As a medical doctor, I see how hospitals are targeted disproportionately by malware, putting a treasure trove of valuable patient health information at risk. Modern hospitals’ interconnected digital platforms, such as integrated billing and electronic health records, and our increasing use of Internet of Things (IoT) devices are putting people’s health and privacy at risk.
Consider the recent surge of ransomware attacks on NHS Trusts, among the long list of healthcare targets. When doctors and nurses are locked out of their systems due to ransomware, critical surgeries, transplant procedures, and emergency trauma treatment must all be staggered or diverted to other facilities. Patients may be denied life-saving medical procedures while hospital staff desperately try to restore functionality.
In addition, a hospital struck by an attack will likely see their reputation and patient faith damaged, to say nothing of the hefty clean-up costs and regulatory penalties they may face.
IoT Gadgets Expand the Hospital Attack Surface
There’s no question that IoT healthcare equipment helps healthcare providers and administrators do a better job by providing real-time presence and awareness about patient conditions, equipment status, and other factors, but they have a considerable Achilles’ heel: weak security.
Consider the Mirai DDoS attack last fall, launched via an IoT botnet, that took down some of the internet’s most popular websites. Imagine what could happen if a hospital, rather than Netflix and Twitter, were targeted by such an attack.
An attack on connected medical equipment, such as infusion pumps, cardiac monitors, radiation equipment, and ventilators, could have catastrophic outcomes. And, from all indications, it can and will happen if we leave things as they are. We’ve already seen a demonstration hack of an infusion pump under controlled conditions – but a black hat hacker could easily exploit similar vulnerabilities to devastating effect. A determined intruder might directly tamper with medical equipment, exposing patients to excessive amounts of radiation or overdosing them on medication.
Healthcare-targeted cyberattacks will likely further evolve into database intrusions that damage the integrity of patient records. Imagine the long-term damage that could be caused by a fudged lab or medication dosage report that affects treatment and causes death or long-term disability.
The Doctor’s View
As a medical professional, I recognize the importance of putting all our technology and operations under a comprehensive security umbrella, and I also understand the challenges of making that happen. For example, electronic health records should always and only be unlocked with secure credentials, yet requiring staff to login to the EHR over and over again during the day is perceived as an impediment to productivity. Users would rather share common passwords across systems in the interest of efficiency and “getting work done.”
Yet, this is dangerous and offers another surface for attackers to target hospitals. And they already have more than enough choices – unprotected remote diagnostic devices; shadow IT risks like cloud sharing tools; uncontrolled mobile devices; phishing emails; non-compliant chat and text applications – to unleash digital mayhem.
What Healthcare Must Do to Secure our Medical System
Healthcare is a critical asset, and it must be protected. As the adage goes, an ounce of prevention is worth a pound of cure. Here are 10 things we need to do now to secure our medical system:
Teach staff how to identify and avoid phishing scams, ransomware attacks, and other email-based threats
Put email solutions, collaboration tools, and other critical apps in containers to protect sensitive content
Technology has become ingrained in our healthcare system, which is mostly a good thing. To avoid the bad, security and privacy need to be given a greater emphasis – they must be part of every healthcare organization’s ethos, not just viewed as a regulatory compliance demand. The prevailing cyber-defense model needs to change such that targeting hospitals for patient data is no longer cost-effective for criminals.
Healthcare currently suffers under the weight of a malware epidemic – and security fine-tuned to protect patient privacy and save patient lives is just what the doctor ordered to cure it.
About Dr. Abhishek Puri
Dr. Puri is a radiation oncologist at the Fortis Cancer Institute in Mohali, India. Born and raised in Northern India, Dr. Puri has always been a technophile with a deep thirst for knowledge.