ICS security in healthcare: why software vulnerabilities risk patient safety
Weak cybersecurity is one of the most significant threats facing the global healthcare industry. In 2020 alone, more than 18 million patient records were affected by successful cyber-attacks on the U.S. healthcare system.
Health professionals should not take this issue lightly: financial assets and intellectual property are at risk, not just records. IT professionals must secure healthcare data such as Electronic Health Records (EHRs), and must also be prepared to help patients deal with the aftermath of a breach. In 2021 alone, more than 40 million individual records were breached, and the numbers are still rising.
Let’s see how ICS security vulnerabilities can threaten patient and hospital safety.
The Need for Industrial Control Systems (ICS) in Healthcare Environments
Hospitals routinely handle high-value sensitive information from patients, doctors, diagnosticians, and other stakeholders: personal identity information, patients' health information, bank accounts, and credit card numbers, all of which have a ready market for criminals.
The systems and processes that collect and act on this information must function correctly at all times. If malicious actors gain access to a healthcare environment, a lot can go wrong, from tampering with pacemakers and insulin pumps to wholesale data breaches.
Weak medical device security can wreak havoc on a healthcare organization. The threat often comes from within, in the form of human error, unplanned changes, and outages, all of which can be dangerous. Defective software also deserves some of the blame: vulnerabilities and faulty code on medical devices endanger both patient safety and cybersecurity.
This has led to a greater need for Industrial Control System (ICS) security practices in health care. "ICS" is an umbrella term that brings to mind factories and utilities, but comparable control and monitoring devices are now ubiquitous in health care facilities, and they need the same kind of protection.
Applying ICS security practices to medical devices lets health care providers take defensive measures that reduce the risk of exploitation. Best practices include minimizing the exposure of these devices to the wider network, isolating control systems entirely where possible, and using VPNs for any administrative tasks. The VPN itself should require multi-factor authentication and land remote users on a hardened jump host, rather than giving them a direct route onto the device segment.
Prioritizing Patient Safety and Protection
Protected Health Information (PHI) is governed by the Health Insurance Portability and Accountability Act (HIPAA), which covers information about an individual's past, present, or future health condition, the care provided, and payment for that care. Any such information given to a health care provider must be collected, stored, shared, and maintained according to HIPAA rules.
Hospitals need tight cybersecurity: the U.S. government has warned of new malware attacks on health care systems. These attacks are increasing at an alarming rate, and they pose a severe threat to hospitals and patients by blocking access to important medical information. In Q3 of 2021, 68 ransomware attacks were carried out against healthcare institutions.
Ransomware groups target healthcare so frequently because they believe the sector will pay quickly: access to medical data is urgent, and the publicity around such an attack adds to the pressure.
Cybercriminals also threaten to publish or sell stolen data online, and that double-extortion tactic is pushing more organizations than ever to pay the ransom. Federal authorities continue to work on educating the healthcare sector about ransomware prevention.
Medical Device Misconfigurations – A Significant Threat to ICS
Ensuring the safety of patients who depend on medical devices begins with asset management: an inventory of every connected medical device in the healthcare setting, because a device that is not on the register will never be patched, segmented, or monitored.
It is vital to understand the security configuration of each medical IoT device and any vulnerabilities that could compromise patient safety. Misconfigurations left unaddressed can lead to privacy breaches, especially on portals that are reachable from public networks. This matters all the more because many of these devices are old, outdated, and running end-of-life operating systems, which makes it very difficult to change their configuration or apply security patches.
Mobile devices have made access and data sharing easier, but they have also increased the risk of privacy breaches, identity theft, ransomware, and other cyber-attacks. Many healthcare institutions allow logins to their portals from mobile devices that are unmanaged and held to no security baseline. Such devices are far more likely to carry malware or ransomware and to leak data.
Systems used to administer medical IoT devices should require multi-factor authentication and reliable, role-based authorization before granting access.
It is also worth noting that many hospitals worldwide run medical devices with the default passwords they shipped with. This is an open invitation for an attacker to take control of a device and manipulate its behavior, putting patient safety at risk.
Additionally, many of these connected medical devices are left with SSH, FTP, and other standard management protocols listening and reachable from the general hospital network. Sometimes they are even connected directly to the internet, unprotected and without any firewall in front of them.
On mobile devices, downloading applications and software from unverified and untrusted sources is a common cause of privacy breaches. A compromised phone can in turn expose employee data held in the medical portal or application it logs in to.
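The checks above (isolating control systems, inventorying devices, flagging end-of-life operating systems, default credentials, and exposed management protocols) can be run mechanically against the asset register. The following is an added example, not code from the original article or from any vendor or hospital: a small Python audit over a constructed inventory. The inventory records, the zone name "clinical-ot", the list of management ports, and the end-of-life OS list are all assumptions for illustration; a real deployment would feed it from the asset-management system and a scan of listening ports.

```python
"""Audit a connected-medical-device inventory for the exposures discussed above.

Added example, not code from the original article or from any vendor or
hospital. Everything here is an assumption for illustration: the inventory
records, the zone names, the management-port list and the end-of-life OS list.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


# Management protocols that should not be reachable from outside the isolated
# device segment (assumed list; extend it with whatever your devices expose).
MANAGEMENT_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 161: "SNMP", 3389: "RDP", 5900: "VNC"}

# Operating systems no longer receiving vendor security patches (assumed list).
EOL_OPERATING_SYSTEMS = {"Windows XP", "Windows 7", "Windows Server 2008"}

# Network zones treated as isolated control-system segments (assumed name).
ISOLATED_ZONES = {"clinical-ot"}


@dataclass
class Device:
    name: str
    zone: str                   # network segment the device sits in
    open_ports: set[int]        # ports found listening during a scan
    os: str                     # operating system reported by the vendor
    default_credentials: bool   # still using the vendor-shipped password
    internet_reachable: bool    # public address or inbound port-forward exists


@dataclass
class Finding:
    device: str
    severity: str   # "critical", "high" or "medium"
    issue: str


def audit_device(dev: Device) -> list[Finding]:
    """Return one Finding per problem found on a single device."""
    findings: list[Finding] = []
    exposed = sorted(MANAGEMENT_PORTS[p] for p in dev.open_ports if p in MANAGEMENT_PORTS)
    # A management login is "reachable" if it faces the internet or sits
    # outside the isolated segment. Inside the segment it is still a finding
    # on a default password, but a less urgent one.
    reachable_from_outside = dev.internet_reachable or (bool(exposed) and dev.zone not in ISOLATED_ZONES)

    if dev.internet_reachable and exposed:
        findings.append(Finding(dev.name, "critical",
                                "management ports reachable from the internet: " + ", ".join(exposed)))
    elif exposed and dev.zone not in ISOLATED_ZONES:
        findings.append(Finding(dev.name, "high",
                                "management ports open outside the isolated segment: " + ", ".join(exposed)))

    if dev.default_credentials:
        severity = "critical" if reachable_from_outside else "high"
        findings.append(Finding(dev.name, severity, "vendor default credentials still in use"))

    # An end-of-life OS cannot be patched; it needs compensating controls or replacement.
    if dev.os in EOL_OPERATING_SYSTEMS:
        findings.append(Finding(dev.name, "medium", f"end-of-life operating system: {dev.os}"))

    return findings


def audit_inventory(devices: list[Device]) -> list[Finding]:
    """Run audit_device over the whole register and flatten the findings."""
    return [f for dev in devices for f in audit_device(dev)]


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {"critical": 3, "high": 1, "medium": 2}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample inventory: not real devices, addresses or hospitals.
INVENTORY = [
    Device("infusion-pump-07", "clinical-ot", {443}, "Embedded Linux", False, False),
    Device("mri-console-02", "clinical-ot", {22, 445}, "Windows 7", False, False),
    Device("patient-monitor-gw", "corp-lan", {22, 23, 161}, "Embedded Linux", True, False),
    Device("lab-analyzer-01", "dmz", {21, 443}, "Windows XP", True, True),
]


if __name__ == "__main__":
    report = audit_inventory(INVENTORY)
    order = ("critical", "high", "medium")
    for f in sorted(report, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:8}] {f.device}: {f.issue}")
    print("totals:", severity_counts(report))
```

Run against the constructed inventory, the pump in the isolated segment produces no findings, the MRI console is flagged only for its end-of-life OS (SSH inside the isolated zone is not an exposure on its own), the monitoring gateway on the corporate LAN is flagged for management ports outside the segment and for default credentials, and the internet-facing analyzer collects all three. The severity rule encodes the point of the section: a default password or an old OS is dangerous in proportion to who can reach the device, so segmentation is what turns a critical finding into a manageable one.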
The Cost of Ignoring Cybersecurity for Hospitals
Over 600 ransomware attacks on U.S. healthcare institutions cost more than $21 billion in 2021. Another report estimates the average cost of a healthcare cyber-attack at $6.45 million. Malicious attacks on hospitals cost $4.45 million on average.
Weak and outdated security controls are a primary reason for such breaches and the losses that follow. Investing in more reliable security technology costs far less than recovering from an attack.
Protect Your Hospital and Healthcare Institutions
Hospitals and medical entities are very attractive targets for malicious actors and cyber attackers. It is essential to protect these institutions’ sensitive data against potential cyber risks. An inability to take necessary measures, and failure to secure hospital and patient data under HIPAA can result in penalties and legal action against responsible persons and departments.
There is no denying that internet-connected medical devices have been adopted at lightning speed, outpacing IT teams' ability to automate their management and patching.
It is imperative that healthcare service providers take ICS security seriously: fix or update device software where they can, and replace devices that can no longer be updated. These practices help them manage and mitigate risk in existing infrastructure so that patient privacy and safety goals are met.
About the Author: Isla Sibanda is an ethical hacker and cybersecurity specialist based out of Pretoria. For over twelve years, she’s worked as a cybersecurity analyst and penetration testing specialist for several reputable companies – including Standard Bank Group, CipherWave, and Axxess.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.