The alarming state of computer security in healthcare

Life support machines can be the difference between the recovery of a patient and the loss of a life. Imagine the implications of a poorly coded worm causing a respirator to turn on and off intermittently while connected to a loved one.

This issue was all too real for one American hospital, where malware introduced through the neonatal intensive care unit was used to gain access to the hospital network. A coding error in the worm caused a fault in a system of heart monitors, and premature babies went unmonitored for potentially fatal periods of time.


Why would anyone attack a hospital?

The data stored within healthcare networks remains a primary target for attackers on a global basis. By accessing a hospital network through a medical device, such as the neonatal intensive care ward heart monitors, attackers can infect medical devices with malware, then move laterally through hospital networks to steal confidential data.

Once criminals have hold of the data, they can easily keep that data hostage. Large ransoms are demanded in order to release this patient data and to unlock vital administrative systems. Hospitals have no choice but to pay if they wish to continue to offer any services.

An unfortunate side effect of these kinds of malware attacks is the unpredictable behaviour the worm causes on the machines it infects, such as turning heart rate monitors on and off again without warning.

According to IBM, healthcare became the most attacked industry in 2015, replacing financial services, which was the leader just two years earlier. Data held for ransom is incredibly lucrative for cyber criminals. A prime example of how stolen patient data can provide a huge payday comes from the news that a hacker dubbed “thedarkoverlord” is reportedly trying to sell 655,000 patient records on an illegal online data market.

The problem with medical devices is that this kind of hardware needs to stay in use for 10-20 years to pay for itself, but hardly any operating system is supported that long. Many of these devices were built as static machines, not around a continually changing and updating OS like the ones we have today. If such a device were continually updated, each update could break the hardware drivers for the device itself, so they are typically not touched or updated at all. The danger is that once an attacker is inside the network (with enough administrative rights) they can do essentially anything they want, such as stealing patient data and holding it for a large ransom. If these outdated machines must still be used, they have to be kept disconnected from the internet at all costs.
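As an added example that is not part of the original post, the following Python script audits a device inventory for operating systems that are past their vendor end-of-support date and cross-checks each device against a firewall policy to see whether it can still reach the internet, which is exactly the combination the paragraph above warns about. The inventory, the firewall rules, the addresses and the audit date are constructed values; the three end-of-support dates are real but should be verified against the vendor's lifecycle pages before being relied on.

```python
"""Audit a clinical-device inventory for end-of-support operating systems
that the firewall policy still lets reach the internet.

Added example for this post, not code from the article. The inventory,
firewall policy, addresses and audit date are constructed for illustration.
"""
from datetime import date
from ipaddress import ip_address, ip_network

# Vendor end-of-support dates. Verify against the vendor lifecycle pages
# before relying on them; the table is deliberately short.
OS_END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows 7": date(2020, 1, 14),
    "windows 10": date(2025, 10, 14),
}

# Constructed firewall policy: (source, destination, action), evaluated
# top-down, first match wins, implicit deny at the end.
FIREWALL_RULES = [
    ("10.20.0.0/16", "10.20.0.0/16", "allow"),  # device VLAN talks only to itself
    ("10.20.0.0/16", "0.0.0.0/0", "deny"),      # ...and nowhere else
    ("10.10.0.0/16", "0.0.0.0/0", "allow"),     # office VLAN has internet egress
]

# Constructed inventory: (device name, operating system, address).
INVENTORY = [
    ("NICU heart monitor", "Windows XP", "10.20.1.15"),
    ("CT workstation", "Windows XP", "10.10.5.7"),
    ("Billing PC", "Windows 10", "10.10.3.2"),
    ("Infusion pump", "VxWorks 6.9", "10.20.2.40"),
]

# Date the audit is run against; fixed here so the results are reproducible.
AUDIT_DATE = date(2016, 7, 1)

# A public address from the documentation range (TEST-NET-3) used as a probe:
# if the policy lets a device reach it, the device has internet egress.
INTERNET_PROBE = ip_address("203.0.113.10")


def has_internet_egress(address, rules):
    """Return True if the first matching rule lets `address` reach the probe."""
    src_ip = ip_address(address)
    for source, destination, action in rules:
        if src_ip in ip_network(source) and INTERNET_PROBE in ip_network(destination):
            return action == "allow"
    return False  # implicit deny


def os_is_unsupported(os_name, today):
    """Return True or False, or None when the OS is not in the lifecycle table."""
    eol = OS_END_OF_SUPPORT.get(os_name.strip().lower())
    if eol is None:
        return None
    return eol <= today


def audit(inventory, rules, today=None):
    """Classify each device: critical (unsupported OS with internet egress),
    warning (unsupported but isolated), unknown (OS not in table), or ok."""
    today = today or date.today()
    findings = {}
    for name, os_name, address in inventory:
        unsupported = os_is_unsupported(os_name, today)
        egress = has_internet_egress(address, rules)
        if unsupported is None:
            findings[name] = "unknown"
        elif unsupported and egress:
            findings[name] = "critical"
        elif unsupported:
            findings[name] = "warning"
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for name, status in sorted(audit(INVENTORY, FIREWALL_RULES, AUDIT_DATE).items()):
        print(f"{status:8} {name}")
```

The "unknown" bucket is deliberate: embedded devices running an OS that is not in the lifecycle table are the ones most likely to be forgotten, so the audit surfaces them instead of silently treating them as fine. An isolated but unsupported device is still reported as a warning, because isolation mitigates the exposure but does not remove it.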

Modern equipment comes with modern safety features

The presence of medical devices on healthcare networks creates a serious vulnerability, because these devices make the network far more susceptible to a successful cyber attack. But this is not only an issue in the healthcare industry. Attacks on medical devices are a prime example of what can happen if you continue to operate your business, or work at home, on out-of-date hardware with old software.


What can you do to avoid incidents like this?

Ask questions of your medical professionals. How do they protect client data? It’s unlikely that they will tell you anything but asking the right people might at least get those with the power to change things to start thinking about their vulnerabilities.

Have a great (malware-free) day!

  • cat1092

    What is & should be scary is that some practitioners are still running XP for their day-to-day operations for some types of programs/procedures. There’s some software & equipment that has no replacement, and that was very expensive at the time of purchase (say it takes 20 years to pay for itself).

    Well, if the ones who initially distributed the equipment never updated the software or hardware for use with Windows 7 or above (or a Linux distro), even if offline only, those computers are a threat to the hospital’s or clinic’s network. Many imaging facilities in particular are using XP-powered hardware, so the risk is very high, even with high-powered protection like Emsisoft Anti-Malware or Internet Security.

    What many don’t realize is that there have been over 200 patches/updates post-EOL of XP, and many of these have been patched for Vista & above. For that matter, not even Vista gets fully updated (using IE9 as an example).

    Until medical providers fix the underlying issues, and have more control over employee access to the Internet (including restrictions on plugging in USB drives & other devices), the problem is not going away any time soon. And in the medical field, it takes years to change.

    Maybe they should have been thinking of the future when purchasing these expensive devices w/out an upgrade path & held off spending; after all, Windows was predictable until W10, providing a new OS every three years (a bit longer between XP & Vista), and it may be that period that’s the issue. The medical clinics cannot gain a ROI if trading for newer equipment, so they run older & pay the consequences as these happen.

    The other looming issue is spending: there’s limited cash in the budget to upgrade equipment, as well as the OSes that power these, so in essence they’re stuck. Insurers are reimbursing less, and patients pay less, plus many don’t meet their end of the deal, paying their fair share.

    It’s very complicated, yet in the meantime hospitals & clinics have to figure out how to better secure their Internet. When running EOL OSes, it doesn’t take much for a botnet to be created, perhaps by a disgruntled employee at a high level, knowing the end of their job is near & inflicting damage however they can. All it would take is a USB drive that has an app like EEK, used on many computers & infections caught. Those infections could somehow be injected throughout the place from that drive’s quarantine folder loaded with nasty malware by one with skills, or simply dumped in a place where it’ll spread on its own, like a cancer.

    It’s up to the medical care industry to police itself, trade in current equipment, even if some negative equity has to be rolled into the new loan, and stay in tune with the times. Of course this will take time, so today is as good a day as any to begin looking for solutions to secure the facilities.


  • FirstSpear

    How can such machines be attacked unless they are part of the network? Why do individual machines need to be part of the network? Revert to dumb, individual-use machines, or cluster networks: small groups of machines that can only interact with each other and have no connection to anything outside their cluster. Given the evidenced impossibility of maintaining the security of anything connected to a wide network, why keep making machines that act that way? Asking for trouble, and stupid.

    • Eagereagle

      Ha ha. These machines become part of a network because people (at the top or in the hierarchy) are often lazy and computer illiterate and think that efficiency is when all commands are in one hand; thus networking ensures that and reduces maintenance costs and payroll since all is located at one level. The real diseases or malware in our society nowadays are bonuses for the top and high dividends for the shareholders. No Emsisoft, unfortunately, can change that. This being said, I love Emsisoft.

  • Sokrates

    Looks like there’s a major misunderstanding behind all this.
    Once, for practical reasons, a satisfactorily working commercial software is put in charge of some critical equipment, that software should NEVER be touched again – except perhaps to update it to a new version specifically tailored to that particular application and thoroughly tested.
    On many occasions sticking with an ‘obsolete’ operating system is not a capital sin but rather the only way to keep a critical piece of hardware (or software) working properly without potentially disastrous surprises.

    Scientific and medical equipment is exempt from keeping up with the fashion trends: it is definitely not meant to play solitaire, to chat or to watch porn on the internet. For a damn complex (and shockingly expensive) space project we resolved to exhume the good old DOS (reliable, predictable, no frills), though slightly retouched to fit our special needs. And none of us feels guilty or ashamed of it.

    That said, having such equipment connected to a public network would be utterly irresponsible: along with professional hackers and malware-spreaders there are a lot of quite smart kids and teenagers out there, each one eager to ascertain whether he or she is really good enough to draw a satellite out of orbit, or to stop a heart, or to cause a terribly exciting general black-out.
    Curiously enough whenever this happens the traditional scapegoats are the software people and the faceless attacker, seldom (if ever) the budget-wary management that decided to save the few K$ required to set up a dedicated intranet not accessible from outside.
    It’s a funny world…

  • Pepper

    I still don’t understand why important systems like administration, hospitals or power supplies etc. are connected to the outside network?
    It’s incredibly stupid to hang a nuclear power supply on the internet; every kid today can reach important systems and by accident open or close an important valve for cooling, for instance.
    A second dangerous thing is old software, dumb low-cost ICT personnel.
    My son does an ICT education and for this he must do a practice placement at a high school. Nothing important, you would think, but a high school with 3000 systems in a network and only one person for network safety is nearly impossible: every day over 500 hacks from outside and then the 1000 tries from inside over 50 servers/modems; unless they are behind 5 firewalls, hackers come through, which needs a load of work to find and close the hole.
    A student with straight A’s for his work who then fails all exams, then you know there is something fishy; looking in the system showed he or a friend falsely changed his tests from D to A.
    Suppose it was/is a hospital, and yes most of them work with low-cost, low-educated IT personnel with old systems.
    Even near-bed systems for heart/lung/temp etc. work with Windows 98 connected to the internet server; from a single patient room you can easily close valves for oxygen on another floor in the hospital or even shut down the operating theatre floor so nothing works and people would die.
    Really, it’s that easy if you want to: just a Linux or Windows phone and all the necessary programs are downloadable from the internet; make contact with 1 system and, well, you can imagine what could happen.
    Hospitals and insurance companies make billions in profit every year, and lose through greatness thousands of lives with the excuse his/her heart stopped suddenly, sorry!

    • TheChosen

      The answer is as obvious as it gets => To NEED FEWER WORKERS, to do the same amount of work in less time and/or to be cheaper.

      See? The Internet of Things is REAL. That is what it’s about. Connecting everything in your world (be it a chair, your smartphone or your fridge) with the internet.

      Making all of it attackable from outside.

      But normal people don’t know this. They think it’s all fine and easy.

      They just care about the lesser amount of work needed to do what they want to do.

  • Un bischero

    IMHO, in these mission-critical cases they should use two different, not physically interconnected networks: an “internal” isolated one and another connected to the outside network.
    For any update or maintenance task that requires a download, they should manually transfer the downloaded update packs.

  • Sokrates

    True, having critical pieces of equipment connected to the web is foolhardy (just a bland euphemism). But few managers would seek competent advice about something they think they already master (after all they know perfectly well how to turn on their own computers, don’t they?), and then setting up an intranet costs dear money that could be used to finance the next Christmas party…
    Little do they seem to consider that along with professional hackers and malware-spreaders there are also legions of clever kids and teenagers out there, each one eager to check if he or she is good enough to push a satellite out of orbit, or to stop a heart, or to cause a terribly exciting general black-out. I know because I was one of them – until my father explained very persuasively to my buttocks the meaning of “responsibility”.

    Nevertheless there’s nothing shameful or sinful (as many here seem to imply) in sticking with ‘old’ software rather than replacing it with a newer – not necessarily better nor fully compatible – version. On the contrary, that’s very often the only way to keep a satisfactory piece of equipment (or of software) up and running rather than keeping up with the whims of fashion and junking it.
    Once an OS is put in charge of a complex piece of critical equipment it becomes an integral part of it, and updating to the next commercial version of the OS would be deadly even in the most optimistic scenario.
    There are incredibly complicated and outrageously expensive scientific monstrosities whose computers run on XP, on 98 or even on good old DOS – reliable, predictable, no frills. And as they aren’t expected to be used to play solitaire, or to chat, or to watch porn on the web, they all talk and listen only on a strictly local intranet.

    • Sean Elvee

      Many opinions and few facts in the comments above.
      I’m in the process of ensuring GLP compliance for a UK-based, internationally respected medical research company to MHRA and OECD guidelines, as recently updated. Timely updating (i.e. inside 30 days from publishing) of OS and application security patches & service packs IS MANDATORY for any computer-based system connected to the network, as is change-management testing and assurance, i.e. keep it secure, test all software changes for errors / crashes / bugs etc. in a limited subset of systems and, when sure, update all systems.
      Perhaps medical regulation in the US is less rigid, but I doubt it. Perhaps they are less worried about compliance, but I somehow also doubt that.
      The real issue was the delay from 1995 (yes, really!) until last April for a new guidance document to be published by the OECD. Sit back and consider if ANYTHING in the IT field is still as it was in 1995.

      • Sokrates

        Are you saying that each time someone in Redmond changes the rules of the game you really rewrite all the drivers and the pieces of software that interact directly with the hardware, and then re-check everything all over again until you’re completely sure? You must be a team of very wealthy heroes!