UltraHack: The Security Risks of Medical IoT
IoT devices make our lives easier. Smart home technology, for example, can help users improve energy efficiency by enabling them to turn appliances on and off with the tap of a touchscreen. Likewise, organizations across all industries have also rapidly adopted them to improve operational efficiency. However, in our recent report into Cloud, Mobile and IoT platforms, IoT devices were recently identified as one of the weakest links in an IT network.
Why is this?
- IoT devices are often built on outdated software and legacy operating systems that leave them vulnerable to attack.
- IoT devices are increasingly collecting and storing vast amounts of data which makes them an attractive target for cyber criminals.
- IoT devices serve as an easy entry point for attackers looking to move laterally across an IT network and gain access to more sensitive data. Alternatively, the device could be attacked directly and shut it down to highly disruptive effect.
The healthcare industry is one industry in particular that has moved towards the Internet of Medical Things (IoMT) in a big way. By some estimates, 87% of healthcare organizations will have adopted IoT technologies by the end of 2019 and there will be almost 650 million IoMT devices in use by 2020.
Take ultrasound machines, for example. Ultrasound technology has made huge advancements over recent years to provide patients and doctors alike with detailed and potentially lifesaving information. Unfortunately, though, these advancements have not extended to the IT security environment in which these machines sit, are now connected to and transfer images within.
Check Point Research recently highlighted the dangers this could pose by getting their hands on an ultrasound machine and investigating what takes place under the hood. They discovered the machine’s operating system was Windows 2000, a platform that, like most other IoMT devices, no longer receives patches or updates and thus leaves the entire ultrasound machine and the information it captures vulnerable to attack.
Due to old and well known security gaps in Windows 2000, it was not difficult for our team to exploit one of these vulnerabilities and gain access to the machine’s entire database of patient ultrasound images.
Video Demo of Hacking an Ultrasound machine
The Financial Motivation for Attack
Cyber attacks on hospitals occur on an almost weekly basis. The latest example being that of a ransomware attack on the Melbourne Heart Group which saw the hospital’s data scrambled by hackers and held to ransom. Other significant attacks seen last year include Singapore’s health service, SingHealth, suffering a massive data breach that saw the Prime Minister’s health records stolen followed by 1.4 million patient records stolen from UnityPoint a few weeks later. In addition, May 2017 saw the massively disruptive WannaCry attack that caused 20,000 appointments in the UK’s NHS to be cancelled and over £150 million spent on remedying the attack. Interestingly, it was unpatched Windows systems that lead to such damage.
However, it is primarily not mass disruption that motivates cyber criminals to target the healthcare industry. Due to the vast amounts of personal information that hospitals and other healthcare organizations store and transfer electronically, these institutions make for attractive targets to attack. This valuable data can be used to obtain expensive medical services and prescription medications, as well as to fraudulently acquire government health benefits. It is no wonder then that this information can fetch as high as $60 per record on the Dark Web.
Although there are many articles describing the personal danger of cyber attacks to patients, the financial damage is far more realistic and is what lies at the heart of cyber attacks on the healthcare industry.
According to the Ponemon’s Cost of Data Breach Study, at $408 per health record, the healthcare sector demands the highest cost by far to remedy a data breach. This stands in contrast to the average of $225 per record paid by other organizations. These costs include fees to investigate and repair the damage caused by an attack as well as paying fines or ransoms or any stolen funds themselves. Attacks can also result in a loss of patient records and information as well as cause long-lasting damage to the health institution’s reputation.
The Security Problem
The risk of a cyber attack on healthcare organizations is huge. Such attacks could lead to loss and sharing of personal data, altering a patient’s medical information regarding medicine, dosages, etc and hacking of MRI, ultrasound and x-ray machines in hospitals.
The critical nature of healthcare environments also means that many of those involved in the healthcare process often require immediate access to patients’ data across a large range of devices and applications. As a result,
downtime to update or patch systems is not an option that is easily afforded. In addition, this large range of medical devices from many different manufacturers makes for an IT security manager’s nightmare to not only monitor them but also integrate a security policy that incorporates them all.
From the hospital management’s perspective, downtime to update or patch systems not only affects the operational flow of the hospital itself but can also hit their financial bottom line too. Having spent very large amounts on important healthcare equipment, it is vital that management sees a return on their investment by having that equipment up and running in order to be able to cover their costs through claims from patients’ medical insurance policies.
From a regulatory point of view, the inherent vulnerabilities that come with operating healthcare devices, such as a lack of encryption of sensitive data as well as hard-coded or default login credentials, prevent IT professionals from even implementing security patches, should such patches even exist.
The Secure Solution
The above mentioned security vulnerabilities highlight the importance healthcare organizations must place on their IT security posture. While there are still issues and vagueness when it comes to security protocol standardization across Internet of Medical Things (IoMT) devices, there is still much that healthcare organizations can do to protect their patients’ data.
Healthcare organizations must remain alert to the multiple entry points that exist across their network. There can often be hundreds, if not thousands, of devices connected to the IT network, any one of which containing security vulnerabilities in either the hardware of software used by such devices. Catching every one of these vulnerabilities is impossible, however, so it is essential healthcare organizations have an advanced prevention security solution in place to catch the inevitable attacks that will attempt to exploit these vulnerabilities.
In addition, segmentation can never be overstated. Separating patient data from the rest of the IT network gives healthcare IT professionals a clearer view of network traffic to detect unusual movement that might indicate a breach or compromised IoMT device. Segmentation would also enable these organizations to prevent data stealing or encrypting malware from propagating further across the network and instead isolating the threat.
Finally, segmentation should also apply to healthcare personnel within the organization with access to those systems provided only to those who actually require them to carry out their roles.
Conclusion and Takeaways
The benefits that connected medical devices offer cannot be ignored. They provide patients and healthcare providers with potentially life-saving information and enable an efficient way of handling this information. However, healthcare organizations must be aware of the vulnerabilities that come with these devices that increase their chances of a data breach. Network segmentation is a best practice that allows IT professionals in the healthcare sector the confidence to embrace new digital medical solutions while providing another layer of security to network and data protection, without compromising performance or reliability.
Once best practice cyber hygiene is implemented and enforced, IT security teams can rest assured their patients’ records, and in turn their organizations’ finances and reputation, are safe.