Cybercrime is today's fastest growing form of criminal activity. However, do we really understand the true cost of a cyber attack and the damage it does to a company's future?
Every year the cost of a cyber attack reaches dizzying new levels: overlapping regulatory fines, restitution and identity and credit monitoring for affected individuals, punitive damages, and of course incident handling and clean-up costs for fixing what should have been fixed in the first place, had the organization understood the risks rather than chosen to ignore them.
However, it's not as simple as writing off some vast sum of operating profit and explaining that loss to shareholders or governing boards. Longer-term damage to a brand's reputation can take years to recover from – if it recovers at all. Many firms and individuals never again do business with an entity that lost their data and caused them so much pain and negative public attention.
Healthcare Delivery Organizations Face Higher Costs of a Data Breach
While the cost of a data breach can be significant in any industry, healthcare delivery organizations (HDOs) face particularly high expenses. Because healthcare is a regulated industry, security incidents must be reported and often result in penalties. But what happens when someone dies as a result of a cyber attack?
On Thursday, September 17th, the first known death attributed to a cyberattack was reported at the University Hospital Düsseldorf, where criminals hit the hospital with ransomware, holding encrypted data and computers hostage until a ransom was paid. As a result, a woman in a life-threatening condition was diverted to a hospital 20 miles away and died following the delay in treatment. So what is the long-term impact on the university hospital's funding, its patient numbers, its standing in the academic and local communities, and the future medical students, doctors, and other medical professionals who would otherwise want to study or work there?
Medical malpractice suits in the US currently run to tens of millions of dollars. HDOs need to ask themselves what the reputational cost will be when patients die on the operating table, or while connected to a medical device, because that device was hacked by cyber criminals.
At this point many executives would accuse me of raising fear, uncertainty, and doubt, or FUD as it's also known. But am I? The German woman who died in Düsseldorf when hospital IT systems were attacked with ransomware makes this very real. I would wager that the recent German case is not alone, and that other deaths caused by hackers or weak cybersecurity have simply been reported in a different way, covering up failures in IT and IoT equipment so as to absolve manufacturers and providers from potential legal liability to families and regulators.
How Easy is it to Hack into Medical Devices?
Ethical hackers such as Barnaby Jack demonstrated how easy it was to hack a medical device nearly a decade ago. Ever since, security conferences have featured numerous hackathons and on-stage demonstrations of how to hack an infusion pump, an X-ray machine, or other pieces of medical equipment.
Last year, researchers at Ben-Gurion University of the Negev demonstrated how easy it was to intercept medical images on the way to or from a PACS and alter them to add or remove tumors, fooling the majority of radiologists and AI software alike. Similarly, at Cylera last year we discovered an attack vector that lets a medical DICOM image carry malware that can be used to infiltrate the healthcare network, triggered simply by sharing or viewing a PACS image, something that happens thousands of times a day in every hospital.
This is not science fiction or FUD. This research is in the public domain and working exploits are most definitely in the wild. Another hospital, or an entire health system the size of UHS (Universal Health Services), could be attacked tomorrow and rendered unable to treat patients by a cyber attack against vulnerable IT or IoT assets.
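As an added example (not Cylera's code, not the page's), here is a minimal check for the class of file the Cylera DICOM research referred to above describes. The attack relies on a public property of the DICOM Part 10 format: the file opens with a 128-byte preamble that the standard leaves unconstrained, followed by the magic bytes "DICM". If the preamble is filled with a Windows MZ header whose e_lfanew pointer (offset 0x3C) lands on a "PE\0\0" signature later in the file, the same bytes are both a valid DICOM image and a valid PE executable. The sample files below are constructed in the script for demonstration and are not real medical images or real malware; the helper names are my own.

```python
"""Flag DICOM files whose 128-byte preamble carries a Windows PE (MZ) header.

Added example, not Cylera's code.  A DICOM Part 10 file starts with a
128-byte preamble the standard leaves unconstrained, followed by b"DICM".
A preamble starting with b"MZ" whose e_lfanew pointer (offset 0x3C) points
at a b"PE\x00\x00" signature elsewhere in the file makes the file a
DICOM/PE polyglot.
"""
import struct

PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"


def inspect_dicom(data: bytes) -> dict:
    """Classify one file's bytes; never raises on short or non-DICOM input."""
    result = {"is_dicom": False, "preamble_nonzero": False,
              "pe_polyglot": False, "verdict": "not-dicom"}
    if len(data) < PREAMBLE_LEN + 4 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != DICOM_MAGIC:
        return result
    result["is_dicom"] = True
    preamble = data[:PREAMBLE_LEN]
    # Most real-world writers zero the preamble; anything else deserves a look.
    result["preamble_nonzero"] = any(preamble)
    if preamble[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", preamble, 0x3C)[0]
        # Confirm the DOS header actually points at a PE signature inside this file.
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            result["pe_polyglot"] = True
    if result["pe_polyglot"]:
        result["verdict"] = "dicom-pe-polyglot"
    elif result["preamble_nonzero"]:
        result["verdict"] = "dicom-nonzero-preamble"
    else:
        result["verdict"] = "dicom-clean"
    return result


def _meta_header() -> bytes:
    # Minimal explicit-VR little-endian file meta element:
    # (0002,0010) Transfer Syntax UID, null-padded to an even length.
    uid = b"1.2.840.10008.1.2.1\x00"
    return struct.pack("<HH", 0x0002, 0x0010) + b"UI" + struct.pack("<H", len(uid)) + uid


def build_clean_dicom() -> bytes:
    """Constructed sample: zeroed preamble, then the DICM magic and a meta element."""
    return b"\x00" * PREAMBLE_LEN + DICOM_MAGIC + _meta_header()


def build_polyglot_dicom() -> bytes:
    """Constructed sample: MZ header in the preamble, PE signature after the meta header."""
    body = DICOM_MAGIC + _meta_header()
    pe_offset = PREAMBLE_LEN + len(body)      # where the PE header will sit
    preamble = bytearray(PREAMBLE_LEN)
    preamble[0:2] = b"MZ"
    struct.pack_into("<I", preamble, 0x3C, pe_offset)  # e_lfanew
    # A real polyglot carries a full PE image here; a bare signature is enough to demonstrate the check.
    return bytes(preamble) + body + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    for name, sample in (("clean", build_clean_dicom()),
                         ("polyglot", build_polyglot_dicom()),
                         ("plain-exe", b"MZ" + b"\x00" * 300)):
        print(f"{name:10s} -> {inspect_dicom(sample)['verdict']}")
```

Treat "dicom-nonzero-preamble" as a review signal rather than a verdict: some legitimate writers, for example DICOM/TIFF dual-format pathology files, deliberately place a TIFF header in the preamble. The polyglot verdict is the one worth alerting on at the PACS gateway or in an ingest pipeline, before a workstation opens the file.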
The Need for Change
Healthcare providers around the world need a better understanding of what assets connect to their networks and what risk each of those assets represents, not only to patients attached to a device or treated by a system, but to the broader healthcare network. Any endpoint can be used as an infiltration vector and as a foothold for expanding the attack, and that includes the tens of thousands of medical devices and other simple 'connected' IoT systems in each hospital, few of which are properly managed or patched regularly.
You don't need a wooden Trojan horse to get inside the perimeter of a hospital network, just access to an insecure endpoint device. That could be an unpatched physician's personal laptop, or something seemingly innocuous like a real-time location system (RTLS) used to track beds and other equipment between buildings. Identifying and risk-assessing all your assets is absolutely critical today, and a risk analysis is also a requirement of the HIPAA Security Rule in the United States for any system that creates, stores, or transmits ePHI. HHS guidance on that requirement points to NIST SP 800-30 as the reference methodology.
But a risk analysis alone is not enough to protect patients; providers also need to put in place adequate protections and compensating security controls. This is where many HDOs come unstuck: they simply don't have the staff cycles to evaluate the risks, let alone remediate potentially life-threatening problems, even though they may already have some of the tools in place to segment high-risk devices from the rest of the network.
Automate your Risk Management
The Cylera MedCommand platform automates this entire security risk management workflow, identifying HIoT devices and adding them to your asset management system, and feeding their risks into your GRC and risk management tools. It identifies IOCs and raises alerts through an existing SIEM or MDR, and talks directly to an existing NAC to automatically isolate and quarantine compromised endpoints before patients are put at risk.
Learn more or request a demo to see how Cylera uses artificial intelligence and machine learning to simplify and automate what would otherwise be a highly labor-intensive and cumbersome task.