Is Healthcare Security in Critical Condition?

Ransomware that brings down hospital systems, disables CT scanners and other medical devices and won’t allow patients to be treated. Medical records stolen and sold to the highest bidder. Hackers taking control of pacemakers and insulin pumps. Nation states attacking an entire country’s medical infrastructure.

These are just a few of the potential security dangers that security experts say face the United States healthcare system. The dangers have been known for years, and attempts have been made to secure it. But is the system and its patients more secure today than in the past? Here’s what the experts have to say.

What the Security Reports Say

Perhaps the most in-depth examination of healthcare cyber security was carried out by the Healthcare Industry Cybersecurity Taskforce, funded and overseen by the federal Department of Health and Human Services. When the group released its final report in 2017, it summed up its findings succinctly: “Healthcare security is in critical condition.”

Further, it pointed to a “severe lack of security talent,” vulnerable legacy medical equipment, and the difficulties of protecting an almost impossibly complex medical system made up of “very large health systems, single physician practices, public and private payers, research institutions, medical device developers and software companies, and a diverse and widespread patient population.”

A 2018 Symantec report, “Cyber Security and Healthcare: an Evolving Understanding of Risk,” soon followed, and warned that healthcare cyber risks were rising, in part because health data has become a high-value target for cyber criminals. Perhaps even more frightening, it added, healthcare organizations have become “high-profile targets for hacktivists and nation states.”

What the Experts Say

Have things gotten better since then? Dr. Christian Dameff, an emergency room doctor at the University of San Diego and cyber security researcher with a focus on healthcare, says the results are mixed.

“There’s been progress,” he says, “But we’re still far behind where we need to be. We still have daily breaches. We don’t do a good job with data security. But at least we’re beginning to recognize the problems and turn the tide.”

Large hospitals and healthcare systems in metropolitan areas are the most protected, he says, because they have the funds and sophistication to address the problems. But facilities in more remote and rural areas lack funds and know-how, and so are most at risk.

But even the most sophisticated hospital systems, he believes, “don’t have a coherent cyber security strategy in place. It’s not because they don’t want to. It’s because no one has been able to establish one yet. You can’t just borrow a security playbook from finance or other industries. The healthcare industry is far more complex than other industries when it comes to cyber security.”

Among the difficulties are that hospitals “Are Frankensteins put together from disparate parts — they include hundred-plus vendor systems with poor interoperability between equipment.” Medical devices such as CT scan machines frequently run on outdated operating systems like Windows XP that can’t be properly protected — and large systems can have hundreds of such devices, each with their own unique, one-off security challenges.

He adds that in other sectors, such as the financial industry, it’s easy to know when you’ve been attacked — money goes missing. But in healthcare, people get sick and die every day, and it can be difficult to know the reasons for it. So, there’s no obvious red flags that signal a hacker has invaded a system.

Beyond that, he says, “many vulnerabilities have nothing to do with medical systems — they’re with off-the-shelf software like databases that aren’t being protected properly.” The impact of them being hacked is more serious than if it happens in another industry, he explains. If a hacker brings down an entire hospital system, it means that vital tests can’t be done, and treatments can’t be given because medical professionals have no access to patient data, and medical devices won’t work when the hospital infrastructure goes down.

Urgency, not Panic Needed

Symantec Technical Architect Axel Wirth says that despite the myriad cyber dangers to the healthcare system, “I don’t think it’s a ‘the-sky-is-falling’ type of situation, so we shouldn’t panic. But we should proceed with a sense of urgency.”

He says there has not been a documented incidence of a medical device such as a pacemaker being taken over by hackers and then used to harm a patient. And he worries that if the potential dangers of medical equipment being hacked get overblown, “There’s an opportunity for over-reaction and patients may reject perfectly sensible medical treatment out of the fear of cyber attacks.”

However, he says that hospitals are still in danger of being victimized by ransomware, malware and other attacks, and he concurs with Dr. Dameff that the complexity of the healthcare system makes it difficult to protect it. He suggests a number of solutions, including medical device makers warning hospitals and doctors about device vulnerabilities, hospitals including security requirements in purchasing agreements with manufacturers, and government taking actions to ensure new devices meet cyber safety requirements.

He also emphasizes that public education of patients and doctors about cyber dangers of medical devices is vital — for example, about the importance of having medical device firmware updated when device makers recommend it.

Dr. Dameff adds that there has been progress in cyber protections, notably by the FDA in security regulations for new medical devices. But ultimately, he believes the solution to medical cyber security requires much more than isolated actions from government, the industry and manufacturers. The only way to protect the healthcare industry and patients, he concludes, is that that government and industry “treat our medical system as critical infrastructure, in the way they treat our electrical grid. Only then can we make real progress towards securing it.”