
Helpful Medical Devices Harmful to Privacy

While imaging equipment and other medical devices may seem like helpful tools for diagnosing and treating patients, they’re also opportunities for attackers, as TrapX Security stated in an Anatomy of Attack report on medical device hijacking.

So far, these hackers haven’t accessed the device to compromise or alter its functions, but that’s possible too, TrapX Security CEO Greg Enriquez stated. “It’s not something we’ve witnessed,” he said. “It’s something we’ve proven in a laboratory is possible.”

Instead, attackers are after information. “Personally identifiable information and medical records have had value up to 10 times more than credit card data, and that’s because you can reconstruct a person’s identity with hospital or medical record information,” he said. This data can be used to file false tax returns, fake claims and more, he explained.

Once a hacker gains presence in a device, normally they’re hard to find and will linger for an average of more than 200 days, Enriquez said. “I think it is a concern that medical devices can be a place for hackers to hide out and pivot in the organization to go after the administrative system or other targeted information,” he added. As a result, he strongly suggests having a firewall between devices like these and the core healthcare facility network where more patient information is stored.

As more attacks happen, with three major ones in the last couple of years, Enriquez thinks patients – who are the customers of the healthcare marketplace – will start demanding more security. “Consumers are more aware of risks associated with their personal information being digitally collected by a number of sources, whether it’s your retailer, your insurance provider or your healthcare provider,” he elaborated. “When your personal information is stored, you should be assured by the provider it’s protected and secure.”

Currently, medical device suppliers don’t include a security software system in their medical devices, Enriquez said. “I think the awareness to the potential vulnerability of medical devices will cause manufacturers to make sure they have the latest operating systems, that they’re patched and they can assure providers they have a security process in place to maintain a secure system for hospitals and other healthcare providers,” he continued.

As suppliers start to put up a wall to hackers, the hackers will find ways around it, Enriquez predicted. “In contrast to regular corporate IT networks, the presence of medical devices on healthcare networks may make them more vulnerable to attack. The data stored within healthcare networks remains a primary target for attackers on a global basis. For all of these reasons we expect targeted attacks on hospitals to increase throughout 2015 and 2016,” the report stated.

“I think the silver lining is, the more we see these kinds of attacks, the results of the attack aren’t catastrophic,” he said. By developing tight security plans, facilities can do their best to prevent those instances, he added.

System Solutions

So why not just download some security software? The problem is that the medical devices are FDA cleared and don’t have security software included in the initial design, he explained. Since they’re FDA regulated, security software also can’t be installed after purchase, because doing so would jeopardize their clearance, Enriquez added. Some security companies, like TrapX Security, offer protection by maintaining a non-intrusive presence where they can observe and monitor for new activity. Since the system isn’t downloaded or installed in the device, it’s okay to use.

Can’t facility security personnel monitor the devices? The medical devices are often on a closed network, requiring permission from the supplier to access it. This is possible through communicating needs, but it can’t be done often enough to catch an attacker the moment they hack into a device, he said.
