17 Nov RANSOMWARE EPIDEMIC – WHO IS NEXT?
Nimisha Singh Verma is Healthcare IT consultant. She brings with her experience of various esteemed healthcare organizations Optum, Religare Technologies and tertiary care hospitals. Authored chapter on Indovation in Innovations in Healthcare Management: Cost Effective and Sustainable Solutions book published in US.
Ransomware epidemic is spreading in healthcare like wildfire due to its increasing digitalization which is and will attract more attention of hackers.
The healthcare industry has been a victim of various cyber attacks in the last few years. According to recent studies, healthcare has outnumbered financial services and become the most cyber attacked industry. The latest in cyber-attack is ransomware wherein the hacker encrypts the data and threatens to publish it until the ransom is paid in form of bitcoins. In US alone, healthcare industry was the victim of 88 per cent of all ransomware attacks across industries last year.
The recent case of WannaCry ransomware crippled the IT systems of NHS, UK. And after hitting NHS, it spread globally targeting more than 99 nations. The hackers demanded payment of £300 – £600 to unlock systems and have earned about £55,000 in ransom.
Ransomware has indeed become a lucrative revenue source for hackers due to which the number of attacks is predicted to quadruple by 2020. Medical records have 10-20 times more value than the credit card data in the internet black market. Ransomware epidemic is spreading in healthcare like wildfire due to its increasing digitalization which is and will attract more attention of hackers. Also, the vulnerability of the health data tends the organizations to pay the ransom to get the data back to maintain privacy and confidentiality of patient data.
Even after so many cases of cyber attacks compromising millions of electronic health records each year, the healthcare industry is inadequately prepared to prevent and resolve these attacks. Whether it is India or US, cyber security is always discussed in forums and budget is allocated for the same but is not put to proper use. Cyber attacks happen due to outdated security infrastructure or employee negligence.
Hospitals and insurance companies have been the main targets of hackers. But, a new vulnerability is catching everyone’s attention i.e. medical devices. The next nightmare in ransomware attacks could be hacking of medical devices such as insulin pumps, pacemakers, defibrillators, implants etc.
Disfunctioning of medical devices can be catastrophic. Just imagine, hackers take control of one’s pacemaker and ask for ransom or else they would manipulate the device which could be fatal. This kind of attack has been showcased in the very famous TV show Homeland wherein the Vice President dies due to hackers remotely disable his pacemaker.
Just like the serial, the former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless functionality due to fear of possible assassination attempts as revealed by him during an interview in 2013. This clearly showcases that medical devices can be the next target for hackers.
Regulators such as FDA are increasingly getting concerned about medical device security and have issued warning. In 2015, for the first time FDA issued safety notice to hospitals which strongly discouraged hospitals to use an infusion pump which was found to be vulnerable to cyber attacks. But it has been observed that FDA did not force the company to fix the devices being used in the hospitals and didn’t investigate other insulin pump models. This shows that FDA needs to be more stringent towards medical device security. The vulnerability of infusion pump was pointed out by a white hat hacker Billy Rios during his hospital stay.
Few of the medical device companies/providers have been proactive in strengthening their device security such as Johnson & Johnson in Oct 2016 warned 114,000 diabetic patients about a security lax that a hacker could exploit in one of its insulin pumps (J&J Animas OneTouch Ping). The hackers can disable or alter the dosage which could be fatal. J&J suggested ways to the patients for mitigating risk.
There have been no documented cases of medical device hacking till date but demonstrations have been conducted in research environment. One such example is of Barnaby Jack who succeeded in hacking an insulin pump and demonstrated giving off lethal dose of insulin without the pump alerting the user. Another example is that of St Jude Medical’s implantable devices such as pacemakers, defibrillators, and resynchronization devices. The radio frequency (RF) enabled St. Jude medical implantable cardiac device and corresponding Merlin@home Transmitter enables transmitting and receiving patient data stored on the device to the physician to monitor his health. But FDA reviewed the device and confirmed about cybersecurity vulnerabilities, if exploited, could be fatal.
Also, researchers at TrapX Security analysed three hospitals for medical device hacking. The deception technology was installed which utilized emulated medical devices in the hospitals. These emulated devices attract and trap hackers so that TrapX could trace the hackers activity. These fake medical devices such as Radiation Oncology system, LINAC , Fluoroscopy, PACS and Xray system appeared real to the hackers and TrapX could monitor hacker’s activity.
