The medical industry is notorious in the cybersecurity community for their poor security. Despite the value of the data that they have (all of those medical records) and regulations enforcing good data security in many countries (GDPR in the EU, HIPAA in the US, etc.), a depressing number of data breaches occur within the healthcare industry.
In healthcare, however, data security is not the only concern. Both inside and outside hospitals and healthcare centers, there is a heavy reliance on technology. Doctors use a variety of high-tech scanners to diagnose and treat different conditions, and technology is also widely used outside the hospital as well (pacemakers, health trackers, etc.).
The Internet of (Hacked) Things
The healthcare industry is known as one of the areas where usage of Internet of Things (IoT) devices is growing significantly. In fact, healthcare in IoT is expected to be a $158 billion industry by 2022, with usage growing 30% each year.
Unlike our smart light bulbs and microwaves, the IoT devices used in healthcare process and store extremely sensitive and valuable information. A medical device may mean the difference between detecting and treating a potentially terminal illness in time to save the patient, yet this device is connected to the Internet. In the healthcare industry, IoT security is of paramount importance.
Unfortunately, the state of security of IoT devices in general and anything related to cybersecurity in healthcare is pretty bad. IoT devices, including everything from light bulbs to voting machines, have been shown to have extremely poor security out of the box, with hardcoded default passwords (easily guessed or Googled) and poor security settings enabled. This is a recipe for disaster and can cause major problems for both healthcare providers and patients.
The Cyber Cancer Diagnosis
Let’s take a cancer diagnosis for example. Often, people at risk go to a hospital and have the doctors run the necessary scans and tests. One method of detecting cancer is using a Computer Tomography (CT) scan. These scans perform a scan on the patient and save the results on a server for a radiologist to review. While the process may not be perfect (nothing in medicine seems to be), it works well enough. As a result, the patient can feel fairly confident in their diagnosis after the scan is done.
But what if a hacker gets involved? Notice the Computer in CT? Those computers are connected to the Internet, and often they have extremely poor security. Things are so bad that hackers can use Shodan (a search engine like Google but for IoT devices) to find these servers where the images are stored. In order to demonstrate why this is a very bad idea, white hat researchers from Ben-Gurion University and the Soroka University Medical Center in Israel have developed proof of concept malware designed to modify CT scan images stored on the server. This malware is designed to modify the images to add or remove cancerous bodies from the scan. And it’s good enough to trick trained radiologists over 95% of the time when they’re not aware of the attack and over 60% of the time when they know and are looking for it. Still confident in that CT scan?
Detection and Prevention
The reason why this malware works is the poor data security practices of the healthcare organization. In order to succeed, the malware either needs to intercept the images between the scanner and the server or manipulate them once they are present on the server. This requires a significant level of access and control for the hacker on the healthcare organization’s network.
Data security solutions exist for preventing this level of access to the organization’s sensitive data. Any organization that stores or processes sensitive data should consider a solution allowing them to limit access based upon employee roles and monitor for unusual access or usage of data. This simple solution can have a significant impact on an organization’s potential exposure to data breaches or malicious data modifications.
Improving Healthcare Cybersecurity
The implications of this proof of concept malware are troubling (especially since it’s not limited to cancer). By taking advantage of poor cybersecurity in the healthcare industry, hackers can make experts mistrust the results provided by modern medical technology. The simplest solution to this problem would be to cease using this technology, but the impacts of that are significant.
By deploying data security solutions for monitoring access and usage of sensitive data, healthcare organizations can detect and prevent these attacks from succeeding on their networks. These solutions also have the benefit of protecting other data from data breaches, dramatically improving their cybersecurity posture.
