Ransomware and denial of service attacks are just a glimpse of things to come: hospitals are the next big target for cyber-attacks and the introduction of Internet of Things (IoT) devices makes healthcare even more vulnerable.
Connected medical devices can bring increased patient safety and efficiency, particularly if connected to clinical information systems, but European tech security agency ENISA is warning that introducing such technologies also increases risks.
As a result, it said, hospitals need to change their attitude towards security: "The need for improved, and even remote, patient care drives hospitals to transform by adapting smart solutions, ignoring sometimes the emerging security and safety issues. Nothing comes without a price: hospitals are the next target for cyber-attacks," ENISA warned.
"As the attack surface increases with the introduction of connected devices, the attack potential grows exponentially," the report said. It said healthcare organisations should set specific IT security requirements for IoT components and identify how they will be interconnected, or connected to the internet. The report argues that device manufacturers need to involve hospitals from the very beginning when designing systems and services.
ENISA executive director Udo Helmbrecht said: "Interconnected, decision making devices offer automation and efficiency in hospitals, making them at the same time vulnerable to malicious actions."
The report warns that there are "several serious vulnerabilities that come with the use of IoT in healthcare that are difficult to address."
Part of the problem is that hospitals contain all sorts of data that is tempting to hackers. Personal health information is considered even more valuable than financial information by criminals, while cracking hospital systems could also give them access to prescription drugs.
"There is an increasing level of dependence on IoT devices, which are not known for being particularly resilient. Our dependence on connected technology is growing faster than our ability to secure it - in areas affecting human life and public safety a higher standard of care is warranted. This is particularly true for some medical devices that are vitally necessary for the survival of patients," the report said.
Unfortunately, IoT start-ups often consider security to be a low priority, or an expensive headache that can be dealt with later on. That's a problem when those systems can potentially make the difference between life and death.
"When implementing IoT solutions the components are chosen for their low cost and specific capabilities; however, the capabilities are significantly below what might be justified when the assets protected are human life, and security costs may be a significant portion of the cost, or even greater than the cost of the components. Prevalent vulnerabilities, however, do not only facilitate malicious actions, they may also increase the likelihood and impact of human errors and system failures," the report warns.
It sets out a number of concerns about the use of IoT devices in healthcare, including:
The communication between smart devices and legacy systems can also create gaps and offer opportunities for malicious attackers to gain illegal access to systems and data. "The introduction of new components introduces a new attack surface," it warns.
IoT devices dispersed widely across a hospital make it practically impossible to guarantee their physical security, leaving them open to the risk of being stolen or compromised; "more protection is needed," says the report.
Because medical devices are built based on "intended use" cases, designers do not consider the risk of "unintended use" or "abuse" cases. "This posture leads to a number of systemic vulnerabilities and risks throughout the healthcare ecosystem," it said.
Massive rollouts of standard IoT devices make it worthwhile for hackers to investigate viable attack paths. While device manufacturers and security companies need to remove all vulnerabilities, criminals only have to find one, it notes.
Lifespan is another issue: by the time a hospital manages to get IoT devices they may already be out of date. Under EU legislation, it takes almost three years from design to testing and production of a medical device like an MRI machine, which means that IoT components built on top of such devices could be antique before they are installed.
The report warns that IoT devices run embedded operating systems and applications with little if any malware detection or prevention capabilities. The small size and limited processing power of many connected devices often inhibit encryption or other robust security measures, and it is often impossible to reconfigure or upgrade devices.
There is often no clear way to alert the user when a security problem arises, which means an IoT security breach could persist for a long time before being detected and remediated.
"It has already been shown, however, that compromised medical devices acted as bridgeheads for further malware proliferation in hospitals. In healthcare this is especially important, because the traditional security mechanisms may 'fail closed' by denying access - but that may put patient safety at risk more than 'fail open' which grants full access."