Patient information is now worth more than credit card data on the dark web and hackers are increasingly using medical devices to infiltrate hospital networks.
Patient information isnow worth more than credit card data on the dark web and hackers are increasingly using medical devices to infiltrate hospital networks. A clinical engineering conference, hosted by the National Performance Advisory Group (NPAG), highlighted the threat posed to Trusts’ cyber security. Louise Frampton reports.
There is a major drive towards digitalisation within the NHS and Trusts will increasingly be scrutinised on their ‘digital maturity’ in the next few years – putting cyber security and IT connectivity at the top of the agenda. The aim is for patients to be able to access their own electronic health records, adding personal data from devices such as FitBit and enabling two-way interaction. At the same time, hospital-based monitoring devices are increasingly being linked directly into patients’ electronic patient records, with a view to becoming ‘paper-free at the point of care’.
Digital technologies and connected devices have the opportunity to increase efficiency and transform care for patients, but there are also challenges ahead for clinical engineers. Against a back-drop of increasing connectivity, digitalisation and interoperability, clinical engineers will need to increase their knowledge of IT networks, as well as cyber security for linked medical devices.
Many hospitals across the world have been hit by having their patient records encrypted, through ransomware, and attempts to sell stolen confidential data on the dark web marketplace have also been identified.1 Medical devices are particularly vulnerable to being exploited by attackers who wish to obtain remote access to hospital networks.
Speaking at the clinical engineering conference, Peter Smithson warned that internal and external threats can lead to a loss of use or the leakage of data, with the potential to result in high costs to the organisation. A consultant clinical engineer for CliniBizTech Solutions and a facilitator for the NPAG IT and Connectivity Group, Peter Smithson works closely with government, clinical engineering and Information Management and Technology (IM&T) departments, and was chairman of the Bristol Trust medical devices anti-malware working group.
He reported that serious cyber security incidents have already occurred at some Trusts in the UK and that the cost of tackling a breach and re-installing IT systems, in one case, was reported to have totalled £4 million over a period of a month.
“This is happening worldwide and it is coming to a Trust near you,” he warned.
“Patient data is worth 10-20 times more than credit card data on the ‘dark web’ – it is possible to blackmail a Trust, blackmail the patient, or simply hold the data for ransom. Medical devices contain this data in bundles.”
He explained that malware can get into the network in various ways. Modern medical equipment often contains a computer, has open USB ports and contains valuable personal details (e.g. patient ID, treatment or diagnosis details). This could range from a blood glucose monitor to a MRI scanner. Entry to the hospital’s IT systems can be achieved through malware that remains undetected in medical devices on the network. Peter Smithson explained that the malware ‘MEDJACK2’ targets older operating systems and devices – technologies that use XP, such as in radiology, are particularly vulnerable as this system is no longer ‘patched’ by Microsoft.2
“Hackers are targeting older devices at your Trust; they embed the software and use the devices as a ‘jumping off’ point to go and attack other areas of the Trust, while keeping themselves ‘undercover’. You may be infected already,” he commented.
During research, undertaken in 2016, cyber-attacks were identified at least 18 North American hospitals, some of which involved a variety of capital equipment and imaging systems, including a radiation oncology system, an x-ray machine, and a picture archiving and communication system (PACS).3 Vulnerable devices included diagnostic equipment, therapeutic equipment, life support systems, as well as technology using old operating systems and proprietary internal software.
“You don’t know if hackers are changing the parameters on critical medical devices or radiation doses, for example – this is the danger of these systems,” Peter Smithson commented.
In March 2016, SC Magazine reported that nearly 1,500 vulnerabilities were foundin automated medical equipment. Security researchers discovered flaws in outdated medical equipment still in use by some healthcare providers.4 These vulnerabilities could allow hackers to remotely exploit systems. Research carried out by Billy Rios and Mike Ahmadi used automated security scanning tools on a decommissioned device and found scores of bugs in equipment running customised versions of Windows XP.
Some 715 of the flaws in ‘automated supply cabinets used to dispense medical supplies’ had a severity rating of high or critical.
In addition, in May 2016, the journal reported that a US patient undergoing heart surgery was put at risk after anti-virus software started running on a computer monitoring the procedure.5 Peter Smithson added that he was aware of another incident in which a CT scanner suddenly stopped to perform an anti-virus scan, so the patient had to be scanned once again. This resulted in additional radiation exposure for the patient.
“So how do you control your anti-virus software? Who is responsible? Is it the clinical engineers, the radiology department, or IT? If you are going to have better antivirus protection, you will need to control how it operates,” Peter Smithson pointed out, adding that the configuration of systems and protection will require collaboration between departments.
Highlighting the findings of another report, he commented that nearly three-quarters of NHS Trusts said they had no cyber-security training programme for mobile devices, despite the fact that a similar number are using these mobile devices in the workplace.6 Staff are increasingly bringing in their own devices which pose a potential threat to the Trust’s systems, while patients and their relatives may also hack in to the WiFi, Peter Smithson warned.
