The same MRI machines that reveal the inner workings of the human body can also expose healthcare professionals to lethal attacks by hackers who use medical devices to infect computer systems with ransomware.
More technology news: How do physicians care for the digitally isolated?
Ransomware—the insidious software that locks up data and enables hackers to demand financial payments to release it—has evolved during the past decade into a sophisticated, multi-billion dollar crime ring, as evidenced by the WannaCry attack this spring that affected 200,000 Microsoft Windows-based machines in more than 150 countries. And, according to a report released by the U.S. Department of Homeland Security, the healthcare field remains one of the richest targets for ransomware attacks because of its need for immediate access to patient records.
But how does a ransomware infection make the leap from medical devices like MRIs into the heart of computer systems at healthcare facilities?
Cybercriminals gain entry through backdoors
Medical devices are often accessible outside of normal network logon requirements because manufacturers maintain separate, backdoor access for maintenance purposes. Cyber thieves manipulate this access point to gain initial entry into a computer network. Then, the malicious software can travel swiftly throughout the whole system when records from MRIs, CT machines, ultrasound and or x-rays are electronically passed around the medical staff, for example.
Regardless of the entry point, once they get in, hackers can wreak havoc on medical care, just as they did to the National Health Service in the UK during the WannaCry attack or at the Hollywood Presbyterian Hospital, which paid $17,000 in bitcoin to ransomware bandits who froze the data for more than a week in 2016.
While WannaCry victims were running Windows 7, which still has security updates from Microsoft, , medical devices are even more vulnerable to ransomware attacks because they operate on older legacy systems such as Windows XP, which is no longer supported by Microsoft. Consequently, even if a medical facility protects its IT network, it remains vulnerable if a laptop connected to an MRI is still running on old software. In other words, cyberthieves can get into a system through the backdoor in a medical device, just like traditional robbers can find a way into homes when families leave on vacation and inadvertently lock up everything except the rear windows.
Even though Microsoft announced it would no longer support or provide security updates for Windows XP in 2014, medical facilities continue to depend on devices using that version of the operating system. The June Department of Homeland Security report also found that “…as of April 2017, an estimated 7 percent of global desktop computers still use Windows XP operating systems.”
More advice: How to develop a culture of cybersecurity
The prohibitive cost of medical equipment such as MRIs or CT scanners often prevents hospitals, surgery centers and doctors’ offices from replacing older machines or other devices that operate on outdated software. Or, vendors may only provide an upgrade if a medical facility agrees to spend thousands of dollars on new devices. For example, the purchase of the latest $200,000 camera for imaging equipment is required in order to make it compatible with newer versions of Windows. In fact, concerns about compatibility issues, in general, can prevent some healthcare professionals from updating their equipment.
Assess risks to address vulnerabilities
Regardless of the reasons, medical practices leave themselves open to attacks by unscrupulous hackers when they delay upgrades. Like a slow-growing cancer, malware that infects medical devices operating on older software can remain dormant for a long period before erupting into ransomware demands that debilitate the whole network. To catch cyber culprits in the early stages—or to prevent them from gaining access in the first place—it is essential to perform a security risk assessment (SRA), which provides a comprehensive review that includes these steps:
· Inventory all network connected medical devices
· Analyze the access/credentials for those devices
· Identify and document all electronic protected health information (ePHI) repositories
· Identify and document potential threats to each repository.
These steps represent only part of an SRA. Medical practices must also back-up and encrypt their data, conduct vulnerability scans, develop backup/disaster recovery plans, and train employees to spot phishing scams that could lead to malware and ransomware attacks.
Further reading: How to protect your practice when data breach hits a partner
The rapid proliferation of medical devices demands that active measures to protect patients from harm by hackers keep pace. That means practices cannot afford to lag behind in keeping all access doors to health data firmly locked.