Internet of Things-Networked Medical Devices a Looming Compliance Liability

It’s a fast-rising problem that could prove to be a further compliance nightmare for already besieged healthcare facilities: Internet of Things-networked medical devices which, if not data-encrypted, could easily be hacked and data-dumped by exploitative cybercriminals. According to a January 2016 Gartner Report, by 2020 there will be 26 billion devices connected to the Internet via the Internet of Things (IoT). A significant portion of those objects will be medical devices, which, further studies revealed, can be easily hacked by seemingly ubiquitous and ruthless hackers determined to make healthcare facilities pay for simply being – so hackable? In fact, hacking hospital devices has gone on for years, and has become so prevalent that it now has acquired its own term: medjacking, a.k.a. medical device hijacking.

According to Security Metrics, there are four main groups of networked medical devices capable of being Internet-connected. These four groups are:

• Consumer health monitoring, like FitBit
• Stationary devices, like chemotherapy dispensaries
• Wearables (e.g. portable insulin pumps)
• Embedded devices (e.g. pacemakers)

Stationary medical devices are the most targeted group, and include everything from X-ray scanners to MRI machines to CT scanners to LASIK surgical devices, blood gas analyzer, dialysis machines, and more commonly-used hospital care devices.

Statistics, and The Dark Net Connection

Another important statistic related to the cyber threat to networked medical devices is one reported by the HHS: 78 percent of physician practices involve electronic medical records systems (EMR/EHR). EMR (electronic medical records) systems, in particular, are especially vulnerable to hacking. And, hackers are well aware that patient medical data is worth roughly 20-50 times more than credit card data. Why? Apparently, the patient data is worth big bucks on Dark Net, a Web sub-culture or black market where such data is used by subversives and criminals in an opportunistic, exploitative way.

The Medical Hacking M.O.

We’ve already seen what motivates hackers to do what they do. But, how do they do it, and with such stealth and ruthlessness, you ask? With medical hijackings, a.k.a. medjackings, well-trained hackers can quickly penetrate the often weak cyber defenses of healthcare facilities, establishing a command and control “hold,” which they use as a pivot point to then expropriate medical data institution-wide. Once having hacked inside healthcare networks, the cybercriminal can then set up a backdoor for himself for later access and infect systems so they remain vulnerable to future attacks.

How to Prevent Medjacking

According to a TrapX Security Report, targeted attacks on hospitals and clinics and their medical equipment are expected only to increase in the coming years, with IoT devices to be the favorite targets of hackers, likely. Here are some medjacking prevention tips for medical facilities based on the TrapX security report:

• Remediate (reset or encrypt passwords) on existing devices – especially if you’ve already been targeted by cybercriminals.
• Deploy manufacturer-prescribed fixes for both hardware and software
• Have a complete HIPAA compliance evaluation and overhaul
• Only utilize those medical device makers who value cybersecurity at least as much as they do sales
• Employ effective access management, especially via USB ports
• Establish secure network zones for medical devices, and isolate them behind dedicated internal firewalls and IP address-specific services
• Securely wipe retired devices of patient data before hardware upgrades

And remember, if your medical devices aren’t protected from hijacking and exploitation, that means your organization isn’t safe from HIPAA compliance violations, either. A complete IT network review and overhaul by professionals is also a good way to stay in compliance and safe from medjacking.

Author: Aaron White, Date: 27th September 2016