There are many reasons why healthcare institutions have poor cybersecurity: most resources go towards providing patient care and not enough is left for cybersecurity; not all hospitals have a dedicated cybersecurity team; cybersecurity policies and authentication procedures are difficult to implement because of the many users who rotate within the hospital, and more.
In a recent paper, though, Trend Micro researchers zeroed in on two particular risks that these organizations are susceptible to and that, in the researchers' view, are not getting enough attention: Internet-exposed devices and threats to their supply chain.
By leveraging the IoT search engine Shodan, the researchers have discovered exposed medical systems, healthcare software interfaces (patient scheduling/appointment, patient record maintenance), misconfigured hospital networks, industrial controllers, protocols and databases that should not be viewable publicly.
One of the more common medical systems that they found exposed online was pharmacy management software.
“This specialized software is used by pharmacies for various integrated management functions such as drug inventory, drug ordering, OTC management, narcotics tracking, patient data, patient prescription history, point-of-sale (PoS) transactions, drug insurance claims, prescriptions and refills, label printing, etc. Hospital pharmacies use similar management software that are integrated with the hospital’s EHR/EMR systems and with the automated drug dispensing machines found in clinical departments and patient care floors,” the researchers noted.
“Exposed medical systems can potentially jeopardize critical data such as patients’ PII, medical records, and financial/insurance information. Perpetrators can also disrupt hospital, clinic, and pharmacy operations by corrupting the data, issuing incorrect device commands, infecting the systems with ransomware, etc.”
Supply chain attacks
Entry points that threat actors can use to compromise the hospital supply chain range from manufacturers to distribution centers and transportation companies, from third-party contractors to developers of software and mobile apps hospitals use, from past staff to non-core services staff.
“Supply chain threats arise as a result of outsourcing suppliers, and the lack of verifiable physical and cyber security practices in place at the suppliers,” the researchers pointed out.
“Suppliers do not always vet personnel properly, especially companies that have access to patient data, hospital IT systems, or healthcare facilities. Vendors do not always vet their own products and software for cybersecurity risks, and may also be outsourcing resources as well.”
Insights and advice
To help those in charge of healthcare institutions’ cybersecurity efforts, the researchers pointed out the common cyberattack vectors across critical systems inside hospitals and applied the industry-standard DREAD (Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability) threat model to calculate the risk ratings for these vectors.
They also offered advice on how to prepare adequate defenses, based on the HITRUST Common Security Framework (CSF). (The framework can be used by all organizations that create, access, store or exchange sensitive data, and takes into consideration the regulations and standards relevant to the healthcare industry: HIPAA, PCI-DSS, ISO, NIST and GDPR.)
This advice includes technical and non-technical recommendations, as well as pointers on how to manage supply chain threats.