New Brunswick

Health care system a tempting target for cybercriminals

When it comes to cybersecurity, modern health care is in dire need of an emergency triage.

Health care system should examine itself for hackable components that endanger patients

Hackable medical devices include some pacemakers. (FlickrCC)

When it comes to cybersecurity, modern health care is in dire need of an emergency triage.

In the past year, the threats to hospitals, doctors' offices and other health-care services have ranged from cybercriminals holding patient records for ransom to malicious software crippling diagnostic equipment and cancelling surgeries.

We've also seen headlines about hackable medical devices, including insulin pumps and pacemakers, which could have fatal consequences.

It all adds up to a desperate need for more attention on protecting patients from digital diseases.

An unhealthy environment

To put things in context, five of the largest data breaches in health care occurred in 2015 alone, putting 100 million patient records in the U.S. at risk.

Last year, IBM published a report stating that health care had surpassed banks as the number one target for cybercriminals worldwide, a statement that has since been borne out in dozens of attacks around the world.

In May 2017, as a result of the WannaCry ransomware attack, the world experienced the worst yet attack on health care, when dozens of British hospitals lost access to patient records and critical diagnostic equipment such as X-rays and blood lab equipment was disabled.

Finally, the most disturbing recent trend in health care cybersecurity was the discovery of an advanced attack specifically targeting hospitals in Israel, which may have been the work of activists or a hostile government and offers a glimpse of the kind of attacks that countries may launch on each other.

Pushing our luck

So far Canada has been extraordinarily fortunate and hasn't had to deal with the attacks we've seen worldwide, but that has much more to do with luck than preparedness.  

A hospital in Ottawa had a small ransomware outbreak in 2016.

But it's also hard to tell the full extent of attacks against Canadian hospitals because unlike in the U.S., there aren't as many legal requirements to disclose attacks to the public.

There are several reasons why health care is a tempting cybercrime target.

First, health care in the U.S. and in many parts of the world has the most valuable client records.

Patient records in the U.S. contain not only medical information that a criminal can use for extortion or blackmail, but also detailed financial information.

Records susceptible to attack

Second, patient records — particularly for those patients in critical care — have minute-by-minute or hour-by-hour crucial information. Losing that data can put lives at risk.

This has made health care extraordinarily susceptible to so-called ransomware attacks because they can't afford to do real-time or hourly backup systems, and at best a daily backup system would still put lives at risk.

So hospitals hit with these attacks have largely been paying the ransoms, which has just fuelled more attacks.

Third, health care cybersecurity, on average, is abysmal.

For many health care systems, IT is seen at best as a cost centre, something to be managed extremely frugally so that more money can be spent on frontline services such as doctors or nurses.

Cybersecurity is often extremely underfunded, with some estimates placing the average health care cybersecurity spend at half of what the average spend is for all organizations, and given that they're the number one target, the numbers don't paint a rosy picture for future success.

The fact that Canadian healthcare records aren't tied to financial records may be one reason why we've been less of an attractive target than healthcare systems in other countries, but we'd be just as susceptible to extortion attempts.

Getting personal

Perhaps the most intimate and single greatest risk to individual patients is the ability to manipulate medical devices to cause harm. In the last few years, we've seen a growing threat and an inadequate response from governments.

Researchers have been warning us about hackable medical devices for years. It started with a famous U.S. hacker and security researcher named Barnaby Jack, who showed he could cause personal insulin pump implants to deliver fatal doses of drugs by hacking them wirelessly from up to 300 feet away.

A couple of years ago, a major medical device manufacturer was forced to put a recall out for another kind of IV-drug pump found in many ERs and patient rooms that could be hacked and have the doses changed if it was connected to a network.

Lives at risk

And last year the most significant risk yet was highlighted when security researchers showed some models of pacemakers made by St. Jude Medical, with home base stations connected to the internet to allow for data to be sent to hospital and doctors, could be hacked and put patients' lives at risk.

That case, which went public last summer, initially resulted in the company's denial of the risks, which by fall 2016 had been proven by independent researchers.

In January, the company put out a software patch for the devices, but in February the U.S. Food and Drug Administration warned the patches were inadequate. In a stern letter, it said the issues remained in April 2017.

Health Canada says it was made aware of the risks involving some St. Jude Medical devices that have internet connectivity and has been working with the manufacturer as it continues to release updates to patch its devices, including pacemakers.

The updates are expected to roll out over the rest of the year, meaning it will have taken more than a year to address the issues after they were first revealed.

Protecting health system and devices

The first thing we have to do is make sure our hospitals and health-care systems have the funding and resources to protect patient information and critical hospital systems.

But we also need ways to audit or verify the safety of those systems and high level results should be public.

I know some folks here in New Brunswick are working extremely hard to protect our  health-care system and they've made great strides.

Securing our hospitals and health-care IT systems properly is going to cost us more and we shouldn't begrudge that.

But given the importance of the system, our elected officials should be asked about how we're doing on health-care cybersecurity.

Securing our hospitals and health-care IT systems properly is going to cost us more and we shouldn't begrudge that spending or question why it isn't going to more doctors, nursing or health care professionals – yes, they're absolutely critical but this isn't an either/or issue.

It's both. We need these systems to help our medical professionals do their incredibly tough jobs and these systems need to be protected. We need our hospitals to be resilient.

The second thing we need to do is to have much better regulations and requirements on medical device cybersecurity.

Often, we rely too much on the U.S. Food and Drug Administration for leadership in this area – at our peril.

There are no hard rules and regulations specifically around medical device cybersecurity. Instead the FDA has "guidelines" that make three groups responsible for cybersecurity: manufacturers, hospitals that integrate these technologies and patients.

As with vehicle cyber safety, we need much more clarity about who in Canada is the lead for medical device cybersecurity, how manufacturers are going to be held accountable for making sure their devices are safe or correcting issues in a timely manner and what penalties they'll face if they fail to do so.

About the Author

David Shipley is the CEO and Co-Founder of Beauceron Security Inc., a New Brunswick-based cybersecurity software firm with clients across North America. David is a certified information security manager and frequently writes and speaks about cybersecurity issues across North America. Over the summer he is exploring a variety of cybersecurity issues in a weekly column for CBC Radio New Brunswick.