The radiology landscape is pocked with cyber mines. And it’s getting worse. Legacy imaging systems are connected to picture archiving and communication systems (PACS), which are being linked to electronic medical record (EMR) systems and best-of-breed IT systems, as hospitals increasingly move to enterprise imaging. These make tempting targets for hackers. And the worsening situation is being caused by the best intentions.
Extending the life of a legacy system to save money is one. Another is patient engagement. Spurred by patient demands for increased access to their data, as well as “Meaningful Use” mandates from the federal government, providers have created a plethora of patient portals.
“This is where the real vulnerability is,” said Krishna Kurapati at the Healthcare Information and Management Systems Society (HIMSS) 2017 meeting in February. Kurapati, the CEO of QliqSOFT, a provider of secure messaging for doctors and nurses, noted that patient portals typically are tightly integrated with the EMR system. This makes patient portals a prime target for hackers.
Attacks On Imaging
Legacy imaging equipment and outdated medical IT systems are easy targets. Often kept functioning years beyond their expected lifetimes, these systems serve as “pivot points” for cyber criminals. They are weak links by which hackers can get into medical information technology systems.
What makes them weak is their reliance on obsolete operating systems (OS) like Windows NT and XP, which do not have up-to-date security. Even attacks with outdated malware like Conficker can succeed.
Conficker, a computer worm that exploits weaknesses in early versions of Microsoft Windows, was first detected in 2008. “It basically disappeared in early 2009, but in healthcare we see it over and over again because of legacy systems,” said Alex Wirth, a healthcare solutions architect for Symantec, who spoke at HIMSS 2017.
Operating systems like NT and XP are no longer patched for security vulnerabilities. An outdated operating system made a C-arm X-ray system vulnerable, according to a report by TrapX Security, a cybersecurity firm. In this instance, the security company traced the malware to a backdoor in a fluoroscopy workstation running Windows XP. The intent of the attacker was to steal patient data, according to TrapX.
The attack was one of several in the oncology department of a hospital. Each attack targeted medical devices running out-of-date Windows OS. These are “quite vulnerable and have no endpoint detection cyber defense installed,” according to the TrapX report.
In one attack, a hacker gained access to a hospital network through a backdoor in an X-ray system running Windows NT. A different attack was foiled by TrapX, which created a decoy PACS system. The decoy led the attacker to believe the hack had succeeded. TrapX traced the malware to a backdoor in an MRI system running an unpatched OS.
Medjacking for Dollars
Devices vulnerable to such “Medjacking” include PET and CT scanners, as well as infusion pumps, medical lasers, ventilators and dialysis machines. The common denominator is their outdated OS.
Medjackers may be political operatives or disgruntled employees, according to Wirth. But usually they are cyber criminals motivated by money.
Patient records can be sold on the black market for many times that of a credit card number. And cyber criminals don’t even have to steal patient data. They can hack an information system, encrypt the data, then demand payment to decrypt it. This kind of attack, called ransomware, is growing in popularity.
Ransomware attacks against all industries, not just healthcare, quadrupled from 1,000 per day in 2015 to 4,000 per day in 2016, according to the U.S. Department of Justice. The malware is usually delivered through “spear phishing,” in which an unsuspecting person in the network opens an e-mail from what appears to be — but isn’t — a known person.
Once the data is encrypted, it can’t be decrypted by anyone other than the cyber criminals.
And not all legacy systems are X-ray machines or scanners. Many are holdovers from the last PACS or IT upgrade, according to Jamie Clifton, director of product management at BridgeHead Software. Installers of the more efficient IT systems are either unable or unwilling to bring all the data into the new equipment, Clifton told Imaging Technology News (ITN) in an interview at HIMSS 2017. “Every time you do an EMR migration, you generate a vast number of legacy applications,” Clifton said. “It is a spawning ground.”
The interfaces often become so complicated that, when problems occur, the IT staff has trouble finding the root causes. That can be a nightmare from a cybersecurity perspective. “If you can’t tell what’s going on with your system, you won’t be able to tell if they are being attacked,” he said.
Healthcare providers should sack these legacy applications as soon as possible, according to Clifton. Yet there is a general sense of apathy working against doing so. “We have too many healthcare organizations not paying attention to this,” he said.
As noted by the FDA in its postmarket cybersecurity guidance, Postmarket Management of Cybersecurity in Medical Devices, “networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats.”
This vulnerability, according to a statement issued early this year by the FDA, “increases as medical devices are increasingly connected to the internet, hospital networks and to other medical devices.”
Attacks against a patient portal might come if a patient accesses medical records while on a public network. In his HIMSS 2017 presentation, Kurapati used the example of a Starbucks patron accessing clinical data. Anyone hacking the public network, regardless of its physical location, could plant malware capable of invading all connected IT systems, he said.
Patient portals are also vulnerable to denial of service attacks during which thousands, even millions of “bots” attack a site. This kind of attack can bring down not just the patient portal, but the EMR and all other connected IT systems.
In his HIMSS presentation, Joe Carson, senior director of sales engineering at TrapX Security, described the risk as shared among providers and manufacturers: “Healthcare organizations (have to) do their part to prevent attacks from being successful, to mitigate attacks and put controls in place; and device manufacturers have to ensure that they are patching and applying everything they can to mitigate attacks against devices.”
Barrett recommends that providers look for and implement ways to reduce the risk of a successful cyber attack. He also suggests they seek ways to mitigate damage after a breach occurs. At HIMSS 2017, Barrett told ITN that “it is not a matter of if you will ever get hacked, it is a matter of when. And when you do get hacked, it’s how quickly you can recover from the attack.”
Mitigating the damage means more than just minimizing the monetary cost, he said: “You want to minimize the damage to the practice’s or hospital’s reputation.”
Barrett advocates an audit to identify gaps and vulnerabilities; putting in place policies, procedures and controls to mitigate the damage; and training staff in the use of them, “whether that is through internal or a third-party assisting your organization.” The Electronic Healthcare Network Accreditation Commission (EHNAC) offers such services to vendors who then assist customers, he said.
Overall Risk Rises
The risk of cyber attack is growing with the rising popularity of ransomware. This particularly insidious type of cyber attack encrypts rather than steals patient data. After successfully infecting a system, typically by enticing an employee to click on an e-mail carrying malware, cyber criminals encrypt patient data then demand payment for its decryption.
Standing up to such an attack takes planning, according to Symantec. At HIMSS 2017, the cybersecurity company — through sponsored speakers — advised backing up computers and servers regularly so that replacement data is available; securing mapped network drives with a password and access controls; downloading the latest patches and plug-ins for operating systems to boost security against known malware; and using an e-mail security product to ward off spam e-mails that may contain malicious attachments.
If a computer is infected and its data encrypted, isolate the infected computer and replace the encrypted files with backed up files that are known to be good, Symantec advised. What you should not do — but many do anyway — is pay the ransom.
There is no guarantee the attacker will unlock your computer or decrypt your files, Symantec warned. And you can be sure the money will be used to fund more attacks.
“It is estimated that the bad guys invest 40 percent of the money they make into developing new attack technologies,” said Symantec executive Wirth.
Driven by the need to collaborate, as well as increase efficiency and lower costs, processing operations and data are moving into the cloud — or, more exactly, to data centers that are accessed over the internet. “People are taking advantage of the fabulous opportunity to collaborate and get their jobs done using cloud applications,” said Deena Thomchick at HIMSS 2017. The problem, according to Thomchick, senior director of cloud security at Symantec, is that “your data is going all over the place.”
Not surprisingly, a big concern is data compromise. But patient data may actually be safer in some clouds than in on-premise archives, said Clifton of BridgeHead Software. Few hospitals perform penetration tests as often as large public cloud providers do, he said.
The hurdle for putting all patient data on the cloud has more to do with efficiency than security. Cloud-based systems are not fast enough, according to Clifton. “The data simply can’t travel across the wire in time,” he said.
This is why the ideal solution may be a hybrid, according to Clifton — an on-premise archive of patient data with a backup copy in the cloud, ready to be used in the event of a denial of service attack or serving as a backup in case of a ransomware attack.
Although there is no sure way to protect patient data or medical systems from cyber attack, much can be done to keep attackers at bay or, at least, mitigate the damage they do. In his HIMSS presentation, Wirth recommended five steps to improved security. First, identify assets and risks; second, protect against attack by training staff about cyber risks and installing protective technology; third, monitor assets continuously to detect attacks; fourth, plan a response to mitigate the effects of an attack; and fifth, plan how to recover from an attack.
When it comes to ransomware, the U.S. Department of Justice recommends training employees to recognize danger so as not to click on e-mails that may be carrying malware. Strong spam filters can stop such phishing attempts, just as outgoing and incoming e-mails can be scanned for executable malware. Firewalls can block access to known malicious IP addresses. Security holes in operating systems, software and firmware can be patched. Drives and servers can be regularly scanned for viruses and malware.
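Both the Symantec advice above (use an e-mail security product against malicious attachments) and the Department of Justice list (scan incoming and outgoing e-mail for executable malware) describe a control that a mail gateway applies to every message. The Python script below is an added example written for this article; it is not code from Symantec, the Department of Justice or any vendor named here. It parses a message with the standard library and flags attachments whose file extension or leading bytes mark them as executables, catching a double-extension name such as "invoice.pdf.exe" and a Windows executable sent under a document-like name. The sample message, its addresses and its attachment bytes are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows or common script hosts will execute directly.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".dll", ".msi", ".jar",
}

# Leading bytes (magic numbers) of native executable formats; checked so a
# renamed binary is still caught when its extension looks harmless.
MAGIC_SIGNATURES = {
    b"MZ": "PE (Windows executable) magic bytes",
    b"\x7fELF": "ELF (Unix executable) magic bytes",
}


def classify_attachment(filename, payload):
    """Return the reasons an attachment looks executable (empty list if none)."""
    reasons = []
    name = (filename or "").lower()
    parts = name.rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    for magic, label in MAGIC_SIGNATURES.items():
        if payload.startswith(magic):
            reasons.append(label)
    return reasons


def scan_message(raw_bytes):
    """Parse one RFC 822 message and return a finding per suspicious attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""  # decoded from base64/quoted-printable
        reasons = classify_attachment(filename, payload)
        if reasons:
            findings.append({
                "filename": filename,
                "content_type": part.get_content_type(),
                "reasons": reasons,
            })
    return findings


def build_sample_message():
    """Constructed test message (hypothetical addresses) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "radiology@hospital.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    # 1. A benign attachment: bytes that start like a real PDF.
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n",
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    # 2. A double-extension name hiding an executable (PE header bytes).
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    # 3. Executable bytes sent under a harmless-looking document name.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding["filename"], finding["content_type"], "->", "; ".join(finding["reasons"]))
```

Run as-is, the script reports "invoice.pdf.exe" (extension and PE header) and "report.pdf" (PE header only) while passing "invoice.pdf". The magic-byte check is the important half: an attacker controls the file name, not the format a loader needs, so a gateway that trusts extensions or the declared MIME type alone misses the third case. A production filter would also open archives and inspect Office macros, which this example leaves out.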
But planning and preparation to increase cyber safety take time and money, Wirth said. This is why the organization’s leadership has to establish its tolerance for risk. Once established, defenses should be fortified to that level. The trick is to minimize risk and maximize response to an attack, he said.
Now is the time to do so.
“I think healthcare just got into the crosshairs of the bad guys as an opportunity to make money,” Wirth said. “So I believe it is going to get worse before it gets better.”
Greg Freiherr has reported on developments in radiology since 1983. He runs the consulting service, The Freiherr Group.