Increasing outbreaks of ransomware and cyberattacks within the healthcare sector have impacted IS departments severely, causing CIOs to scramble each time a vendor presents a health information technology (HIT) device. Cybersecurity strategies that keep up with the increasing number of cyberattacks have become a priority for IS leadership.
Hidden Cobra, WannaCry, Petya, NotPetya, and other threats are costing the healthcare sector dearly both in monetary loss and by placing the patient’s protected healthcare information (PHI) at risk.
A “July 2016 report showed the healthcare industry is hit significantly harder by ransomware than any other sector — approximately 88 percent of attacks hit hospitals.” There is no indication that the cyberattacks will let up anytime soon.
The vulnerabilities that attackers are exploiting vary, but they most commonly involve connected devices running standard operating systems that are mass-deployed at the consumer level, for example devices using legacy operating systems such as Windows XP and Windows 7. Environments utilizing even the most modern operating systems also have vulnerabilities.
For example, smart TVs are supplied to hospitals with a third-party app running on each TV to serve up patient infotainment content. While this is an elegant method to deploy the solution, what risks does this model open to the hospital?
Craig Young, a principal researcher at the firm Tripwire, says that such cyberattacks “likely are network based attacks on smart televisions that are launched from other compromised devices on the same wired or wireless environment.” Young goes on to say that “IP layer attacks, where someone connects to the television through the network and compromises the embedded web browser are far easier to carry out. And, given the spotty record of smart TV makers of patching their platforms, such an attack is likely to work.”
Why are smart TVs such a concern? Young says that “The devices are popular – more than 200 million have been sold globally. Under the hood, many are indistinguishable from general purpose computing devices. Many run variants of the Linux operating system and support third-party applications. They are typically equipped with storage, memory, microphones and even cameras.” Smart TVs are created for the masses and are long-lived, which makes them ‘breeding-grounds’ for cyberattacks.
The article entitled “Researcher Says 9 in 10 Smart TVs Vulnerable to Broadcast-based Attacks” published by The Security Ledger says that “There have been a number of demonstrations and public reports of attacks on smart TV platforms. Last year, Researchers at Pen Test Partners adapted an Android snooping application to run on the Sony Bravia, a smart television set that runs on the Android mobile operating system. Words captured by a mic attached to the TV were rendered as text and sent to a remote laptop.”
Additionally, the article says “In December, Twitter user Darren Cauthon of Olathe, Kansas became an Internet sensation for showing a relative’s LG smart TV on December 25th crippled by Android ransomware. And, in March, the web site WikiLeaks on Tuesday published thousands of documents that it claims are hacking tools developed and used by the U.S. Central Intelligence Agencies to spy on and surveil targets. Among the targets were Samsung smart TVs.”
Similar to the vulnerabilities of smart TVs, but more prevalent, are the attacks that have besieged Windows-based devices. Medical devices created by Bayer recently became infected with WannaCry ransomware in hospitals within the US. These devices were running a Windows operating system, again designed for the mass market, with hundreds of millions of copies in use.
What can IS departments and CIOs do to minimize the threat and to reinforce the front lines of their cybersecurity initiatives?
When exploring devices, look for one that does not allow the installation of third-party applications. No other software, no services, nothing. Only firmware and patch updates from the manufacturer. This is the ONLY way to ensure that risk is minimized.
To expound on that thought, the most reliable solutions available for HIT feature custom hardware and software with a proprietary design, built and maintained with security as the primary focus. Such solutions employ a stripped-down, custom Linux-based OS or a completely proprietary OS, which is a high point of defense against cyber threats. Equipped with a non-standard OS and hardware, such a device is essentially a black box that is not widely available to the public, and therefore it does not become a likely target. Such lean architecture allows for a much safer network as compared to systems that primarily deploy widely available and targeted technologies such as Microsoft Windows, Raspberry Pi, and smart TVs.
Intentionally designed for a single purpose with deliberately limited resources, the hardware is equipped only with the features required to perform the intended task. These devices are not PCs, they do not run a full OS, and they are inaccessible to users. These proprietary solutions communicate only with the core systems and server software, and do so sparingly.
To learn more about MEDI+SIGN Digital Patient Room Whiteboards, how they prove to be among the most secure devices in the hospital and how they are designed to counteract cyber attacks, please visit us at www.medisigndisplays.com.
12 Healthcare Ransomware Attacks Of 2016
Written by Erin Dietsche
WannaCry attack infects Bayer medical devices in US hospitals
Written by Mackenzie Bean
Becker's Health IT & CIO Review
MEDI+SIGN is a registered trademark of Specialized Communications, Inc. Other company and product names may be trademarks of their respective owners.
© 2017 MEDI+SIGN® All Rights Reserved