To address the threats posed to healthcare organisations, the FDA hosted a public workshop on collaborative approaches to medical device cyber-security, which was followed by the publication of the document ‘Post-market Management of Cyber-security in Medical Devices Draft guidance’. Published in January 2016, the guidance outlines steps that manufacturers should take to continually address cyber-security risks with devices in order to better protect the public.
In the UK, NHS Digital was also commissioned by the Department of Health to develop a Care Computer Emergency Response Team (CareCERT). CareCERT is now tasked with offering advice and guidance to support health and care organisations to respond effectively and safely to cyber-security threats. NHS IT and clinical engineering staff can join the scheme, to send and receive alerts, by sending a request to: firstname.lastname@example.org
The National Data Guardian review of data security is also now underway, which is expected to produce a set of leadership responsibilities and data security standards – for example, a strategy must be in place for protecting systems from cyber threats based on a proven framework such as Cyber Essentials. Unsupported operating systems, software or internet browsers will not be allowed to be used within the IT estate.
Peter Smithson explained that, in the future, clinical engineers will need to seek permission to connect devices to the network, from the chief clinical information officer within their Trust – including when using medical device test software – and they will need to have an asset register of all the software and devices on the IT network.
Peter Smithson advised that Trusts can protect themselves by isolating medical devices inside a secure network zone and protecting this zone with an internal firewall that will only allow access to specific services and IP addresses. They should implement strategies to review and remediate medical devices; rapidly integrate and deploy software and hardware fixes provided by the manufacturers of medical devices; and ensure that devices are procured from suppliers only after a review with the manufacturer focusing on the cyber-security processes and protections.
Access to medical devices needs to be managed, especially through USB ports, while there also needs to be a strategy for managing the end of life of medical devices. He added that medical device supplier contracts need to be updated to cover support and maintenance, specifically addressing malware remediation, while Trusts should favour medical device suppliers that use techniques, such as digitally signed software and encryption of all internal data, with passwords that can be modified and reset. When a device is selected, information security teams should have the ability to test and evaluate suppliers independent of the acquiring department. In addition, Trusts should use technology that is designed to identify malware and persistent attack vectors which may have already bypassed its primary defences.
Ultimately, Peter Smithson pointed out that there are significant benefits to the increasing connectivity of medical devices and digitalisation of healthcare – from faster access to diagnostic results and telemedicine, to wellness tracking. However, there are also risks. “It is a ticking time-bomb and we need to be prepared,” he concluded.
1 ‘MEDJACK 2: Old malware used in new medical device hijacking attacks to breach hospitals’, Network World,27 June 2016)
2 Press release, 27 Jun 2016, ‘TrapX Labs discovers new medical hijack attacks targeting hospital devices’, accessed at: http://trapx.com/trapxlabs-discovers-new-medical-hijack-attackstargeting-hospital-devices-2/
3 TrapX, Anatomy of an Attack – Medical Device Hijack 2, June 2016, http://deceive.trapx.com/ WPMEDJACK.2_210LandingPage.html
4 Rene Millman, ‘Nearly 1,500 vulnerabilities found in automated medical equipment’, SC Magazine, 31 March 2016. Accessed at: https://www.scmagazine.com/nearly-1500vulnerabilities-found-in-automated-medicalequipment/article/528708/
5 Rene Millman, ‘Anti-virus software stops surgery to scan medical monitor for malware’, SC Magazine, 11 May 2016, Accessed at: http:// www.scmagazineuk.com/anti-virus-softwarestops-surgery-to-scan-medical-monitor-formalware/article/495664/
6 Data reported by Accellion, cited by Max Metzger, ‘NHS all-mobile no-paper system has ‘alarming’ lack of cyber-security’, SC Magazine10 December 2015, accessed at: http://www.scmagazineuk.com/ nhs-all-mobile-no-paper-system-has-alarminglack-of-cyber-security/article/458958/
EcoTech (Europe) Limited are one of Europe’s largest manufacturers of cleaning solutions, including cleaning cloths, impregnated wipes, flow packs and trigger spray chemicals. Our entire range has been carefully built up over many years to ensure that our customers have a range of cleaning products available to them that ALL meet with...
Learn more »
Queen Elizabeth Hospital Birmingham
1st April 2017
Majestic Hotel, Harrogate
29th – 30th June 2017
The evolution of patient warming
Register now to apply for regular copies of Clinical Services Journal and free access to premium content, as well as our regular newsletters.
Don't miss out on the latest news affecting deliverers of high quality clinical services. Register FREE for our regular newsletters now, and enjoy FREE access to feature article content and to the digital version of The Clinical Services Journal.
Selected subscribers will also be considered for FREE inclusion within the distribution of the printed version of The Clinical Services Journal, too!