Hospitals are risking patient lives by failing to protect critical computer systems that attackers can manipulate. In a scathing report on the current state of hospital security, researchers say everything from bedside patient monitors and automated drug dispensing machines to patient records is inadequately protected.
The findings come from Baltimore, Md.-based Independent Security Evaluators, which concludes that hospitals must overhaul their security or risk patient fatalities. Researchers say they were able to hack hospital systems and devices and to disable patient alarms designed to alert staff to a life-or-death health event.
“Hospitals are focused on things like HIPAA compliance and not enough on critical security vulnerabilities which, if exploited, could result in patient harm or fatality,” said Ted Harrington, executive partner with Independent Security Evaluators, in an interview with Threatpost.
In the study (PDF), to be presented Tuesday at the RSA Conference in San Francisco, researchers reviewed security at 12 hospitals, along with medical devices and healthcare data facilities. Part of the review consisted of proof-of-concept hacks carried out with the consent of all hospitals.
In one attack, researchers broke into a hospital’s back-end network via a public information kiosk in the hospital’s lobby. Researchers exploited nearly a dozen other security holes spanning remote, local and physical attacks.
“We were able to circumvent hospital perimeter defenses in several ways from a remote vantage point, primarily by compromising externally facing web applications,” said Stephen Bono, founder of Independent Security Evaluators. “Once we had control of those servers, we were now on the hospital network and had a ‘local’ vantage point.”
“This attack would have been possible against all medical devices … likely preventing assistance and resulting in the death or serious injury of patients.
“The attack scenario is harrowing: Diligently executed, many human lives could be at stake, and extrapolating this problem to other hospitals is even more worrisome.”
Researchers also baited hospital staff with USB sticks carrying a simulated malware payload and bearing the hospital’s logo. Eighteen drives were planted where staff would find them. Within 24 hours nearly all of them had been plugged into computers at nursing stations, where the payload simulated a request for malware from a remote server, according to the report.
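An exercise like the one described above is scored by counting which planted drives phone home, and how quickly. The following is an added example, not code from the report or from Independent Security Evaluators: it assumes that each planted drive carries a payload that fetches a unique token path (/beacon/<token>) from the tester’s web server, an arrangement the article does not describe, and it runs over constructed web-server log lines that include the noise a real log would have (a duplicate callback, an unknown token from a scanner, an unrelated request, a garbage line, and a tester’s own request made before the drives were planted).

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions (not from the report): each planted drive carries a payload that
# requests /beacon/<token> on the tester's web server, one token per drive.
PLANTED = {f"drive{n:02d}" for n in range(1, 19)}              # 18 drives, as in the study
PLANT_TIME = datetime(2016, 1, 10, 8, 0, tzinfo=timezone.utc)  # hypothetical planting time
WINDOW = timedelta(hours=24)                                   # the article's 24-hour yardstick

# Common log format as written by Apache/nginx; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
BEACON_RE = re.compile(r"^/beacon/(?P<token>[A-Za-z0-9_-]+)$")

# Constructed sample log (not real traffic). Lines that must be ignored are present on purpose.
SAMPLE_LOG = """\
10.20.1.5 - - [10/Jan/2016:07:30:02 +0000] "GET /beacon/drive01 HTTP/1.1" 200 12
10.20.1.41 - - [10/Jan/2016:09:12:44 +0000] "GET /beacon/drive03 HTTP/1.1" 200 12
10.20.1.41 - - [10/Jan/2016:10:00:19 +0000] "GET /beacon/drive03 HTTP/1.1" 200 12
10.20.1.42 - - [10/Jan/2016:13:30:00 +0000] "GET /beacon/drive07 HTTP/1.1" 200 12
198.51.100.9 - - [10/Jan/2016:14:02:11 +0000] "GET /beacon/zzz HTTP/1.1" 404 0
10.20.1.42 - - [10/Jan/2016:14:02:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0
this line is not a log entry
10.20.1.43 - - [11/Jan/2016:07:59:00 +0000] "GET /beacon/drive11 HTTP/1.1" 200 12
10.20.1.44 - - [11/Jan/2016:09:00:00 +0000] "GET /beacon/drive15 HTTP/1.1" 200 12
"""


def parse_ts(raw):
    """Parse a common-log timestamp such as '10/Jan/2016:09:12:44 +0000'."""
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")


def tally(log_text, planted=PLANTED, plant_time=PLANT_TIME, window=WINDOW):
    """Return the first callback per planted drive plus summary lists for the exercise."""
    first = {}  # token -> (timestamp, source ip) of the earliest callback
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # garbage or an unexpected format
        b = BEACON_RE.match(m["path"])
        if not b or b["token"] not in planted:
            continue  # unrelated path, or a token we never planted (scanner noise)
        ts = parse_ts(m["ts"])
        if ts < plant_time:
            continue  # the tester's own pre-planting check, not a staff member
        if b["token"] not in first or ts < first[b["token"]][0]:
            first[b["token"]] = (ts, m["ip"])

    minutes = {t: int((ts - plant_time).total_seconds() // 60) for t, (ts, _) in first.items()}
    limit = window.total_seconds() // 60
    return {
        "called_back": sorted(first),
        "within_window": sorted(t for t, mins in minutes.items() if mins <= limit),
        "never": sorted(planted - set(first)),
        "minutes_to_first": minutes,
        "stations": sorted({ip for _, ip in first.values()}),  # hosts the drives were used on
    }


if __name__ == "__main__":
    r = tally(SAMPLE_LOG)
    print(f"{len(r['within_window'])}/{len(PLANTED)} drives used within 24 h: {r['within_window']}")
    print("never used:", r["never"])
    print("minutes to first callback:", r["minutes_to_first"])
```

Keying on a per-drive token rather than on the source address is what lets the tally distinguish "a drive was used" from "a host talked to our server", and the cutoff at the planting time keeps the tester's own smoke test out of the count.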
“On a disconnected network segment, our team demonstrated an authentication bypass attack to gain access to the patient monitor in question, and instructed it to perform a variety of disruptive tasks, such as sounding false alarms, displaying incorrect patient vitals, and disabling the alarm,” the team says in the paper.
“Being local grants a far wider field of options for an attack, but we were able to demonstrate these attacks are possible remotely, which is the worst-case scenario,” Bono told Threatpost.
For the physical on-site attacker, exposed hardware ports on devices and unlocked computers left running in patient rooms are nothing less than a candy shop of attack surfaces. Many of these security failures come down to lax or absent business processes.
The healthcare industry has been fortunate so far, with no reported fatalities tied to a malicious hack. But, Harrington said, criminals are increasingly targeting hospitals. Earlier this month, the Los Angeles-based Hollywood Presbyterian Medical Center paid 40 bitcoins ($17,000) to attackers who had locked access to the hospital’s electronic medical records system and other computer systems with crypto-ransomware.
There have also been well-documented vulnerabilities in devices such as insulin pumps. Last August, the U.S. Food and Drug Administration recommended that hospitals stop using a medical device it said was vulnerable to hackers.
Independent Security Evaluators maintains that hospitals need to overhaul how they approach security, starting with recognizing accountability across the entire healthcare ecosystem. “Hospitals are the ones on the hook when it comes to security and patients,” Harrington said. But patient safety relies on best practices that start with outside system integrators, software developers, device manufacturers and cloud service vendors, he said.
“The irony is hospitals are so careful about everything from washing hands, HIPAA compliance to making sure patients get the best care possible,” Harrington said. “But when it comes to security, the number of vulnerabilities are eye popping.”
“The findings show an industry in turmoil: lack of executive support; insufficient talent; improper implementations of technology; outdated understanding of adversaries; lack of leadership, and a misguided reliance upon compliance,” the team said.
“[It] illustrates our greatest fear: patient health remains extremely vulnerable. One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective.”
Hospital information security is “drastically” underfunded, training is flawed at all levels, networks are insecure, and policies and audits are largely absent, and flawed at best where they do exist, the researchers found.
Vendor-supplied security at the facilities was not only inappropriate but poorly implemented, the researchers said, and was either rife with vulnerabilities itself or operating alongside in-house technology peppered with flaws.
“We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness, and many more,” researcher Ted Harrington says. “These vulnerabilities are a result of systemic business failures.”
Hospitals that participated in the study acknowledged their security shortcomings, Harrington said. But many of them lacked the budget and know-how to tackle the problem fast and effectively. Independent Security Evaluators recommend hospitals assess threats, understand risk and train staff to identify and avoid vulnerabilities. Next, hospitals need to develop a long-term plan with actionable short-term goals.