How connected devices put health care at risk

When crucial health care systems and devices are exposed and accessible through the internet, it puts daily operations and patient care at risk.

The health care industry is one of the most attractive sectors to hackers. Not only do hospitals, doctor offices and other facilities store and have access to an array of patients’ personal information, but many organizations also have financial details on file to facilitate billing processes.

One of the most damaging attacks on the health care sector took place just last year when the now-infamous WannaCry outbreak impacted organizations across more than 100 countries.

According to Trend Micro’s Securing Connected Hospitals report, this ransomware infected National Health Service systems, preventing facilities from accessing patient records. The attack created scenarios in which infected hospitals were forced to reroute ambulances to other facilities. Doctors even had to cancel appointments and reschedule surgeries, all thanks to WannaCry.

This is by no means the first time the health care industry has been impacted by a far-reaching attack, and it likely won’t be the last.

“As hospitals and other health care facilities adopt new technology, add new devices, and embrace new partnerships, patients get better and more efficient services – but the digital attack surface expands as well,” Trend Micro’s report states. “The more connected they get, the more attractive they become as lucrative targets to threat actors.”

malware

Top cyber security risk areas

As the WannaCry outbreak demonstrated, an infection-based attack can have a significant impact on a health care facility and its patients. The three most at-risk areas in terms of malicious cyber activity in the health care industry include:

  • Daily hospital operations: Staff scheduling, paging systems, building controls, tube transport systems, inventory, payroll and administration operations could all be severely threatened by a cyber attack. As more of these critical daily functions are automated and shifted to digital platforms, this risk grows exponentially.
  • PII privacy: One of the most compelling elements of the health care industry to hackers is the personally identifiable information (PII) that facilities have associated with patients, including financial details, diagnosis and treatment information, and other confidential information.
  • Patient health: An interruption in normal daily functions or compromised PII data can considerably affect a hospital’s ability to provide care to support patient health and well-being.
African American nurse wearing blue scrubs standing at the bedside of an elderly, female patient in a hospital room. Connected devices help bolster patient care, but exposed devices could put hospital operations and patient data at risk.

Exposed connected devices

The above described areas of hospital operations and patient data are put at risk through a number of different factors. However, as the report shows, one of the most persistent issues includes exposed connected devices which provide an entryway for hackers and malicious actors.

Modern health care facilities include more connected health information systems than ever before, encompassing settings and elements like:

  • Admission area and nurses’ stations: Email, payroll, electronic health record (EHR) and other office systems.
  • Patient rooms: HVAC controls, EHR access, monitoring equipment and inventory system access.
  • Emergency and operating rooms: Diagnostic, surgical, monitoring and imaging equipment.
  • Pathology labs: EHR and pathology equipment.
  • Conference rooms: Video conferencing, VoIP and other office and communication applications.
  • Pharmacy: Inventory and EHR systems.

However, when these devices are exposed and accessible through the internet, it puts daily operations and patient care at risk. Some of the instances and situations that can cause connected health care devices to be exposed include:

  • Direct device and system access through incorrectly configured network infrastructure systems. This extends to issues like the use of default passwords that make it easy for malicious actors to access network infrastructure and supported platforms.
  • Connectivity requirements to enable the regular function of a system or device. Nearly all connected devices need an internet connection to support their functionality, but this can also create an opening for hackers. 
  • Remote-enabled access to ensure troubleshooting capabilities or access for remote workers.

As the Trend Micro research indicates, just because a device is exposed doesn’t necessarily mean it is compromised. An exposed device simply means the endpoint is connected to the internet and, therefore, discoverable and accessible through a public connection.

The threat of Shodan

Another factor to take into account here is Shodan. As a search engine that enables users to discover internet-connected devices, it represents a beneficial solution for organizations to identify unpatched vulnerabilities and exposed assets within their systems.

At the same time, though, Shodan also offers advantages for hackers, who could leverage Shodan to surveil and gather intelligence about a target organization’s connected devices and systems to support malicious activity.

“[This] is why Shodan has been called the World’s Most Dangerous Search Engine,” Trend Micro’s study notes.

Problem with exposed ports

Although the inherent connectivity of today’s advanced applications and devices are critical to their functionality, it is this connectedness that also puts them at risk.

A notable issue identified by Trend Micro is the problem of exposed ports. Researchers identified a number of different exposed and viewable ports within the current health care industry, including these identified ports that could create the greatest risks:

  • Network Time Protocol (NTP): This is one of the oldest protocols today. Because the connections between NTP servers and computers are almost never encrypted, hackers can leverage NTP protocols for man-in-the-middle attacks that prevent systems from updating appropriately.
  • Teletype Network (Telnet): This is another connection that is rarely encrypted – one in which data is transmitted in clear text, creating the ideal hacker opportunity for packet-sniffing attacks.
  • File Transfer Protocol (FTP): This standard network protocol is a default setting on most web servers, enabling hackers to exploit the protocol and compromised connected servers. This then provides access to all sensitive files supported by the servers and offers the ability to upload malicious files to further the attack. 
Nurse wearing white lab coat and stethoscope sitting at a laptop surfing the internet. Health care and IT administrators must ensure that network activity is encrypted and ports aren’t left exposed.

Other exposed areas to monitor

As Trend Micro’s research shows, exposed ports and hackers’ ability to exploit certain protocols aren’t the only issues to be aware of – items like exposed databases and industrial controllers can pose a threat to health care operations as well.

“Databases are also treasure troves of critical/sensitive/important data, which makes the lucrative targets for hackers,” Trend Micro’s report states. “Compromising exposed building automation controls can allow a hacker to ‘turn off the lights’ inside the hospital. Doomsday scenarios like these are unfortunately not unrealistic, and extreme care should be taken to ensure building automation controllers are never exposed on the public internet.”

Safeguarding health care devices

As Trend Micro’s research clearly demonstrates, any exposed endpoint – from diagnostic and surgical equipment to electronic health record systems and exploitable protocols – can provide the window malicious actors need to interrupt operations and prevent quality patient care.

For these reasons, hospital administrators and IT stakeholders must ensure that sensitive equipment and devices have the proper protection in place, and that the necessary network connectivity doesn’t result in these devices being exposed via public connections.

To find out more about connected devices in the health care industry, read Trend Micro’s article and full report.

Read More HERE