IoT Security: Medical Devices Are the Next Target for Hackers

Up until now, healthcare cyber security has been focused on protecting patient data, ensuring HIPAA compliance, and, more recently, protecting systems from ransomware attacks. However, as healthcare technology advances, a new threat is emerging: the potential for hackers to attack smart medical devices such as insulin pumps and pacemakers. If IoT security is not taken seriously, innovation will be stunted and, in the case of healthcare, lives will be lost.

What is the Internet of Things?

The Internet of Things (IoT) refers to the growing number of “smart,” internet-connected devices that are infiltrating every part of our lives, such as fitness wearables, smart TVs, connected cars, smart thermostats, and even smart buildings. Business Insider estimates that over the next five years, $6 trillion will be spent developing IoT technology, and by 2020, 24 billion IoT devices will be in use.


The healthcare industry, which has historically been slow to implement new IT technology, has enthusiastically embraced IoT devices, which can be wearable (such as a fitness monitor) or implantable (such as an insulin pump). Allied Market Research predicts that the world IoT healthcare market will reach $136.8 billion by 2021, more than doubling its $60.4 billion value in 2014.

Despite this rapid growth, IoT security is severely lacking. IoT devices may be smart, but they have far weaker security controls than regular computers. IoT passwords are often hard-coded and freely available online, and some devices are very difficult to patch or update. There are myriad device manufacturers, with more entering the market every day, but no common security controls or best practices, and no procedures to track devices as they move through the supply chain from the manufacturer to the end user. The result is IoT devices with numerous vulnerabilities that are just waiting to be exploited.

IoT security vulnerabilities aren’t purely hypothetical. Recently, cyber security experts demonstrated how Nest’s smart thermostat and Ring’s smart doorbell could be breached and turned into entry points into a home network. (Ring’s manufacturer has since issued a firmware update to address the vulnerability.) While there have been no reported attacks involving either device, logically, it’s only a matter of time before an IoT device is targeted.

And if hackers can get into thermostats and home security devices, why couldn’t they breach a pacemaker or an insulin pump? Especially since someone has already done it.

Healthcare IoT Security: The Next Ransomware Threat

As we’ve reported in previous blogs, the healthcare industry has suffered from a number of major ransomware attacks in the past few months, beginning in February, when Hollywood Presbyterian Hospital, after being locked out of their system for a week, paid hackers the equivalent of $17,000.00 in Bitcoin to get back in. Some security experts feel that by caving in and paying up, the hospital inadvertently proved to hackers that using ransomware to attack healthcare facilities means fast money. If a hospital will part with large sums of money to get back into its computer system, how much would a patient be willing to pay to keep a life-sustaining medical device working?

Again, such a scenario is not hypothetical. TechTarget reports that two patients in a hospital in Austria figured out how to hack into their own medication infusion pumps because they felt their pain was not being managed properly. Frighteningly, to get in, the patients simply went online, looked up the hard-coded passwords for their pumps, then used them to log in and adjust their doses. The patients ended up overdosing and suffering respiratory problems.

If a layperson with no computer science training can manage to figure out how to hack into an IoT medical device, imagine what a money-motivated hacker with advanced technical skills could accomplish. A hacker could access a pacemaker or an insulin pump, begin draining the battery, and refuse to stop until the victim pays a ransom. The only obstacle would be determining how to deliver the ransom demand to the victim, but with reams of personal information easily available online, it would not be difficult for a hacker to obtain a victim’s mobile phone number or email address and use these to deliver the ransom demand.

What Can Healthcare Providers Do to Protect Patients?

The recent ransomware attacks on medical facilities have proven that hackers have no regard for human life and are fully willing to put fragile patients at risk in their quest to make a quick buck. The healthcare industry needs to take IoT security every bit as seriously as other forms of cyber security, and industry leaders must put pressure on IoT device manufacturers to establish security controls and best practices, such as eliminating hard-coded passwords and ensuring that IoT devices are as easy to patch and update as computers and mobile phones.
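As an added illustration (not code from Continuum GRC or any device vendor), the hard-coded password pattern described above beside a per-device alternative: each unit gets its own randomly generated secret at deployment, stores only a salted hash of it, accepts nothing until provisioned, and locks after repeated failures. The factory password and serial numbers are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets

FACTORY_PASSWORD = "example-factory-default"   # constructed placeholder value

def login_hardcoded(password):
    """Vulnerable: one password shared by every unit; whoever finds it once opens all of them."""
    return password == FACTORY_PASSWORD

def _hash(password, salt):
    # PBKDF2 so a dumped flash image does not yield the secret directly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DeviceAuth:
    """Hardened: a unique secret per unit, stored only as a salted hash, with lockout."""
    MAX_FAILURES = 5

    def __init__(self, serial):
        self.serial, self.failures, self.locked = serial, 0, False
        self.salt, self.pw_hash = os.urandom(16), None   # None: not yet provisioned

    def provision(self):
        """Run once at deployment; returns the per-unit secret for the clinic's record."""
        secret = secrets.token_urlsafe(16)
        self.salt = os.urandom(16)
        self.pw_hash = _hash(secret, self.salt)
        return secret

    def login(self, password):
        if self.locked or self.pw_hash is None:     # unprovisioned units accept nothing
            return False
        ok = hmac.compare_digest(_hash(password, self.salt), self.pw_hash)
        self.failures = 0 if ok else self.failures + 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True                      # needs an on-site reset, not another retry
        return ok
```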

Healthcare facilities can take proactive security measures right now by developing a robust information security policy that includes security awareness among all healthcare personnel and, on the technical side, continuous monitoring of systems, so that baseline user patterns can be established and deviations that may indicate an attack can be detected.

In addition to establishing an internal culture of security awareness, implementing a solid security plan, and monitoring systems for suspicious activity, it’s a good idea for healthcare facilities to enlist the services of a professional cyber security firm such as Continuum GRC. The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your healthcare organization from attacks. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help you protect your facility from ransomware attacks and data breaches.


    Ransomware Attacks Show that Healthcare Must Take Cybersecurity Seriously

    In a previous blog, we provided a primer on HIPAA compliance and discussed the importance of complying with this complex federal law, which is geared toward protecting patients’ private health information (PHI). While healthcare providers and healthcare industry vendors cannot afford to ignore HIPAA, a new threat has emerged and is poised to become much bigger: ransomware attacks on hospitals and healthcare providers that are not seeking to breach patient information but instead render it inaccessible until the organization pays a hefty ransom.


    In just the past few weeks, the following major ransomware attacks on healthcare facilities have occurred:

    • In February 2016, hackers used a piece of ransomware called Locky to attack Hollywood Presbyterian Medical Center in Los Angeles, rendering the organization’s computers inoperable. After a week, the hospital gave in to the hackers’ demands and paid a $17,000.00 Bitcoin ransom for the key to unlock their computers.
    • In early March 2016, Methodist Hospital in Henderson, Kentucky, was also attacked using Locky ransomware. Instead of paying the ransom, the organization restored the data from backups. However, the hospital was forced to declare a “state of emergency” that lasted for approximately three days.
    • In late March, MedStar Health, which operates 10 hospitals and over 250 outpatient clinics in the Maryland/DC area, fell victim to a ransomware attack. The organization immediately shut down its network to prevent the attack from spreading and began to gradually restore data from backups. Although MedStar’s hospitals and clinics remained open, employees were unable to access email or electronic health records, and patients were unable to make appointments online; everything had to go back to paper.

    Likely, this is only the beginning. A recent study by the Health Information Trust Alliance found that 52% of U.S. hospitals’ systems were infected by malicious software.

    What is ransomware?

    Ransomware is malware that renders a system inoperable (in essence, holding it hostage) until a ransom fee (usually demanded in Bitcoin) is paid to the hacker, who then provides a key to unlock the system. As opposed to many other forms of cyber attacks, which usually seek to access the data on a system (such as credit card information and Social Security numbers), ransomware simply locks the data down.

    Hackers usually employ social engineering techniques – such as phishing emails and free software downloads – to get ransomware onto a system. Only one workstation needs to be infected for ransomware to work; once the ransomware has infected a single workstation, it traverses the targeted organization’s network, encrypting files on both mapped and unmapped network drives. Given enough time, it may even reach an organization’s backup files – making it impossible to restore the system using backups, as Methodist Hospital and MedStar did.
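    As an added example (not the post's own code), the continuous-monitoring idea from the first post applied to the propagation just described: per-user baseline rates of file writes on network shares are learned from an ordinary hour of audit lines, and a burst of renames across several shares inside one minute is flagged. The audit lines, user names and share names are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SHARES = ["charts", "billing", "backups"]
ENCRYPT_OPS = {"WRITE", "RENAME"}

def _lines(user, start, n, step_s, op="WRITE"):
    """Build constructed audit lines of the form '<ISO time> <user> <op> <UNC path>'."""
    return [f"{(start + timedelta(seconds=i * step_s)).isoformat()} {user} {op} "
            f"\\\\fs01\\{SHARES[i % 3]}\\doc{i}.docx" for i in range(n)]

# Baseline hour (constructed): two users, each saving one document every ten minutes.
T0 = datetime(2016, 3, 1, 9, 0, 0)
BASELINE_LOG = sorted(_lines("nurse01", T0, 6, 600) + _lines("nurse02", T0, 6, 600))
# Live hour (constructed): nurse01 stays normal; nurse02's workstation starts renaming
# files across three shares once per second, the pattern of mass encryption.
T1 = datetime(2016, 3, 1, 10, 0, 0)
LIVE_LOG = sorted(_lines("nurse01", T1, 6, 600) + _lines("nurse02", T1, 3, 600)
                  + _lines("nurse02", T1 + timedelta(minutes=30), 30, 1, op="RENAME"))

def parse(line):
    ts, user, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, op, path

def baseline_rates(lines):
    """Per-user average write/rename operations per minute over the baseline period."""
    counts, first, last = defaultdict(int), {}, {}
    for ts, user, op, _ in map(parse, lines):
        if op in ENCRYPT_OPS:
            counts[user] += 1
            first.setdefault(user, ts)
            last[user] = ts
    return {u: counts[u] / max((last[u] - first[u]).total_seconds() / 60, 1) for u in counts}

def detect_bursts(lines, baseline, factor=10, min_ops=20, window_s=60):
    """Alert once per user when write/rename ops inside a sliding window exceed
    max(min_ops, factor x that user's baseline); also report distinct shares touched."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, user, op, path in map(parse, lines):
        if op not in ENCRYPT_OPS:
            continue
        q = recent[user]
        q.append((ts, path.split("\\")[3]))        # (time, share name from the UNC path)
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        threshold = max(min_ops, factor * baseline.get(user, 0))
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts.isoformat(), len(q), len({s for _, s in q})))
    return alerts
```

    Each alert carries the user, the time the threshold was crossed, the operation count in the window and how many shares were hit, which is what separates a mapped-and-unmapped-drive sweep from one busy clinician.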

    Once the files are encrypted, the ransomware displays a pop-up or a webpage explaining that the files have been locked and giving instructions on how to pay to unlock them (some MedStar employees reported having seen such a pop-up before the system was shut down). The ransom is nearly always demanded in the form of Bitcoin (abbreviated as BTC), an untraceable “cryptocurrency.” Once the ransom is paid, the hacker promises, a decryption key will be provided to unlock the files.

    Unfortunately, because ransomware perpetrators are criminals – and thus, untrustworthy to begin with – paying the ransom is not guaranteed to work. An organization may pay hundreds, even thousands of dollars and receive no response, or receive a key that does not work, or that does not fully work. For these reasons, as well as to deter future attacks, the FBI recommends that ransomware victims not cave in and pay. However, some organizations may panic and be unable to exercise such restraint.

    Because of this, ransomware attacks can be much more lucrative for hackers than actually stealing data. Once a set of data is stolen, the hacker must procure a buyer and negotiate a price, but in a ransomware attack, the hacker already has a “buyer”: the owner of the information, who is not in a position to negotiate on price.

    Why is the healthcare industry being targeted in ransomware attacks?

    There are several reasons why the healthcare industry has become a prime target for ransomware attacks. First is the sensitivity and importance of healthcare data. A company that sells, say, candy or pet supplies will take a financial hit if it cannot access its customer data for a few days or a week; orders may be left unfilled or delivered late. However, no customers will be harmed or die if a box of chocolates or a dog bed isn’t delivered on time. The same cannot be said for healthcare; physicians, nurses, and other medical professionals need immediate and continuous access to patient data to prevent injuries, even deaths.

    U.S. News & World Report points to another culprit: the fact that healthcare, unlike many other industries, went digital practically overnight instead of gradually and over time. Additionally, many healthcare organizations see their IT departments as a cost to be minimized, and therefore do not allocate enough money or human resources to this function:

    According to statistics from the Office of the National Coordinator for Health Information Technology, while only 9.4 percent of hospitals used a basic electronic record system in 2008, 96.9 percent of them were using certified electronic record systems in 2014.

    This explosive growth rate is alarming and indicates that health care entities could not have had the organizational readiness for adopting information technologies over such a short period of time. Many of the small- or medium-sized health care organizations do not view IT as an integral part of medical care but rather consider it a mandate that was forced on them by larger hospitals or the federal government. Precisely for this reason, health care organizations do not prioritize IT and security technologies in their investments and thus do not allocate the required resources to ensure the security of their IT systems, which makes them especially vulnerable to privacy breaches.

    What can the healthcare industry do about ransomware?

    First, the healthcare industry needs a major shift in mindset: Providers must stop seeing information systems and information security as overhead costs to be minimized, realize that IT is a critical part of 21st century healthcare, and allocate the appropriate monetary and human resources to running and securing their information systems.

    The good news is, since ransomware almost always enters a system through simple social engineering techniques such as phishing emails, it is fully possible to prevent ransomware attacks by taking such measures as:

    • Instituting a comprehensive organizational cyber security policy
    • Implementing continuous employee training on security awareness
    • Conducting regular penetration tests to identify vulnerabilities

    Continuum GRC feels that it is much better to prevent a ransomware attack than to attempt to deal with one after it has occurred, especially in a healthcare environment, where lives are at stake should patient data become inaccessible. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions helping companies all around the world sustain a proactive cyber security program. Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help you prevent your facility from becoming the next victim of a ransomware attack.