Can patients feel safe? IT systems in the healthcare sector as a target of attacks by cyber criminals.

The health service must immediately implement professional IT security solutions.

Under current law, from August 1, 2017 (i.e. in a little more than a year), medical documentation will have to be kept only in electronic form.

Although the date of entry into force of the provisions on electronic medical data of the "Act of April 28, 2011 on the information system in health care" has been postponed many times, and this may also be the case this time, we must take into account that this moment is inevitably approaching and will eventually come.

Undoubtedly, the implementation of the provisions of the Act and the ordinances of successive Health Ministers regarding electronic medical documentation imposes a gigantic and very responsible implementation task on the entire healthcare system. I really hope that the whole project will be successful. The consequence of launching electronic medical information systems will be increased requirements for the security of information systems in hospitals, clinics and other health care facilities.

There are several important places in medical information systems that can be vulnerable to cyber threats:

  • Databases of personal data,
  • Patient health databases,
  • Life support systems and patient condition monitoring,
  • HIS (Health Information Systems) in the medical and administrative part,
  • Medical equipment,
  • Other systems that may affect the implementation of key processes.

In January 2016, a spokesman for the Hospital in Ottawa reported that 4 of the nearly 10,000 computers in the hospital had been hit by ransomware. This type of malware, once a user clicks on an attachment in an email, or on a link in an email or on a website, blocks files on the infected computer by encrypting them. After paying the ransom, the attack victim receives a key that makes it possible to open the encrypted files again. In the case of this attack, the hospital did not pay the ransom, and IT services wiped the contents of the disks and restored the data from backups. The hospital said patient data was not at risk.

However, it is not always possible to follow such a procedure.

Some systems at the Hollywood Presbyterian Medical Center in Los Angeles were attacked on February 5, 2016. Allen Stefanek, director of the hospital, announced that cyber criminals had been paid a ransom of $17,000 (NBC 4 reported a ransom of $3.7 million) because it was "the fastest and most effective way" to regain access to data. The attack cut off access to hospital databases and completely paralyzed electronic communication between doctors and medical staff, which forced the use of traditional methods such as handwritten documents and telephones when serving patients. Doctors in the 434-bed neonatology unit sent imaging data and patient cards via fax. The emergency room was paralyzed and 911 patients had to be served in other hospitals.

The investigating police and the FBI said the perpetrators of the attack were being intensively sought and that there was no evidence of a leak of medical data.

One of the best clinics in Germany, Lukas Hospital in Neuss (North Rhine-Westphalia), had similar problems, also in February 2016. The attack made it necessary to postpone 20% of scheduled operations and to perform life-saving procedures in other hospitals.

According to the portal wired.com, many medical devices are vulnerable to hacking attacks. Among them are devices whose malfunction may lead to the death of the patient. The list includes pacemakers, insulin pumps, drug dispensers, X-ray machines, tomographs, blood coolers, and more. Here are some examples.

The Hospira LifeCare Drug Infusion Pump, a drug dispenser, allows unauthorized access, which makes it possible to change the doses of administered drugs and even to administer a lethal dose of a drug. There are 400,000 devices of this manufacturer in the world.

The Medtronic Paradigm 512, 522, 712 and 722 insulin pumps use unencrypted commands for control. For this reason, it is possible to send unauthorized commands to the device and thus change the doses of the administered hormone, up to and including a lethal dose.

An Implantable Cardioverter Defibrillator (ICD) is a device implanted in the patient's body which, after detecting signs of impending cardiac arrest, generates a shock that restores the heart's proper functioning. Many of these devices have a Bluetooth interface that is used for calibration and testing immediately after implantation into the patient. Access to the ICD is secured with a simple password that a hacker can guess relatively quickly. After establishing access to the device, it is possible to generate unwanted discharges and disturb the heartbeat.

Modern X-ray devices are equipped with their own disk space for storing image data. Access to it requires entering a password, and each access is also logged: who viewed individual images and when. However, testers found that in many cases the images are backed up to protect the data, and access to the backups is no longer authenticated and individual accesses are not logged.

Blood coolers are devices designed to store blood in the right conditions. For this reason, they are equipped with monitoring systems that send notifications via e-mail or SMS about deviations from the programmed temperature. Via the built-in web interface, it is possible to read various device parameters and also to change them. Unfortunately, some of these devices have hard-coded default passwords, which allows unauthorized access. This makes it possible to change the temperature setpoint and to turn off the system that notifies about improper temperature inside the device.

Some CT (computed tomography) devices are vulnerable to attacks that modify their configuration files. This makes it possible to change the patient's exposure parameters during the examination, including the power and duration of irradiation with the X-ray beam. As modern tomographs perform up to 2,000,000 projections, this may have a significant impact on the patient's health.

Some of the vulnerabilities result from errors in the device software, others simply from administrators leaving in place default passwords that are available on the Internet. It is worth adding that, due to errors in the configuration of the LAN and of its connection to the Internet, some medical devices are even visible outside the hospital's internal network, i.e. to every Internet user in the world.
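As an added illustration (not part of the original article), the following Python example audits a device inventory for the configuration weaknesses described above: default passwords left in place, backups that are neither authenticated nor logged, and device addresses outside the internal network. The inventory, its column names, the internal address range and the list of life-affecting device kinds are all assumptions constructed for this example.

```python
import csv
import io
import ipaddress

# Constructed inventory; columns and values are assumptions for this example.
SAMPLE_INVENTORY = """\
name,kind,address,default_password,backup_auth,backup_logged
pump-ward3,infusion pump,10.20.3.15,no,,
xray-1,x-ray,10.20.8.4,no,no,no
cooler-lab,blood cooler,203.0.113.25,yes,,
ct-2,ct scanner,10.20.9.7,no,yes,yes
"""
# Assumed internal address space of the facility.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumed classification of device kinds whose failure can directly harm a patient.
LIFE_AFFECTING = {"infusion pump", "insulin pump", "icd", "ct scanner", "blood cooler"}


def audit_device(row):
    """Return the list of findings for one inventory row."""
    findings = []
    addr = ipaddress.ip_address(row["address"])
    if not any(addr in net for net in INTERNAL_NETS):
        findings.append("address outside internal network")
    if row["default_password"] == "yes":
        findings.append("default password still set")
    # Blank backup fields mean the device keeps no backups of its own.
    if row["backup_auth"] == "no":
        findings.append("backups readable without authentication")
    if row["backup_logged"] == "no":
        findings.append("backup access not logged")
    return findings


def audit_inventory(text):
    """Audit every device; life-affecting devices with the most findings come first."""
    report = []
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_device(row)
        if findings:
            report.append((row["name"], row["kind"] in LIFE_AFFECTING, findings))
    report.sort(key=lambda r: (not r[1], -len(r[2]), r[0]))
    return report


if __name__ == "__main__":
    for name, critical, findings in audit_inventory(SAMPLE_INVENTORY):
        print(name, "CRITICAL" if critical else "-", "; ".join(findings))
```

An address inside the internal range does not by itself rule out exposure through a port forward, so the firewall and NAT rules need the same review.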

Due to the complexity of the treatment process and other processes carried out in health care, the importance of IT solutions in medicine will surely increase systematically. For this reason, professional information security solutions should be implemented immediately.

Among the elements of IT systems that should be given special attention, I would mention:

  • Data processing centers,
  • Computer networks and the connection to the Internet,
  • HIS systems,
  • E-mail and access to Internet resources,
  • User computers and mobile devices (tablets, smartphones),
  • Medical equipment,
  • Monitoring and access control systems.

The specific actions to be taken are:

  • BIA (Business Impact Analysis), i.e. the study of the impact of various types of disruptions on key processes,
  • Periodic security audits and penetration tests,
  • Implementation of post-audit recommendations,
  • Implementation and supervision of the security policy,
  • Implementation and supervision of routine safety-related activities.

All the above-mentioned activities may be performed by hospital IT staff, specialized organizational units or external companies under outsourcing agreements. In the current reality of health care, taking into account the effectiveness of operations and current operating costs, a reasonable option that brings results quickly is the use of specialist external companies.
