01 Jan 18
01 Jan 18
A hacker compromised a hospital’s computer system, causing monitors, phones, labs, and patient files to all go down. As technology failed them, the staff attempted to keep the peace but chaos erupted, and doctors were forced to get creative in their methods to treat patients.
Fact or Fiction? In this case, the scenario was fiction. It was the plot line from a recent episode of Grey’s Anatomy, a medical drama television show.1 But medical device hacking can happen and has happened in real life.
Medical device hacking is not new. The FBI reports that security breaches involving medical devices date back as far as 2009. Those security breaches included disrupting glucose monitors, cancelling patient appointments, and shutting down sleep labs.2
Because of the May 2017 WannaCry ransomware attack, there has been more coverage of medical hacking in today’s news. The WannaCry attack infected at least 200,000 medical device systems in more than 150 countries.3
In the United States alone, multiple healthcare organisations suffered operational disruptions to medical devices which impacted healthcare services including CT scanners, injection systems, and radiology scan viewing workstations. 3 In the United Kingdom, computers in hospitals and surgery rooms simultaneously received a pop-up message demanding ransom in exchange for access to the computers.4
Ransomware attacks such as these are preventable. WannaCry exploited a known vulnerability in the Windows operating system and then self-propagated to other vulnerable systems on the network. Microsoft released a Windows 7 security patch to protect against this vulnerability several months before the attack. The attack highlighted the healthcare industry’s failure to provide timely patching and updates to their medical device software.3
But ransomware is not unique to the healthcare industry. Remember the recent Equifax data breach? The one that exposed the PII (Personally Identifiable Information) of 143 million people? In that attack, hackers entered the Equifax system through a web application vulnerability. That vulnerability had a patch available for two months prior to the massive data breach.5
There are ways to prevent future attacks. Criminals look for the easiest way to breach the perimeter. Why break a window when you can enter through an unlocked door? Why attempt to circumvent a firewall when you can gain root access through a publically announced vulnerability in an operating system? Promptly patching systems that have security vulnerabilities is not just a simple security best practice. It is good common sense.
Patricia Dreyer is a Senior Manager for DarkMatter. She has decades of experience developing technical training and labs, teaching technical courses, and managing technical training teams and projects.
2 United States, FBI Criminal Investigative Division, Criminal Intelligence Section Financial Crimes Intelligence Unit, Internet-Connected Diagnostic Medical Devices Vulnerable to Hacking (2014).
3 Medical Device Vulnerabilities Pose Growing Risk to US Healthcare Services and Patient Care, report, October 17, 2017, http://orprima.org/images/meeting/092717/pin_171017_001.pdf.
4 Gayle, Damien, Alexandra Topping, Ian Sample, Sarah Marsh, and Vikram Dodd. “NHS seeks to recover from global cyber-attack as security concerns resurface.” May 13, 2017. https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack.
5 Newman, Lily Hay. “Equifax Officially Has No Excuse.” Wired.com. September 14, 2017. https://www.wired.com/story/equifax-breach-no-excuse/.