attention to cybersecurity, as medical institutions are now among the key targets for cybercriminals.
This year, the world will face an increasing number of attacks on medical facilities, including targeted attacks, ransomware infections, DDoS attacks and even attempts to physically disable medical equipment.
What to do?
It is worth noting that the global industry has finally paid attention to this problem. For example, American experts have already called malware targeting medical devices the biggest cyberthreat of 2016.
The US Food and Drug Administration (FDA) issued a draft guidance that describes the measures to be taken by manufacturers of medical systems to ensure an adequate level of protection against cyber threats, and improve patients’ safety and quality of healthcare in general.
Similar documents should now be developed and implemented in all countries, and medical equipment manufacturers should start removing weakly protected components from their software.