Cyber Vulnerability in Health Care Part I: Is Your Organization At-Risk?
by Mackenzie Thompson
Life Saver, AMC
posted on Jul 13, 2017, at 7:54 pm
CYBERSECURITY, CYBER ATTACK AND CYBER VULNERABILITY. These words can strike fear into the hearts of Americans and people around the globe. In May, the WannaCry ransomware attack held the data of millions of people hostage. Hackers demanded payment for access to critical files and documents, reports ABC News, and the attack quickly spread around the globe through phishing software. But there is a much darker side to cyber attacks, a side with the potential to cost lives.
Cyber attacks are not new, but the concept of a cyber attack on health care facilities appears that way. By some estimates, cyber attacks on health care facilities, especially hospitals, are increasing at alarming rates, with 43 percent of all attacks in the UK impacting health facilities. However, the Cybersecurity Act of 2015 is on the path to bring health care industry security approaches into alignment with modern standards of cybersecurity.
The primary impact of the Act was the establishment of the Health Care Industry Cybersecurity Task Force (HCICTF), and the group’s initial report was just completed and made public in June. Unfortunately, the report details a grave state of health care cybersecurity, highlighted more recently by the Petya ransomware attack in late June.
Although the Petya attack was not as broad as WannaCry, it did appear to impact health care facilities more, reports USA Today. The hack brought the pharmaceutical giant, Merck, to its knees, potentially delaying access to medications and patient-assistance programs (PAPs) for millions of people. But what exactly does a cyber attack on health care look like?
Does it simply mean facilities lose access to patient records, or could it be more sinister?
Unfortunately, the answer can be both, and the latter was just proven to be deadly during a mock cyber attack.
As a health care organization, you are at risk, and the statistics are not in your favor. Health care organizations appear to be a new top target for cyber attacks, which may be due in part to past payment of ransoms demanded, explains Bill Siwicki of Healthcare IT News. Think about everything in your organization that could be impacted, ranging from computers to patient monitors. You are at risk, but you have the opportunity to do something about it. This two-part, in-depth review will give you the information you need to know to understand cyber vulnerability in health care and how to protect your organization.
What Did the HCICTF’s Report Find?
The Task Force’s June Report found significant cyber vulnerabilities for identity theft, ransomware, targeted nation-state hacks, supply chain disruptions, theft of research and development, equipment damage and more in today’s health care systems. Yet, most health facilities lack advanced security talent and systems, meaning the systems used to encrypt patient and facility data typically have minimal security standards. Meanwhile, legacy equipment and systems may not even possess multi-stage authentication, if any login credentials are needed at all. The problem only gets worse from here and includes some of the following findings:
- Legacy systems in health care can have up to 1,400 cyber vulnerabilities.
- Discrepancies between state, federal and local governments make implementing appropriate cybersecurity measures difficult.
- Existing systems make it difficult to detect attacks until after they have occurred.
- Most health facilities assume their cyber vulnerability is low.
- Attacked systems of any type, even computers not used by direct-care professionals, like nurses and doctors, can have a negative impact on patient care.
The Report also tackles the broad definition of health care. Specifically, the Report’s findings are part of a health care ecosystem, comprised of laboratories, blood and pharmaceutical companies, direct patient care systems, like emergency medical services and consumer devices, mass fatality or emergency response systems, health plans and payers (e.g. insurance companies and Medicaid or Medicare), public health centers, federal response and program offices, health information technology (IT) systems, vendors and users, and medical materials—the so-called health care supply chain.
Any of these entities within the health care ecosystem can suffer a cyber attack, and the digital age of medicine makes an attack even more likely. While legacy systems offered internal management of data, located behind the company’s firewall, the need to share data across organizations has meant making data retrievable from third parties, including patient portals and access to protected health information (PHI). This is where the cyber vulnerabilities become known.
Where Are the Vulnerabilities in Health Care?
Cyber vulnerabilities can exist almost anywhere in modern health care. Even legacy systems, when using newer versions of Microsoft Windows, can be susceptible to a cyber attack, as seen with the WannaCry attack. In fact, WannaCry was the result of a security patch error by Microsoft.
Any Device or System Can Be Impacted
Any device or system that can connect across multiple access points may possess vulnerabilities. Unfortunately, newer technologies, like patient activity trackers, pacemakers, ventilators and patient-monitoring systems are at risk too. Some of these systems, like those in a Medical Intensive Care Unit (MICU) could be responsible for life-sustaining measures. If a ventilator is shut down due to a cyber attack, it could result in someone’s death.
A Worst-Case Scenario of Affected Systems
Take a look at this scenario, and see if you can identify what was impacted:
Jane Doe suffered a myocardial infarction yesterday. She underwent a cardiac catheterization, and due to complications, she has been on a ventilator and external pacemaker since the procedure. Her nurse completed her hourly assessment at 0200, 45 minutes ago. The rhythm of the pacemaker is normal sinus rhythm, and there is a continuing chest rise and fall. While working with another patient, her nurse returns to check on her. Upon a quick glance into Jane’s darkened room, the nurse records her vital signs and moves on. Two hours later, the nurse goes into the room to perform another assessment.
Unfortunately, the nurse is unable to find a pulse, and the signs of breathing are absent. Jane’s lips have already turned cyanotic, and the nurse activates a Code Blue. After 45 minutes of running the code, Jane is declared deceased by the physician. Upon further review, the nurse had rechecked Jane’s vital signs only five minutes previously, but the autopsy report finds hypoxia as her cause of death. No other plausible causes of death could be found.
How Is the Example Possible?
The only answer to this scenario is she was not getting any oxygen, so it implies either a problem with the ventilator or the pacemaker. But the EKG report and the logged vital signs indicate Jane was continuing to breathe and maintain a pulse up until the nurse recognized the issue. Upon further review, the problem was not the ventilator, but the system itself.
A cyber attack impacted the health care facility, causing the system to loop the vital sign readings continuously, so Jane appeared to be doing well, recovering from her procedure. Unfortunately, her heart stopped, and she was unable to get oxygen to her brain and body, regardless of the ventilator’s performance.
This example is similar to the mock cyber attack conducted as part of the Task Force’s review of cyber attacks during a Code Blue. The health professionals were unable to identify a problem or reason for their patient’s distressed state until switching to a stand-alone EKG. This showed ventricular fibrillation (V-Fib), but no one could identify the event as a mock cyber attack until they were told what it was.
While this scenario is dark, the actual mock cyber attacks showcased incidents where the responding personnel were able to save the “life” of the mock victim, the mannequin. Moreover, there is no evidence that a medical device has been hacked and resulted in someone’s death as of today. But Dr. Marie Moe, a security researcher from Norway, and her team have successfully hacked both medication infusion pumps and pacemakers, reports ABC News, with the goal of finding better ways to secure these devices.
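The looped-readings scenario above can also be checked for in software, because live physiological readings jitter from second to second while a replayed recording repeats exactly. The following is an added example, not part of the original article or of any monitoring product; the function names, the one-tuple-per-second feed format and the sample data are assumptions made for illustration.

```python
import random

def find_replay(samples, min_period=10, min_repeats=3):
    """Return the shortest period p >= min_period for which the newest
    p * min_repeats samples are one block repeated back to back, else None."""
    n = len(samples)
    for p in range(min_period, n // min_repeats + 1):
        tail = samples[n - p * min_repeats:]
        if all(tail[i] == tail[i - p] for i in range(p, len(tail))):
            return p
    return None

def classify(samples, **kwargs):
    """'ok', 'stuck' (one frozen reading) or 'loop(period=N)' (replayed block)."""
    p = find_replay(samples, **kwargs)
    if p is None:
        return "ok"
    return "stuck" if len(set(samples[-p:])) == 1 else f"loop(period={p})"

def constructed_feed(n, seed=7):
    """Constructed sample data: one (heart rate, SpO2, resp rate) tuple per
    second, with random variation standing in for normal physiological jitter."""
    rng = random.Random(seed)
    return [(round(72 + 6 * rng.random(), 1),
             round(96 + 3 * rng.random(), 1),
             round(14 + 4 * rng.random(), 1)) for _ in range(n)]

LIVE = constructed_feed(120)
LOOPED = LIVE[:60] + LIVE[40:60] * 4   # the last 20 s of real data, repeated
STUCK = LIVE[:60] + [LIVE[59]] * 40    # feed frozen on a single reading

if __name__ == "__main__":
    for name, feed in (("live", LIVE), ("looped", LOOPED), ("stuck", STUCK)):
        print(f"{name:7s} {classify(feed)}")
```

A check like this only sees the data that reaches it, so it complements rather than replaces the stand-alone EKG and manual assessment described in the article.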
How to Recognize the Early Signs of a Cyber Attack in Your Facility
Unfortunately, identifying a cyber attack in health care devices relies on being able to recognize when something doesn’t seem right. In addition, health care professionals in your organization need to be able to respond with traditional assessment tools, including manual assessments, like taking the blood pressure or pulse manually.
While taking vitals manually may seem obvious, some health care professionals may have grown dependent on automation and machinery. So, keeping their skills in check and fresh in their minds will go a long way in recognizing a cyber attack on a medical device or system. But, there are a few other indicators of a possible cyber attack you need to understand.
1. You Receive a Message Indicating a Ransomware Attack
This is the most obvious of cyber attack signs. You may receive a message, akin to the demand for ransom in the WannaCry attack. The message may or may not explain the issue, and it may or may not contain a demand to release the system. However, this pop-up is not linked to your system’s anti-virus software.
2. Systems or Devices Are Failing With No Explanation
Systems and devices that begin to experience failures can point to a possible cyber attack. However, it is impractical to assume any system failure is a cyber attack. So, the general rule of thumb is to take notice when the system or device fails repeatedly with little to no explanation.
3. Legacy Systems Ask for Unusual Information
Legacy systems are at greatest risk for cyber attacks in health care. The key indicator of an attack on this system is phishing for unusual information, like verifying employee portfolios or access credentials. If any such activity occurs, check with your in-house IT department to verify its authenticity.
4. Email Addresses From Coworkers Are Slightly Askew
Another indicator of phishing lies in emails and communications between users of the system. Always check the email addresses of incoming messages before opening them. If the email address appears to be incorrect, like firstname.lastname@example.org, when email@example.com is correct, it may indicate a possible phishing attempt.
Notice the use of “s” in place of “z” within the domain name, healthcareorganization.edu.
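A mail gateway or help-desk script can make the same comparison automatically instead of relying on a reader to spot a single swapped letter. The following is an added example, not part of the original article; it uses the article's healthcareorganization.edu as the trusted domain, and the function names, the distance threshold and the sample senders are constructed for illustration.

```python
from email.utils import parseaddr

TRUSTED = {"healthcareorganization.edu"}  # the organization's real domain

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def sender_verdict(from_header, trusted=TRUSTED, max_distance=2):
    """Classify a From: header as 'trusted', 'lookalike' or 'external'."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    for t in trusted:
        # A near miss (one or two changed letters), or the real name used as
        # the leading labels of somebody else's domain.
        if edit_distance(domain, t) <= max_distance or domain.startswith(t + "."):
            return "lookalike"
    return "external"

# Constructed sample senders, not taken from real mail.
SAMPLES = [
    "Jane Doe <jane.doe@healthcareorganization.edu>",
    "Jane Doe <jane.doe@healthcareorganisation.edu>",          # "s" for "z"
    "IT Helpdesk <it@healthcareorganization.edu.example.net>",
    "newsletter@example.org",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{sender_verdict(s):10s} {s}")
```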
5. Secure Accounts Are Locked When You Try to Log In
Unless you have recently changed passwords, you should not experience any issues when logging into your systems. If your accounts are locked or do not respond to the correct password, it may indicate a cyber attack.
6. Malware Pop-Ups Begin to Occur With Increased Frequency
Malware pop-ups controlled by your system’s anti-virus software may begin to occur, and their frequency will increase. Unfortunately, some of these pop-ups can act as the means of infection, so avoid clicking on anything that pops up on the system. In addition, you should immediately close out any system currently open in your computer or device, and if necessary, reboot the system. This will erase the RAM on the device.
7. A Sudden Change in Speed and Performance Occurs
Viruses take up processing power and speed in computers and devices. Unexplained changes in speed or performance, like the prolonged loading of webpages, may point to infection. But try restarting the device first. If it continues, an infection is the likely culprit.
8. New Toolbars or Features Appear
One of the common indicators of a malware infection or cyber attack is the appearance of systems, programs and toolbars that were not installed by you. These toolbars may appear to be part of your browser, or they may exist as stand-alone systems on your device. If they appear, do not click on any of their components as it may activate the virus or malware. Instead, notify your organization’s cybersecurity department.
What About Preparing for and Responding to Cyber Vulnerabilities and Attacks in Health Care?
It can seem like everything and everyone using the internet is out to get your organization, but that is simply untrue. There are good hackers in the world, like Dr. Marie Moe, who work to improve cybersecurity for at-risk devices, companies and systems. But, you still need to know what to do if an attack occurs, which will be discussed in further detail next, in Part II of this series.