If your hospital or clinic uses a Windows 7-based version of a Siemens PET/CT or SPECT system, it could be vulnerable to attack by a relatively low-skill hacker, according to a July 26 security advisory from the company.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the U.S. Department of Homeland Security, also released an advisory on the vulnerabilities, each of which was scored as "critical" at 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS). And just today, the FDA recalled 465,000 pacemakers after finding vulnerabilities that could let hackers reprogram the devices.
Both advisories note that the exploitability of these vulnerabilities depends on the organization's configuration and deployment environment. In a network that lacks proper segmentation or other access controls, a compromised medical device can become a foothold from which an attacker moves into the larger network.
All of which brings us to the essential question: What havoc could a malicious actor wreak—not just on the device itself—but on the confidentiality, availability and integrity of your entire IT system?
A Matter of Life and Death
The game of overhyping cybersecurity risks for marketing purposes is one we try very hard not to play. However, we don't think it's overstating the case to say that vulnerabilities in medical devices can have fatal consequences. Former U.S. Vice President Dick Cheney knew that, which is why he had the wireless feature of his implanted defibrillator disabled.
Most patients don’t have a high-profile target on their backs, but their medical records do. A single Medicare or Medicaid medical record commands up to $500 on the black market. Vulnerable medical devices can serve as a huge blinking arrow beckoning cyber thieves to this rich bounty.
Regulators take cybersecurity very seriously. The HHS Office for Civil Rights, which enforces HIPAA, has hit covered entities with multi-million dollar settlements and penalties for privacy and security violations.
A task force convened by the Secretary of Health and Human Services stated in its June 2017 Report on Improving Cybersecurity in the Health Care Industry, “Health care cybersecurity is a key public health concern that needs immediate and aggressive attention.”
The FDA issued recommendations for improving the security of connected medical devices. Among these nonbinding recommendations, the FDA urges, “Manufacturers should address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks.”
Follow Good Security Hygiene
Unfortunately, “security by design” remains the exception rather than the rule. But users of these devices can implement some “basic hygiene” measures to mitigate the impact of vulnerabilities such as those in the Siemens molecular imaging devices.
- Isolate medical devices from the EHR and the rest of the network. Imagine an intruder breaks in through your front gate only to find all the doors to your house unlocked. This scenario is frighteningly close to reality for many hospitals and clinics. When connected medical devices sit on the same flat network as everything else, an attacker who gains access to the device can leapfrog easily to patients' medical files and other valuable, sensitive data. Beyond putting devices on their own segment, healthcare IT departments should strongly consider placing them behind a firewall with default-deny rules that permit only the traffic the device actually needs (for example, DICOM transfers to the PACS and time sync to a local server), and making them unreachable from the public Internet in either direction.
- Implement patches as soon as they become available. Unfortunately, medical device manufacturers often don't have the infrastructure to identify vulnerabilities and issue patches. Even when manufacturers do issue patches, the IT departments of resource-strapped hospitals and clinics may not get the message. Subscribe to the vendor's and ICS-CERT's advisories for every device model you own, and where a patch is not yet available or cannot be applied without the vendor's validation, rely on the isolation controls above as a compensating measure.
- Back up all systems regularly. A backup and system restoration process will not prevent a hacking incident, but it will minimize the consequences of a successful attack, provided the backups are kept offline or otherwise out of an attacker's reach and restoration is actually tested before it is needed.
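The isolation measure above is only as good as the firewall rules that implement it, and rulesets drift. The following script is an added example, not code from the original post or from HORNE Cyber: it models a stateful firewall with first-match, default-deny semantics and audits a ruleset against the flows a modality segment should and should not have. The address plan (a modality VLAN, a PACS, an NTP server, an EHR subnet), the rule syntax, and the port numbers are assumptions chosen for illustration; replace them with your own. The "flat" ruleset stands in for the unlocked-house scenario, and the "segmented" ruleset permits only DICOM to the PACS and NTP to a local time source.

```python
"""Audit a firewall policy for modality (PET/CT, SPECT) segmentation.

Added example with a constructed address plan (an assumption, not from any
advisory). Models a stateful firewall: first matching rule wins, return
traffic for a permitted flow is implied, anything unmatched is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan for the example.
MODALITY_VLAN = ipaddress.ip_network("10.20.0.0/24")   # PET/CT and SPECT consoles
PACS          = ipaddress.ip_network("10.30.0.10/32")  # archive the modalities push studies to
NTP           = ipaddress.ip_network("10.30.0.20/32")  # local time source
EHR_NET       = ipaddress.ip_network("10.40.0.0/24")   # EHR servers and clinical workstations
ANY           = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"              # "tcp", "udp" or "any"
    dport: Optional[int] = None     # None matches every destination port

    def matches(self, src, dst, proto, dport):
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def decide(rules, src, dst, proto, dport):
    """Return "allow" or "deny" for a new flow; unmatched flows are denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


# Flat network: a single permit-all rule (every door in the house unlocked).
FLAT = [Rule("allow", ANY, ANY)]

# Segmented: only the flows the modalities need to do their job.
SEGMENTED = [
    Rule("allow", MODALITY_VLAN, PACS, "tcp", 11112),  # DICOM C-STORE to the PACS
    Rule("allow", MODALITY_VLAN, PACS, "tcp", 104),    # legacy DICOM port, if the PACS uses it
    Rule("allow", MODALITY_VLAN, NTP,  "udp", 123),    # time sync from the local server
]

# Flows a segmented modality network must allow or block.
# (name, src, dst, proto, dport, expected decision); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the Internet.
CHECKS = [
    ("modality pushes studies to PACS",        "10.20.0.5",   "10.30.0.10",   "tcp", 11112, "allow"),
    ("modality cannot reach the EHR",          "10.20.0.5",   "10.40.0.15",   "tcp", 443,   "deny"),
    ("modality cannot reach the Internet",     "10.20.0.5",   "198.51.100.9", "tcp", 443,   "deny"),
    ("Internet cannot RDP to a console",       "203.0.113.7", "10.20.0.5",    "tcp", 3389,  "deny"),
    ("EHR workstation cannot SMB to a console", "10.40.0.15", "10.20.0.5",    "tcp", 445,   "deny"),
]


def audit(rules):
    """Map each check name to True if the ruleset gives the expected decision."""
    return {name: decide(rules, s, d, p, port) == want
            for name, s, d, p, port, want in CHECKS}


def is_segmented(rules):
    """True only if every check passes."""
    return all(audit(rules).values())


if __name__ == "__main__":
    for label, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"{label}: segmented={is_segmented(rules)}")
        for name, ok in audit(rules).items():
            print(f"  [{'PASS' if ok else 'FAIL'}] {name}")
```

The flat policy passes only the first check (the modality can still push studies), and fails the other four, which is exactly the leapfrog path described above. The segmented policy passes all five because nothing that is not listed is reachable. When you adapt this, add a check for every flow your engineers believe the device needs and every flow it must never have, and rerun it whenever the ruleset changes.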
No matter your role, it is within your power to improve cybersecurity in your organization simply by asking the question, “What are we doing to prepare for a cybersecurity incident?”
Even if you don’t get a satisfactory answer, keep asking. The safety of your patients and the stability of your organization may depend on it.
About the Co-Author
Brad Pierce is the director of network security for HORNE Cyber where he focuses on leading the advanced penetration testing teams.