According to TrapX, these hospitals utilized older version of Windows that made it vulnerable and most medical devices did not have additional endpoint security software which made the attack undetectable. It was also noticed that the main goal of hackers was to steal medical records not to manipulate the device.
Another research at University of South Alabama showcased how they hacked pacemaker and killed a medical simulator called iStan. The $100,000 medical dummy comes equipped with robotics that mimic the human cardiovascular, respiratory, and neurological systems. The researchers could speed the heart rate up or could slow it down. Not only pacemaker, researchers could manipulate an insulin pump or a number of things that would cause life-threatening injuries or death. This clearly illustrates why medical device security is important.
With the advent of IoT, where devices are connected via internet should focus on cyber security. Industrial experts are realizing that cyber security is prime priority for all the devices connected to the internet.
Devices such as wearables, smart bed, smart emergency system, etc. are all lagging behind in cyber security. Apart from medical devices, surgical robots are not being scrutinized for cyber security. Just imagine, surgical robots been hacked which could lead to life threatening situation of the patient. One such demonstration has been showcased by researchers at University of Washington in 2015. They hacked a tele-operated surgical robot, Raven II. The experiment demonstrated three types of attacks that made telesurgery vulnerable with this robot. The researchers demonstrated how they took complete control over the robot and disrupted the operation.
All of this sounds scary but it can be prevented if we are well prepared. It is important to understand that not only regulators like FDA need not address the challenge of cyber security but also the medical device vendors and providers should take shared responsibility. It has been observed that providers point the device manufacturers to be accountable for cyber security for responding to vulnerabilities and providing fixes for the same.
On the other hand, the device vendors hold providers responsible for their negligence and having outdated network protection. To be safe from such attacks, organisations should review their cyber defence strategies and budget. Also, employee training and awareness needs to be tackled to avoid falling for opening phishing mails and change passwords regularly.
It has also been observed that providers such as middle scale hospitals, clinics or laboratories have often overlooked cyber security as priority as they believe not much data is present with them and only the big organisations are in trouble. Which is not true, as hackers are aware of the precious financial and patient data these clinics hold and are aiming at clinics or small hospitals also to get the data. So, they should also focus on medical device security.
The next big thing in helping fight against cybersecurity is artificial intelligence (AI). According to some analysts, the advantage of using AI is it can help predict cyber attack before it happens with the use of behaviour analysis. It alerts security team on any behaviour deviation or authentication failures while accessing records. AI not only helps in detecting threats quickly but it is also cost efficient compared to the money paid by companies in ransom. It does not replace security tools but acts as an additional layer of security. AI can also help in analysing employee behaviour for avoiding any internal security breach. AI can help in bridging the shortage of skilled cyber security professionals also. According to Centre for Cyber Safety and Education, there is a shortfall of 1.8 million cyber security professionals by 2022 worldwide. Companies such as IBM are already investing in AI system Watson for cyber security.
Also start-ups such as Cognetyx are providing cognitive cyber surveillance solution to healthcare organizations. Use of AI for cyber security in other areas has been showcased, for example, the Las Vegas city officials and UK government to monitor their Public Services Network and protect their records from security threats. Whereas, the successful implementation of AI in healthcare cyber security is yet to happen.
The next wave of medical device cyber attacks can be prevented by collaborative approach and commitment from all the stakeholders. Not only the healthcare organizations should make sure their security practices and strategies are updated but the government should also help in skill development of cyber security professionals and encourage more research on medical device security by providing medical device at low cost. Since medical devices are expensive and require license, it makes it difficult for researchers to explore this area. At the end, we should not forget that we have to stay a step ahead of hackers to be a hard target for them.
Read all the issues of InnoHEALTH magazine:
InnoHEALTH Volume 1 Issue 1 (July to September 2016) – https://goo.gl/iWAwN2
InnoHEALTH Volume 1 Issue 2 (October to December 2016) – https://goo.gl/4GGMJz
InnoHEALTH Volume 2 Issue 1 (January to March 2017) – https://goo.gl/DEyKnw
InnoHEALTH Volume 2 Issue 2 (April to June 2017) – https://goo.gl/Nv3eev
InnoHEALTH Volume 2 Issue 3 (July to September 2017) – https://goo.gl/MCVjd6