While cyber experts and law enforcement have been raising the red flag for years about the security vulnerabilities of networked medical devices in healthcare, the chaos of the coronavirus pandemic has created the perfect storm for hackers to exploit these weaknesses.
As crowded hospital emergency rooms and ICUs in major U.S. cities try to keep up with demand for medical services, the networks of these healthcare organizations face a rising threat level from cybercriminals probing for weaknesses.
Interpol on Saturday issued an alert warning that cybercriminals are using ransomware to target healthcare organizations already overwhelmed by COVID-19 and noted a significant increase in detected health system attacks since the start of the pandemic.
Cybercriminals are “using ransomware to hold hospitals and medical services digitally hostage; preventing them from accessing vital files and systems until a ransom is paid,” the international security agency said.
Interpol’s Secretary General Jürgen Stock warned “locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths.”
Medical devices are easy targets for hackers who use them as entry points into hospital networks, according to experts.
“Your network is only as strong as the weakest link,” said Nick Yuran, CEO of cybersecurity consulting firm Harbor Labs in Baltimore. “If a hacker can get into the clinical network by exploiting a vulnerability in a medical device, it can be used as a pivot point to get to those more critical elements of the network.”
Caleb Barlow, CEO of cybersecurity consulting firm CynergisTek in Austin, Texas, said both criminals and nation-state attackers are figuring out how they can leverage the crisis to penetrate hospital networks. “The bad guys know healthcare is very vulnerable,” he said.
“The attack surface” in healthcare, thanks to increasing uses of telehealth and remote patient monitoring during the coronavirus outbreak, “has accelerated to a level we wouldn’t have expected to see over a 10-year timeframe,” Barlow added. “You’re never going to get that genie back in the bottle.”
When it comes to medical devices in the current cyber threat environment, Barlow said he is less worried about devices already connected to the network within a healthcare organization prior to the coronavirus outbreak.
“I’m not saying they were highly secured but that was at least an existing, known set of vulnerabilities and challenges. What I’m more concerned about are these temporary medical facilities and mass movements of equipment,” Barlow added.
Justin Fier, director for cyber intelligence and analytics at Darktrace, a cybersecurity firm headquartered in Cambridge, London and San Francisco, said medical devices infected by ransomware can be disabled from properly performing critical clinical functions, which could lead to patient harm. Infusion pumps and CT scanners are “plugged into other systems and you have to assume that a fraction of those will be taken off line by something as destructive as ransomware,” he warned.
Other threats to devices
Ransomware is just one security problem that’s plagued the industry.
Last October, FDA warned healthcare providers about a set of 11 cybersecurity vulnerabilities that may pose risks for certain medical devices and hospital networks. The vulnerabilities, called URGENT/11, exist in IPnet, a third-party software component that supports network communications between computers, according to the agency.
“URGENT/11 affects several operating systems that may then impact certain medical devices connected to a communications network, such as wi-fi and public or home Internet, as well as other connected equipment such as routers, connected phones and other critical infrastructure equipment,” the FDA reported.
FDA said at the time it was not aware of any confirmed adverse events related to the vulnerabilities. But the agency warned that the software to exploit these vulnerabilities is publicly available and that the risk of patient harm, if left unaddressed, could be significant.
The threat is particularly insidious because the vulnerabilities potentially allow attacks to occur undetected and without user interaction, the agency warned. Additionally, “because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures.”
FDA urged medical device manufacturers to work with healthcare providers to determine which devices might be affected by URGENT/11 and develop risk mitigation plans. To what extent that occurred is uncertain.
Susan Niemeier, chief nursing officer for infusion pump maker Ivenix, is concerned about these devices and in particular about the cybersecurity vulnerabilities of the tens of thousands of legacy devices used by health systems.
“We know that the legacy pumps out there have been known to be hacked,” Niemeier said.