Hospitals are risking patient lives by failing to protect critical computer systems that can be manipulated by attackers. In a scathing report that looks at the current state of hospital security, researchers say everything from bedside patient monitoring systems, automated drug dispensing machines to patient records are inadequately protected.
The finding are from Baltimore, Md-based firm Independent Security Evaluators who conclude that hospitals need to overhaul their security systems or risk patient fatalities. Researchers say they were able to hack hospital systems and devices along with disabling patient alarms designed to alert staff to a life-or-death health event.
“Hospitals are focused on things like HIPAA compliance and not enough on critical security vulnerabilities which, if exploited, could result in patient harm or fatality,” said Ted Harrington, executive partner with Independent Security Evaluators, in an interview with Threatreport.
In the study (PDF), to be presented Tuesday at the RSA Conference conference in San Francisco, researchers reviewed the security protocol at 12 hospitals. It also looked at medical devices and healthcare data facilities. Part of the review included proof of concept hacks, with consent of all hospitals.
In one attack, researchers were able to hack into a hospital’s back-end network via a public information kiosk located in the hospital’s lobby. Nearly a dozen other security holes were exploited by researchers ranging from remote, local, and physical attacks.
Malicious attacks might include hacking a hospital’s automated pharmacy system and changing a patient’s dosage levels so they were too high or low. Other examples include increasing the power of an X-ray machine to deliver a lethal dose of radiation or disabling a defibrillator.
“We were able to circumvent hospital perimeter defenses in several ways from a remote vantage point, primarily by compromising externally facing web applications,” said Stephen Bono, founder of Independent Security Evaluators. “Once we had control of those servers, we were now on the hospital network and had a ‘local’ vantage point.”
Researchers also baited hospital staff with malware infected USB sticks with the hospital’s logo. Eighteen drives were planted so staff would discovered them. Within 24 hours nearly all the USB drives were used at nursing stations which simulated the request of malware from a remote server, according to the report.
“Being local, grants a far wider field of options for an attack, but we were able to demonstrate these attacks are possible remotely, which is the worst case scenario,” Bono told Threatpost.
The healthcare industry has been fortunate, with no reports of fatalities related to a malicious hack. But, Harrington said, hospitals have been increasingly targeted by criminals. Earlier this month, the Los Angeles-based Hollywood Presbyterian Medical Center paid 40 bitcoins ($17,000) to attackers that locked down access to the hospital’s electronic medical records system and other computer systems using crypto-ransomware.
There have also been well documented vulnerabilities in devices such as insulin pumps. Last August, the U.S. Food and Drug Administration recommended that hospitals stop using a medical device that it said were vulnerable to hackers.
Independent Security Evaluators maintain hospitals need to overhaul how they approach security starting with recognizing accountability within the entire healthcare ecosystem. “Hospitals are the ones on the hook when it comes to security and patients,” Harrington said. But patient safety relies on best practices starting with outside system integrators, software developers, device manufacturers and cloud service vendors, he said.
“The irony is hospitals are so careful about everything from washing hands, HIPAA compliance to making sure patients get the best care possible,” Harrington said. “But when it comes to security, the number of vulnerabilities are eye popping.”
Hospitals that participated in the study acknowledged their security shortcomings, Harrington said. But many of them lacked the budget and know-how to tackle the problem fast and effectively. Independent Security Evaluators recommend hospitals assess threats, understand risk and train staff to identify and avoid vulnerabilities. Next, hospitals need to develop a long-term plan with actionable short-term goals.