Hacking hospitals: Cyber attacks can result in physical harm
Independent Security Evaluators (ISE) published a study demonstrating that security flaws are pervasive within the healthcare industry.
The research found that adversaries could deploy cyber attacks that result in physical harm to patients. 100% of the hospitals investigated had very serious security issues, suggesting broader implications across the entire industry.
Examples: Hacking hospitals
This in-room mobile workstation was left unlocked by hospital staff during an actual patient’s stay at the E.R. Researchers were able to keep the session active as long as necessary by interacting with the mouse and keyboard.
The following diagram shows how an attack that disrupts the accurate delivery of medicine can directly affect a patient’s health. In this case, the attack alters a medicine dispensary’s inventory so that it produces the wrong medicine or the wrong dosage.
“The industry today is focused almost exclusively on protecting patient records,” notes ISE founder Steve Bono. “We set out on this research to determine what are the threats to patients’ lives, and how realistic are those threats.” Bono explains the research impact, stating, “We found those threats to be very real, and worse still, the industry is ill-prepared to effectively deal with them.”
Over the course of 24 months, the researchers investigated 12 healthcare facilities, 2 healthcare data facilities, 2 healthcare technology platforms, 2 active medical devices, and a host of other devices and applications.
The research proved that remote adversaries can deploy attacks that target and compromise patient health. “Security vulnerabilities in healthcare are a result of systemic business failures,” says Ted Harrington, Executive Partner at ISE. “We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness, and many more.”
ISE’s first presentation of the hacking hospitals research will happen at RSA Conference in San Francisco.