While ransomware attacks on hospitals have caught the headlines, medical device security and supply chain risk should be of greater concern to healthcare providers, according to a recent report by Trend Micro and HITRUST entitled Securing Connected Hospitals.
Researchers at Trend Micro analyzed internet-connected medical devices and systems using the Shodan search engine and found many that were viewable publicly.
Hospitals and clinics leave devices and systems exposed online because infrastructure is incorrectly configured, because an internet connection is required for the device or system to function, and/or because remote access is needed for remote troubleshooting or remote operations.
The report noted that exposed devices and systems could be used by cybercriminals to penetrate networks, steal data, run botnets, and install ransomware.
The types of exposed data and assets that the researchers were able to locate using the Shodan search engine included medical images, protocols, databases, industrial controllers, and healthcare systems software.
“Since an exposed device is reachable and visible to the public, attackers can take advantage of the available information about the machine either via Shodan or by directly profiling the machine using a variety of network tools such as nmap in order to collect information on the device (including the potential vulnerabilities of the said device) and use that information to mount an attack on it,” the report explained.
“Threat actors could get access to sensitive data, including webcam feeds; use access to move laterally through the network to commit espionage, sabotage or fraud; or compromise exposed cyber assets to launch DDoS [distributed denial of service] attacks, become part of botnets, host illegal data, or hold hostage for ransom. Furthermore, cyber assets that operate critical infrastructure can jeopardize public safety if compromised,” report authors added.
By exploiting healthcare systems software, hackers could gain access to critical and sensitive healthcare data, including protected health information (PHI). They could either steal the information and sell it on the black market or encrypt it and demand a ransom for the decryption key.
The researchers found electronic medical records (EMRs), electronic health records (EHRs), and pharmacy management software exposed on the internet.
“Threats against hospital information systems, like DDoS, vulnerability exploitation, and malware infection, are high risk because they directly impact all hospital users and are easy to implement given the systems are typically off-the-shelf platforms,” the report warned.
In addition, hospitals are being breached through vulnerabilities in their supply chain, particularly their third-party vendors. In fact, 30 percent of all breaches reported to HHS were due to security missteps by business associates and third-party vendors, the report noted.
The report detailed areas of concern for hospital supply chains: medical product, medicine, and supplies manufacturers; distribution centers; shipping and transportation companies; supplier, vendor, contractor, or hospital staff; mobile health apps; and outdated and unpatched medical equipment firmware.
The report recommended that hospitals and other healthcare providers employ the National Institute of Standards and Technology’s Cybersecurity Framework to help reduce supply chain risk. Section 3.3 includes terminology that organizations can use to communicate security requirements to supply chain participants.
The report also recommended that hospitals put several security measures in place: network segmentation, firewalls, unified threat management gateways, anti-malware and anti-phishing software, breach detection systems, intrusion prevention and detection systems, data encryption, patch management, vulnerability scanners, deception technologies, and Shodan scanning.
In addition, IT staff should be well trained and provided with sufficient resources to defend the organization, an incident response protocol should be put in place, and all employees should receive training to recognize and avoid social engineering attacks.
“Healthcare IT teams must understand that, in order to cover these weaknesses in the supply chain, they must establish a strategy that identifies all the third parties that the hospital or clinic directly interacts with and regularly review these relationships based on pre-established risk-based standards, making recommendations or terminating use of their services if necessary,” the report advised.
“Cybersecurity should be given adequate priority by hospital administration and IT teams as it is unacceptable for patients’ health to be jeopardized by the actions of profiteering and/or malicious hackers,” the report concluded.