An industry in turmoil: Poor cyberthreat prep puts patients in danger

Healthcare is "an industry in turmoil" where patient health is "extremely vulnerable" due to insufficient cybersecurity efforts, according to authors of a two-year research study published this week.

For the study, conducted by Baltimore-based Independent Security Evaluators, researchers assessed 12 healthcare facilities, two healthcare data facilities, two active medical devices from one manufacturer and two web applications, from January 2014 through January 2016. The research comprises "hands-on analyses" of the systems, tools and budgets, as well as interviews with hospital, data center and devicemaker employees.

The researchers noted two "major flaws" regarding the healthcare industry's threat model:

  • An almost exclusive focus on protection of patient records
  • Most measures taken address "unsophisticated adversaries" and aim to stifle "blanket, untargeted attacks"

"As a result, a multitude of attack surfaces are left unprotected, and attack strategies that could result in harm to a patient are not considered," the researchers say.

For instance, regarding remote access to hospital networks, the researchers point out they saw little to no control exercised over parties given such responsibilities; what's more, they said, access oftentimes was too broad.

 "Without control of the remote networks and systems, it is exceptionally problematic [if not impossible] for hospital IS or IT to ensure that those connected systems are safe, and not infected with malware or opening the door for an advanced threat to launch an attack," the researchers say.

They also point to insufficient funding, a lack of security personnel and poor training as the reasons for most security issues in hospitals. "Without proper policy in place, it will likely lead to heavy waste and the implementation of ineffective technical security measures," the authors say.

Recent ransomware attacks on providers--such as the one on Los Angeles-based Hollywood Presbyterian Medical Center that ended with the hospital paying a $17,000 (40 bitcoins) ransom to reestablish control over its electronic systems--do nothing to dispel the conclusions reached by the researchers. A Forrester Research report published last fall predicted that medical devices and wearables would be targets of increasing ransomware attacks in 2016.

Last month, the FDA issued draft guidance on postmarket cybersecurity of medical devices. It followed up on previous guidance published in October 2014 outlining how medical devicemakers should address cybersecurity risks in the pre-market design of their products. IEEE Cybersecurity Initiative also published guidance on medical device security during software development.

To learn more:
- read the full report (.pdf)