Medical devices are a weak link in hospital cyber defenses, putting patients in the crossfire: study

Patients are feeling the effects of cyber attacks entering through the internet of medical things as hospitals continue to pass the buck.

Half of hospitals have been attacked with ransomware with 45% of organizations stating they believed the attacks were affecting patient care, according to a study released by Cynerio and Ponemon. Out of the group attacked, over half believed cyber attacks were indirectly responsible for increased mortality rates. The report cited integral medical devices being a weak link in hospital armor and a lack of foresight sending hospitals spiraling into attack cycles.

“What we find is that the healthcare industry is by far the highest risk industry with respect to emerging threats and vulnerabilities and real attacks, not just the possibility of an attack, but real legitimate attacks,” said Larry Ponemon, founder and chairman of the Ponemon Institute. “These organizations have been inept in implementing security processes, especially if we include issues around IoT, internet of things and internet of medical things.”

Ponemon pointed to these devices that are ubiquitous in hospitals, everything from MRI machines to heart rate monitors, which were involved in 88% of data breaches. Furthermore, 79% of organizations do not consider the cybersecurity of these devices “mature,” and only 33% of survey respondents reported keeping an inventory of the attacked devices. Without the proper defense, these devices can become revolving doors for hackers, experts say.

“Medical devices create problems for organizations that don't understand how to secure them,” Ponemon said. “Based on our study, and other studies conducted, the weakest link in the security chain within healthcare is managing these devices, because it's not one device. It's hundreds of devices.”

Chad Holmes, security evangelist at Cynerio, said the issue is not ignorance of the cyber threat or an unwillingness to address it, but the prioritization of patient care above cybersecurity. He said these new technologies have been adopted at a rapid rate for their life-saving functions but without an adequate assessment of the risks they pose.

“One thing that's really challenging in health care networks is that they're typically considered flat, meaning they're not segmented,” Holmes said. “It's easy for traffic to bounce around, so an attack may not go into an IV pump, necessarily, although it can, but once it's in it can use those hundreds of thousands of IV pumps to kind of replicate throughout the environment.”

If a system is attacked once in this way, it’s likely less expensive to pay the ransom than refit the entire system, but Holmes said that if a hacker perceives a target as a potential steady source of revenue, an attack cycle begins. In cases like the infamous University of Vermont Medical Center hack, it’s undoubtedly less expensive to include cybersecurity in this year’s budget, not next. With half of survey respondents choosing to pay the ransom simply because it was the quickest path to recovery, the threat of future attacks only continues to grow.

On average, systems are paying $250,000 to $500,000 in any single ransomware attack, according to the study. That's not mentioning the fees incurred due to lost patient information, per the 2009 HITECH Act dictating that health institutions be charged steep penalties for exposing patient records.

“It's easy to say, 'Hey, let's wait till next year.' If you keep doing that you're going to keep getting attacked,” Holmes said. “I think that's what this report says, at least on the connected devices side of things. The reported average is 3.4% of overall IT budget going to security for those devices. You got to remember these devices are 40% to 50% of the network footprint, both in terms of traffic and actual physical devices. So that spend is disproportionately low, and if you're going to adopt them all, they do provide great care, but you have to also consider securing them at the same time.”

There have been warnings and anecdotal evidence of the impacts on patient care, but cybersecurity researchers say that regardless of an attacker's motives, the collateral damage of an attack frequently involves increased mortality, more cumbersome procedures, longer patient stays and delayed service. In the case of ransomware, the consequences can be dire. During an attack, the internet of medical things can be encrypted and locked until the ransom is paid.

“What you have is an emergency situation, where a doctor is used to seeing heart rate monitors and 10, 15, 20 different devices that are connected being immediately unavailable,” Holmes said. “When you take all those resources away, the doctors have to fall back on training; the nurses have to go back to stuff that would be done in the 70s and 80s. All technology goes out the window there.”

With Holmes’ estimate that most hospitals are 10 to 15 years behind the cyber curve, he said the best and first thing they can do is put patients first by investing in cybersecurity immediately.