BreachExchange mailing list archives

Lack of cybersecurity draws hackers to hospitals


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Tue, 15 Dec 2015 20:55:25 -0600

http://gulfnews.com/gn-focus/special-reports/health/lack-of-cybersecurity-draws-hackers-to-hospitals-1.1637783

Imagine if simply typing "password123" into a computer did not open your
email account, but an internet-connected medical device responsible for
feeding you drugs or monitoring your blood oxygen or insulin levels.

It may sound like the nightmare stuff of fiction, but the lack of basic
cybersecurity on hospital equipment is attracting hackers who want to use
them as a way to enter medical networks. Experts say that while they have
not yet seen someone die as a result of hacking, the risks are growing.
Motives for attacks could range from wanting to harvest patient information
or stealing intellectual property from medical trials to simply wanting to
create chaos.

*The diagnosis*

Devices with default passwords that are left unchanged, and outdated
operating systems that are connected to the network, such as medical
databases, are all too common in health care, says Greg Enriquez, chief
executive of TrapX, the cybersecurity company that works with hospitals
around the world.

The company has found security flaws in a blood gas analyser, a medical
image system and radiology equipment. "We have found active malware,
different strains of malware, we even found [non-activated] ransomware on
one medical device [which could give the hacker the ability to prevent the
device from working when it is in use]," Enriquez says.

With PwC, the professional services firm, forecasting that the market for
internet-connected healthcare products will be worth about $285bn by 2020,
the security of medical devices is becoming a priority for manufacturers,
hospitals and patients.

Regulators are also paying attention. The US Food and Drug Administration,
the US regulator that has oversight of medical devices and approves their
use, issued its first warning this year that a device could be tampered
with by hackers.

*The cure*

The FDA strongly encouraged health care facilities to stop using the
Hospira Symbiq infusion pump used to give drugs and pain medication, even
though there had not been any reports of criminals accessing the device.
Hospira removed the pump from the market and said it has strengthened cyber
security on new pumps it is developing.

The FDA has also been running workshops for manufacturers - the next one is
in January - to push for "a total product life-cycle approach, from design
to obsolescence", says Suzanne Schwartz, a director at the Center for
Devices and Radiological Health at the FDA.

"This means building security early on in the design phase, addressing
security in the premarket submission for new products, and ongoing
post-market surveillance with proactive vulnerability management," Dr
Schwartz says.

"The reality is that bad actors intentionally look for ways to overcome
cyber-security safeguards, so we always work to stay one step ahead and to
take aggressive steps to stop this criminal behaviour," she adds.

Wes Weinberg, a researcher at Synack, a cyber security company, says: "To
me, it is a sector very much like the critical infrastructure industry,
with a few major manufacturers and a lot of devices. So really it is just
now a waiting game [until some are hacked]."

Mr Weinberg believes hospitals are in a powerful position to force change
in the industry because device manufacturers will only spend the time and
effort on providing what their customers want.

How hospitals and other medical providers use devices and connect them to
networks will also affect how tempting they are to hackers.

Rick Judy, a principal in PwC's health industries advisory practice, says
as the vulnerabilities in these devices are "significant" and "pervasive",
the question is how many criminals have a strong motive to attack them.

He says that everyone, from the hospital IT department to doctors and
nurses on the wards, needs to learn how complex and accessible the software
on medical devices has become.

"Each provider needs to carefully examine for themselves what types of risk
are being brought in by new devices. They will have to give careful
consideration to making sure they are kept up to date, behind firewalls and
in networks segmented off from key medical and personnel data," he says.
"They will also have to make sure these devices don't have simple default
passwords."

- *Financial Times*
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss