Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain
Cyber actors will likely increase cyber intrusions against health care systems—to include medical devices—due to the mandatory transition from paper to electronic health records (EHR), lax cybersecurity standards, and a higher financial payout for medical records on the black market.
The deadline to transition to EHR is January 2015, which will create an influx of new EHR coupled with more medical devices being connected to the Internet, generating a rich new environment for cyber criminals to exploit. According to open source reporting from SANS, Ponemon, and EMC²/RSA, the health care industry is not technically prepared to defend against cyber criminals' basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs). The health care industry is not as resilient to cyber intrusions as the financial and retail sectors are; therefore, increased cyber intrusions are likely.
In addition, as health care systems become more interconnected and share patient data, cyber criminals find it easier to access sensitive information. A 2013 Black Hat USA presentation on attacking medical devices showed how a person could remotely access an insulin pump and change the dosage, which could lead to patient death. The presenter also demonstrated remote access to a patient's pacemaker, showing how altering its settings could pose life-threatening risks.
Medical devices lack strong protection because their design does not prioritize security. They are also difficult to patch and often lack basic security features like encryption. As a result, these devices are prime targets for cyber criminals who are looking to exploit them for financial gain.
The health care industry must strengthen cybersecurity to safeguard patients, staff, and sensitive data from these threats. Cybersecurity awareness and training should be mandatory for all health care employees. In addition, health care organizations should work with their IT staff and outside cybersecurity experts to identify and mitigate potential risks.