When computer hackers breach a hospital system, they work quickly to find valuable patient medical records to smuggle out, while also infecting other computers that might harbor valuable data or protect their unauthorized network access.
The hackers don't directly target patients. But a first-of-its-kind sting operation, set up by a private security firm called TrapX Labs, recently documented how financially motivated computer hackers attacking a decoy hospital network can make changes in networked devices like CT scanners in ways that can compromise patient safety. The hospital network was fake, but attackers were real, TrapX said.
"They obviously understand that medical devices have less security. We saw them fairly immediately go after those medical devices," TrapX marketing executive Ori Bach said.
Protecting against cyber intrusions is a top-of-mind concern at real-world hospitals across the country. This week a group of about 100 security officials from medical device companies, hospitals and security firms gathered at Medtronic's Mounds View complex to discuss ways to manage the security of networked medical devices in hospitals, as part of the annual Cyber Security Summit series.
The meeting followed publication of the Food and Drug Administration's medical device safety action plan. The report revealed that the agency is considering plans to require that vendors ensure software in medical devices can be updated and provide hospitals with a "software bill of materials" that discloses all of the native software contained in device.
Lacking such a requirement today, cybersecurity experts at Minnesota's Mayo Clinic described their hands-on approach to device security during presentations at Thursday's meeting in Mounds View. Before the clinic buys a new medical device, vendors must fill out detailed questionnaires to make sure products meet minimum cybersecurity standards.
Mayo also works to see if the product conforms to industry best practices, like removing software development tools used during the device's design process, since those tools can be helpful to attackers. Mayo employees sometimes work directly with device makers to ensure they take basic security steps such as closing off access to unused ports in a device's configuration file, like a keyboard port for a device that has no keyboard.
"I'm going to be honest — we haven't found one yet that doesn't need any attention," Debra Bruemmer, a senior manager in clinical information security at Mayo, said Thursday.
Because of its scale, the Mayo health system presents a significant attack surface for hackers, with nearly 32,000 network-connected devices from 321 different vendors at hospitals and clinics in five states. That diversity complicates the response to urgent concerns, as happened a year ago with the outbreak of the WannaCry ransomware worm.
"Organizational priorities differ. Mayo's priority is to fix the issue right away. For the medical device manufacturer, maybe it's at the top of the priority list, maybe it's not," said Keith Whitby, Mayo Healthcare technology management section head. "So, for instance, WannaCry — Mayo viewed that as an extremely high-priority issue. And I can tell you today that there are vendors we still haven't heard from, in terms of remediation tactics for that particular event."
WannaCry was a fast-spreading computer worm that allowed the malware to get inside a computer and encrypt vital files until the victim agreed to pay a ransom in Bitcoin. The worm could also migrate to other machines once inside a network.
The impact was muted in the United States, but in the United Kingdom, nearly 19,500 hospital appointments and surgeries had to be canceled as a result, according to a national audit of the cyberattack published this week. And that impact would likely have been more dire but for a security researcher who figured out how to activate a kill switch in the code that stopped the worm's spread.
WannaCry wasn't seen as a targeted attack on hospitals — the malware affected other complex industries with highly interconnected systems, like manufacturing and higher education. But the incident did highlight the health care sector's vulnerability.
Nick Selby, a Texas-based cybersecurity consultant who has worked on teams validating high-profile attacks against medical devices, noted that malicious hackers are very interested in valuable data contained on vulnerable networks.
"Criminal gangs and nation states that target data to be stolen run their operations like businesses, and they do risk-reward analyses and resource allocation just like any business," Selby said. If "there is an entire market in which we can count on security being below average and the value of information to be stolen above average, that is a great target."