Until fairly recently the medical community was not aware of the fact that there are hackers out there who have the ability to infiltrate a hospital’s medical devices and exploit the data contained in them for profit or for other purposes. Even though these devices tend to be protected using a firewall, they are still highly vulnerable to potential hacker attacks.
What’s more, the number of devices used in hospitals has been growing for decades. Roughly 20 years ago, there was just one medical device for a single patient, on average. Today, there are approximately 10 to 15 devices per bed. In total, in the United States alone, the estimates total number of such devices is between 10 and 15 million. When a hacker is capable of infiltrating one such a device or hospital, that person has the ability to do the same with other hospitals, too, as they often use the same type of equipment.
So the first thing to ask is: what kind of data could be stolen?
The computers at hospitals often store personal information about the patients, including their Social Security numbers, dates of birth, addresses, relationships within the family, and emergency contact information. This data can easily be used for blackmailing. On top of that, many hackers do not hesitate to assume the identity of the person whose data has been stolen, thereby engaging in insurance fraud and other types of fraudulent behavior. It’s also not uncommon for hospital PCs to also contain credit card information of the patients. This information has value to the hacker, as it can be used to make purchases online and in certain cases, is re-sold.
Devices That May Be Targeted
The list of devices certainly does not end with computers, however. There are also ventilators, CT and MRI scanners, infusion pumps and other types of medical equipment that can be accessed externally and controlled from a far distance. This is because most, if not all of these devices, are connected to the Internet. They also tend to be inter-connected so once one of them is infiltrated, the others are usually affected as well.
Consider an infusion pump as an example. These can be found in virtually every hospital room, attached to a stand right next to the patient’s bed. What’s scary is that these pumps are usually controllable from a distant location. A capable hacker could find a way to push these buttons without a remote control and pour an overdose of a drug into the patient’s body, which could prove to be fatal. Even a slightly higher dose can be lethal in some cases.
Hackers use various tactics to get into the system. They can take advantage of email phishing and send deceptive emails to the staff of the hospital, making them believe the email is coming from an acquaintance, a colleague, or a friend. These emails often contain malware, which once installed, gives a hacker to the device. In many cases, once one device is infected with malware, a hacker can then infect other devices as well, thus gaining full control of the networked medical device system.
How to Protect Yourself
Fortunately, since there have been many attacks on hospitals in the past, hospitals can now learn from how these events took place in order to be able to anticipate such an attack and take measures to prevent it from happening. It is advisable to use up-to-date antivirus software on the computers used within the hospital and perform regular scans to decrease the likeliness of having some sort of malware on the computers. Often times, the malware is kept hidden from you and, just like viruses that attack living cells, may remain dormant for many months until a hacker realizes your computer is infected and exploits it.
If a member of the hospital staff finds out one of the devices is under a cyberattack, one thing to consider is to disconnect all of the devices from the internet. As the saying goes, anything that is connected to the internet can be hacked in one way or another. Until recently, medical devices, such as infusion pumps, were not online and so hospitals still need to get accustomed to the idea that their equipment could be attacked. Many of them simply do not consider this to be an option due to a lack of imagination. They do not see why a hacker would be motivated to choose a hospital as the target. However, there is a motivation behind such actions, as the hacker is trying to get the patients’ bank account information and other pieces of highly confidential data. Therefore, it is a bad idea to under-estimate this menace.
One thing a hospital can do to be prepared is to use medical devices created with security as the primary goal. A tablet with an added layer of ID verification can be the way to go. Such a tablet may include a fingerprint reader, so that only authorized personnel may access the data on the tablet. Furthermore, it can feature a smart card reader to allow only people with the card to access the device.
Cybersecurity in hospitals is a growing concern not only in health care but in defense and other areas, too. As an example, a metallurgical furnace located in Germany was cyberattacked and the iron contained in the furnace was cooled and solidified in the process. The incentive for hackers is mostly financial, but sometimes they pick an institution just because they want to do harm, just like in the case of the furnace. The most effective ways to tackle this problem and prevent security breaches within your organization are to:
- Use modern, secured devices
- Continuously stress the importance of security to your employees