According to a recent report in TechCrunch, over one billion medical images from patients around the world — including CT scans, X-Rays, ultrasounds — are available online for download to anyone with “an internet connection and free-to-download software.” It’s a pretty jarring number and while it is sure to get people talking, the question is: will this revelation change anything?
More vulnerabilities are being found in in the healthcare space, and yet very little action seems to come as a result. It’s a damning indictment on the state of digital risk management in healthcare today, but the fact is that it’s not even surprising anymore.
While more than 50% of healthcare leaders report that “contending with fast evolving cyber threats” is the single greatest challenge facing the industry, 32% still admit to never auditing their medical devices for known vulnerabilities!
From top to bottom, security in the medical industry is treated as a secondary issue and not a primary concern. Medical device manufacturers, hospitals and regulators acknowledge the problem, and yet too few are proactively investing and taking the necessary steps to improve their cyber postures.
The medical community has seen the amount of patient data exposed nearly triple year-over-year for the past two years — going from 15 million breached patient records in 2018 to some 40 million in 2019: and the numbers show no signs of slowing down.
The Double Edge Sword
Even when the system works exactly as designed, every vulnerability disclosure is a double edged sword. While equipping device manufacturers and healthcare providers with the ability to patch their vulnerabilities and improve security, it also shines a spotlight on design flaws that can be exploited in the wild. That’s when everything goes to plan. Unfortunately, the real world is messy and things don’t always go as intended.
The point then is that the system designed to protect us is not in itself strong enough to “get the job done”. That will require a degree of proactivity and conscientiousness from all involved, and a commitment to the mission of hunting down and rooting out unnecessary security risks. So far that’s been far from the case.
Almost three years ago, the WannaCry ransomware attack knocked NHS computers offline, impacting patient care with 19,000 appointments cancelled and costing an estimated £92m to the NHS. Despite the aftereffects of the breach and numerous patching guides published, hundreds of thousands of devices remain vulnerable to the exploit.
According to a 2019 report, 71% of medical devices run on Microsoft legacy systems that were no longer supported as of January 14, 2020 and the security of these devices will be even more precarious than before.
Medical devices are still manufactured with generic passwords available in the manufacturer’s manual — often hard-coded and unchangeable by the user. At the same time, healthcare providers are still failing to act with the required alacrity to improve security protocols and update software. In fact, a recent CyberMDX survey found that less than 40% of hospitals install security updates as they’re issued. The rest continue to run deprecated and vulnerable software for extended periods of time.
How deep does the problem go? Well the TechCrunch article about the billion+ exposed medical images doesn’t pertain to a difficult-to-solve or hard-to-manage security issue, but a super simple and easy-to-avoid server misconfiguration.
What Will It Take to Create Change?
Given the state of security across the medical community, the threat of potential monetary fines or the PR impact doesn’t seem to motivate the industry at large to action. Those that have experienced a ransomware attack or have a vulnerability exposed in the media are shamed into patching their security, but this is hardly a good strategy for improving the situation on a meaningful scale.
While oversight bodies such as the United States’ Cybersecurity and Infrastructure Security Agency (CISA) work to bring greater awareness to the issue of digital vulnerabilities in public infrastructure and industrial control systems, there are limits to their influence and power. CISA is meant to encourage security research and coordinate the dissemination of vital cybersecurity information through its alert and advisory system, but the body lacks a strong enforcement mechanism to compel best efforts from device manufacturers.
As a result, even when the agency is engaged by a responsible party with important information about insecurely designed medical devices, the process of disclosing that information to the parties at risk can be needlessly dragged out and endlessly debated while, unbeknownst to them, patients may be placed in a state of persistent risk.
The FDA also has a role to play, but short of issuing wide scale recalls on account of cybersecurity issues — which seems a particularly remote and unnecessarily disruptive prospect — there is no reliable way to enforce cyber secure design and management of medical technologies.
The threat of steep financial penalties may offer the jumpstart the community needs. If a regulatory body had the capability to issue burdensome fines for security and management negligence, manufacturers and healthcare providers might finally forego finger pointing and buck passing to make much needed improvements to their own internal processes.
One thing is certain: if we don’t at least try to add some new and more powerful incentives to the equation, nothing will change soon. That is unless, left to its own devices (pun very much intended), the course of nature introduces its own corrective forces. But we’d be wise not to wait for that.
Already last year, a joint research paper out of Vanderbilt and University of Central Florida noted a 3.6% increase in cardiac event fatalities at hospitals that recently suffered cyber attacks. That means that, all other things being equal, for every 30 cardiac event patients admitted, statistically, one would die in an impacted hospital that would have survived elsewhere. Think about that for a moment. That’s where things stand today. How much worse does it need to get for us to begin acting responsibly?
If it’s not already abundantly clear that our lax attitudes to cybersecurity in hospitals amounts to a game of chicken, it will likely soon become clearer. The thing is we don’t actually need to wait for a soul shaking wakeup call just to wake up. We need to act now and we need to use all available instruments to compel others to act too.