Health Care Cybersecurity Hits Tipping Point

Once, the possibility of adversaries targeting medical devices seemed almost like a fairy tale. Sure, bogeymen could wreak havoc by targeting, say, networked hospital devices or utilities’ computers, but such possibilities seemed better suited for television plots than anything else.  

But a risk of health care cybersecurity began to grow harder to ignore roughly a decade ago when a string of researchers began to warn that a number of medical devices were vulnerable to cyber sabotage. In 2008, Kevin Fu, then an associate professor at the University of Massachusetts Amherst, demonstrated that pacemakers and implantable cardiac defibrillators were vulnerable to software radio-based attacks. In 2011, white hat hackers Jay Radcliffe and Barnaby Jack demonstrated vulnerabilities in a popular insulin pump model. A year later, Jack showed the feasibility of a pacemaker attack made famous in the Showtime series “Homeland,” while many insulin pump wearers took to hacking insulin pumps and continuous glucose monitors to enable new functionality.  

But at that same time, nation-state and terrorist organizations began to pay closer attention to health care and critical infrastructure as potential targets from a cyber warfare perspective, said Anura Fernando, chief innovation architect, medical systems interoperability and security at UL. In addition, organized crime is looking to health care and critical infrastructure for monetary gain for ransomware attacks. 

[IoT World is the global conference and exhibition that puts IoT, AI, 5G and Edge into action across industry verticals.]

And more recently, a growing number of hospitals have been targeted in ransomware campaigns, with some of them forced to delay patient care. Some institutions, such as the United Kingdom’s National Health Service, have inadvertently been swept up in broader ransomware attacks, such as WannaCry, which forced the institution to cancel 19,000 appointments. 

Fernando warns of the possibility that a terrorist organization could combine a cyberattack on health care infrastructure with a separate physical attack. In such an event, treatment of casualties from, say, a car bombing could be disrupted by a coordinated cybercampaign targeting nearby hospitals. Such an attack “could have much more devastating effects than it would if the health care system were operating properly,” Fernando said. 

Justin Fier, Darktrace’s director for cyber intelligence, said health care cybersecurity has reached a tipping point where breaches have begun to negatively impact patient care. The introduction of 5G could accelerate that trend. Fier said: “The question is: Are we as an industry even prepared for this 5G phenomenon, which is going to add connectivity to devices we never even thought connectivity would exist in?” 

Even before 5G becomes mainstream, there has been an uptick in the use of IT and IoT technology in health care in the United States was the 2009 American Recovery and Reinvestment Act along with efforts from the Office of the National Coordinator for Health Information Technology, Fernando said. At that time, there was a concerted push to deploy emerging technology to address health care’s biggest challenges. The top goals included reducing health care costs as well as improving the treatment of the elderly and those who weren’t close to health care providers. “All of those things accelerated the propagation of software-based and network-connectable healthcare technologies into this space,” Fernando said. And that, in turn, led to an increased attack surface. 

It’s perhaps not surprising then that attackers are taking advantage of the situation to attack everything from hospital workstations to CT machines. “One of our clients shut the entire wing down just because we found a number of open ports on [CT machines],” Fier said. Because the machines were connected to the patient network, an attacker who gained access to a CT machine could gain access to personally identifiable information. 

Hospitals have some of the most-difficult IoT infrastructure to manage from a security perspective because a significant number of devices are mobile. And then, a hospital is more difficult to physically secure than, say, a manufacturing plant. “That is something to think about in public institutions,” Fier said. “People are walking the halls who aren’t necessarily vetted.” Attackers in such a medical environment would likely have a plethora of soft targets ranging from unsecured networks to medical devices with open USB ports. “And then, of course, many hospitals are still utilizing FTP — File Transfer Protocol,” Fier said. He routinely shows customers in the health care industry how many physicians send out data using a non-HIPAA compliant transmission with patient information in the file name. “And that’s a scary thought when you think of nation-state access, scooping up the entire internet, you know, and looking at that data,” Fier said.  

While regulators, device makers and hospital IT staff have all made cybersecurity a priority, the health care landscape will likely continue to be an attractive target for cybercriminals, nation-states and other threat actors. “Contrary to what the U.S. government says about ‘not negotiating with terrorists,’ [employees in medical institutions] don’t necessarily have that choice,” Fier said. 

In terms of ransomware attacks directed at health care targets, the situation pressures hospitals to pay the ransom. “As long as they’re paying the ransom, [ransomware] is not going anywhere, anytime soon,” Fier said. 

If anything, trends popular in mainstream IT, such as the open-source movement and machine learning, could make ransomware more challenging to defeat. For one thing, the open-source ethos among cybercriminals has lowered the bar for attackers. The Mirai botnet of 2016, which shut down a portion of the internet, has given rise to a long list of variants thanks to its creators’ decision to make its source code available online. 

The same principle is at work with ransomware. “It doesn’t necessarily need to be a nation-state or APT that’s [behind ransomware],” Fier said. A lot of the libraries out there to do this stuff for open source. Now, you don’t have to be a major computing power to accomplish this anymore.” 

As far as machine learning and related technologies are concerned, Fier predicts cybercriminals to leverage chatbots for ransomware-related customer service operations. Criminals behind ransomware operations have provided professional customer service to aid victims in buying cryptocurrency. The use of “1-800 number help desk lines is a major security footprint for attackers,” Fier said. “I think you’re going to start to see them moving off of that model toward more of the natural language processing.” 

There are also signs that spammers are drawing on machine learning and natural language processing to make spam emails look more plausible. “We already see signs of that.” 

Fier also anticipates ransomware will ultimately spill over to the IoT realm. “What happens when a hospital gets attacked, but instead of hitting all the terminals, [attackers] only hit the IV pumps?” he asked. In such a scenario, a hospital would be coerced to pay a ransom quickly. “I think you’re going to start to see the ransomware get even more targeted than it already is,” he added. 

Such targeted attacks, within and outside of health care, are likely to be designed to inflict the greatest amount of inconvenience possible to accelerate their victim’s ransom payment. “I think ransomware is going to move into the residential space where you’ll come home after a long day of work, and your thermostat or your door locks are going to be locked out,” Fier said. 

“I think we’ve only seen the tip of the iceberg on the ransomware phenomenon,” he concluded. “As long as it’s profitable, I think you’re going to continue to see it grow and morph and change and become more and more advanced.”