By Pieter Danhieux, Co-Founder and Chairman/CEO of Secure Code Warrior
Cyberattacks have become a way of life these days. People almost expect to hear news about some new vulnerability or breach that affects everything from banking to aviation, or devices as diverse as smartphones and traffic lights. Even our homes are no longer completely safe. Entire cities and towns are being attacked by criminals almost daily with hackers demanding millions in ransom to restore compromised critical services.
But one place where we could hopefully still feel safe was at the doctor’s office or even in a hospital. People are at their most vulnerable when reaching out to a healthcare provider. Human decency would almost demand that the local clinicians be allowed to do their noble jobs in peace. Unfortunately, that is not happening. There seems to be little honor among today’s cyber-thieves. In fact, healthcare could be the next “great” cybersecurity battleground, with hackers attacking the very machines that diagnose medical problems, provide treatments and sustain life.
Threats are getting more personal than ever before.
Attacks against the healthcare industry are not new. Cybercriminals already know the value that patient information, personal data, and financial records have in the underworld and on the dark web. That information can be used to steal money directly from patients, or as a launching point for secondary attacks such as phishing and other scams. It’s no wonder then that many of the most devastating attacks lately have been aimed at healthcare. Anthem Healthcare had 80 million patient records stolen. Premera lost 11 million personal files. CareFirst’s total was 1.1 million compromised records, and the list goes on and on.
As of right now, attacks made directly against medical devices seem rare. However, at least one report suggests that the problem might be much more widespread, with hospitals not reporting the intrusions, or employees untrained in cybersecurity simply not recognizing that an attack is taking place right in front of them. The ability to compromise medical devices in frightening ways, such as using malware to add fake tumors to CAT scans and MRI results, has been conclusively demonstrated by security researchers. It’s not very much of a leap to think that attackers may already be doing the same or similar things to medical devices in the real world.
Healthcare is also uniquely vulnerable to cyberattacks thanks to its increasing reliance on devices within the Internet of Things (IoT), tiny sensors that are connected to the internet and which produce incredible volumes of information. For the most part, securing the information produced by those sensors, the channels they use to communicate, and even the sensors themselves, has been little more than an afterthought. The number of potential vulnerabilities that an attacker could exploit hiding within those IoT-dominated networks is likely almost limitless.
IoT in healthcare poses serious risks.
Services critical to patient care – which in some cases weren’t even imagined 20 years ago – are breeding grounds for both IoT-based and other more traditional vulnerabilities. Electronic medical records, telemedicine, and mobile health were all seemingly waiting for the boost of information that IoT could provide. It’s no wonder that the commitment to IoT in the healthcare sector is staggering. MarketResearch.com predicts that by next year, the IoT market in the healthcare sector will reach $117 billion, and continue expanding at a rate of 15% every year after that.
In that environment, skilled attackers can find plenty of vulnerabilities that can be used to exploit medical devices. IoT sensors embedded inside medical devices generally communicate and produce their data in one of two ways. Some gather data and then transmit all of their findings directly to the internet for analysis. Others use a form of distributed networking known as fog computing where the sensors themselves form a sort of mini-network, collectively deciding what data to share with a central repository or platform. That data can then be further processed or directly accessed by healthcare workers.
Further complicating cybersecurity matters within healthcare is the fact that the industry has never embraced. nor agreed upon, data handling standards, methods or protections. Historically the healthcare industry has been served by manufacturers that offered their own proprietary technologies for medical devices. Today this includes the embedded IoT sensors, the communication channels the devices use and the platform for analyzing the data after it’s collected. This makes most hospital networks a hacker’s dream, or at least a fine proving ground where they can exploit everything from security misconfigurations to insufficient transport layer protection. They can try anything from cross-site request forgeries to the classic XML injection attacks.
The counter-punch we need is right in front of us.
Despite the potentially catastrophic consequences of these vulnerabilities being exploited, there is something to remain optimistic about: these security bugs are not new, powerful back doors opened by criminal masterminds. They’re so common that it is frustrating to keep seeing them, time and time again. Part of the reason they rear their ugly head is through the use of legacy systems that have gone unpatched despite fixes being available, but the other is once again related to the human factor. Developers are writing code at a cracking pace, and they’re concentrating on a slick, functional final product…, not security best practice.
There is simply too much software being built for AppSec specialists to be able to keep up, and we can’t expect them to constantly save the day with these recurrent vulnerabilities. It is cheaper, more efficient and clearly much safer if these vulnerabilities are not introduced in the first place, and that means security teams and developers must go the extra mile to create a robust, end-to-end security culture.
What does a great security culture look like, exactly? Here are a few key elements:
- Developers are equipped with the tools and training they need to squash common bugs (and understand why it’s so important to do so)
- Training is comprehensive, easily digested and plays to developer strengths
- The outcomes of the training are properly measured, with metrics and reporting (not just a tick-the-box and move on exercise)
- AppSec and developers start speaking the same language: after all, in positive security culture, they’re working to achieve similar goals.
The possibility for disaster is still enormous and goes well beyond just having a patient’s medical records stolen. Injecting fake tumors into a scan could devastate a person anxiously waiting to hear if they have cancer. And changing out medicines or altering treatment plans could actually kill them. But, it only takes one cybercriminal willing to cross that line for profit, and you can guarantee that it will happen. Perhaps the next ransomware scam won’t encrypt a hospital’s data, but instead, ruin the diagnoses for thousands of patients. Or perhaps an attacker will threaten to alter medicines unless they get paid, literally holding lives for ransom.
It’s clear that we can no longer follow the “business as usual” approach when it comes to cybersecurity in healthcare. We can’t rely on one or two specialists at healthcare organizations to fix every problem. Instead, we need security-aware developers working on healthcare apps and devices to recognize potential problems and fix them before they are deployed at facilities. And even healthcare workers could use basic cybersecurity training.
It’s true that nothing is more important than your health. Within the healthcare industry, maintaining good cybersecurity fitness for the future will depend on facilitating better overall security awareness today. Without serious treatment, this is an issue that is only going to get worse.
About the Author
Pieter Danhieux is a globally recognized security expert, with over 12 years’ experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems, and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA – Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
Learn more about Pieter at https://insights.securecodewarrior.com/