Any healthcare provider that believes the risk of a data breach through a medical device is low should think again: a new white paper suggests the medical device hacking risk is much higher than expected. Attackers are actually using the devices to gain access to healthcare computer networks.
HIPAA-covered entities that ignore the risk do so at their peril. Hackers can use the devices to gain access to far more than the data stored on them.
Many Security Vulnerabilities Are Missed During Risk Assessments
The TrapX Labs white paper suggests that hackers are taking advantage of security vulnerabilities that are routinely missed by risk assessments. Medical equipment, radiology equipment for example, collects and stores PHI, and if access can be gained that information can be stolen. Worse, if malware can be installed on the equipment, keyloggers for instance to record usernames and passwords, the device can be used as a stepping stone into the wider healthcare computer network. The equipment then serves as a persistent backdoor until the breach is discovered, and the bad news for healthcare providers is that such breaches can be very difficult to identify.
Medical devices are often maintained by third parties, and the provider's own security team is frequently not permitted to scan them. By the time scans are carried out, often by the manufacturer, cybercriminals could be long gone, having already taken all the data they need from the computer network.
The white paper backs this up with evidence of the extent to which malware is infecting medical equipment. In one scanned system, a hacker had already gained access to the equipment and was searching for targets in order to gain full access to the network.
Another example involved a Picture Archiving and Communication System (PACS), on which malware was discovered that had been downloaded by accident by a member of the radiology department staff. The malware was transmitting data from the system to a location in China over TCP port 443. Because 443 is the port used for HTTPS, the traffic blended in with ordinary encrypted web traffic and went entirely unnoticed by the healthcare provider.
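To make the PACS case concrete, the following is an added example written for this page (not code from TrapX or from the white paper) that screens constructed flow records from an imaging VLAN for exactly this pattern: connections from a device segment to an external host that is neither internal nor on the vendor allowlist, with no exemption for port 443, followed by a check for the regular timing that a scheduled upload or check-in produces. The VLAN range, vendor allowlist, IP addresses and flow records are all hypothetical.

```python
import ipaddress
import statistics
from collections import defaultdict

# All addresses below are hypothetical (RFC 5737 documentation ranges for the
# external hosts); the imaging VLAN and vendor allowlist are assumptions.
DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/24")      # assumed imaging/PACS VLAN
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]       # assumed corporate space
ALLOWED_EXTERNAL = {"203.0.113.10"}                        # assumed vendor support gateway

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out).
SAMPLE_FLOWS = [
    (1000, "10.50.0.21", "10.10.5.3", 104, 8_000_000),       # DICOM to internal archive
    (1010, "10.50.0.21", "203.0.113.10", 443, 12_000),       # vendor support, allowlisted
    (1200, "10.50.0.21", "198.51.100.77", 443, 240_000),     # unknown external host ...
    (1800, "10.50.0.21", "198.51.100.77", 443, 236_000),     # ... contacted every 600 s
    (2400, "10.50.0.21", "198.51.100.77", 443, 251_000),
    (3000, "10.50.0.21", "198.51.100.77", 443, 244_000),
    (1500, "10.50.0.22", "10.10.5.3", 104, 5_000_000),       # second modality, internal only
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unexpected_external_flows(flows):
    """Flows from the device segment to external hosts that are not allowlisted.
    Port 443 gets no exemption: TLS hides the content, not the destination."""
    hits = []
    for ts, src, dst, dport, nbytes in flows:
        if ipaddress.ip_address(src) not in DEVICE_SEGMENT:
            continue
        if is_internal(dst) or dst in ALLOWED_EXTERNAL:
            continue
        hits.append((ts, src, dst, dport, nbytes))
    return hits


def beacon_candidates(flows, min_connections=4, max_jitter=0.2):
    """Group flows by (src, dst, port) and flag pairs whose inter-connection
    intervals are nearly constant, the timing signature of a scheduled
    upload or command-and-control check-in."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        by_pair[(src, dst, dport)].append((ts, nbytes))

    results = []
    for (src, dst, dport), events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # identical timestamps: a burst, not a beacon
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            results.append({
                "src": src, "dst": dst, "dport": dport,
                "connections": len(events),
                "interval_s": mean_gap,
                "bytes_out": sum(nbytes for _, nbytes in events),
            })
    return results


def analyse(flows):
    """Full pipeline: destination screening first, then timing analysis."""
    return beacon_candidates(unexpected_external_flows(flows))


if __name__ == "__main__":
    for hit in analyse(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"{hit['connections']} connections every {hit['interval_s']:.0f} s, "
              f"{hit['bytes_out']} bytes out")
```

A real deployment would feed this from NetFlow/IPFIX or firewall logs rather than the inline list, and the allowlist should be the manufacturer's documented support endpoints; anything else a device on that segment talks to deserves a ticket, whatever port it uses.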
The company believes that Citadel, Zeus and commercial off-the-shelf (COTS) malware are major problems plaguing healthcare providers, leaking data from the equipment to hackers around the world.
Reducing the Medical Device Hacking Risk
There are steps that healthcare providers can take to reduce the medical device hacking risk. One of the main issues is outdated software that is no longer being updated and patched; hackers exploit the known vulnerabilities in that software to gain access to the device and, from there, to the systems around it. Keeping software updated is an essential measure to reduce the risk of medical equipment data being breached and network access being gained. Where the manufacturer no longer supplies patches, that gap has to be compensated for elsewhere, for example by restricting what the device can reach on the network.
Regular scans for changes to software code, installed malware and viruses must be conducted, and these must be scheduled with the manufacturer if its assistance is required. A policy covering internet access from devices connected to medical equipment, and from the equipment itself, must be established and followed.
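As an added example of the "scan for changes to software code" control above (not code from the page or from TrapX), the following Python builds a SHA-256 baseline of a device's software directory and, on a later scan, reports files that were added, removed or modified since the baseline was taken. The directory layout, file names and the tampering scenario in demo() are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root):
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(tree, path):
    Path(path).write_text(json.dumps(tree, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario (not real device data): snapshot a fake device
    software tree, then simulate a dropped keylogger, a tampered viewer
    binary and a deleted audit log, and report what the rescan finds."""
    with tempfile.TemporaryDirectory() as tmp:
        device = Path(tmp) / "device_software"      # hypothetical install root
        (device / "bin").mkdir(parents=True)
        (device / "logs").mkdir()
        (device / "bin" / "viewer.exe").write_bytes(b"original viewer binary")
        (device / "bin" / "dicom.dll").write_bytes(b"dicom library")
        (device / "logs" / "audit.log").write_text("boot ok\n")

        # The baseline is written outside the scanned tree so it is not hashed itself.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(hash_tree(device), baseline_file)

        # Simulated compromise between the two scans.
        (device / "bin" / "viewer.exe").write_bytes(b"original viewer binary" + b"\x90" * 16)
        (device / "bin" / "klog.dll").write_bytes(b"keylogger payload")
        (device / "logs" / "audit.log").unlink()

        return compare(load_baseline(baseline_file), hash_tree(device))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {', '.join(paths) or '-'}")
```

Keep the baseline off the device and integrity-protected (signed, or on a write-once share), run the comparison from a trusted host during the maintenance windows agreed with the manufacturer, and treat the result as one control among several: hashing files will not reveal a modified firmware image or malware that lives only in memory.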