Do No Harm. Matthew Webster
but as adoption of internet-connected medical devices continues to rise, so will the associated risks. If COVID-19 has taught us one thing, it is that tragedy for some is an opportunity for others. From a cybersecurity perspective, it is important to understand who these actors are, what they are motivated by, and how can we stop, or at least reduce, the number and/or effectiveness of these attacks.
Before we can do this, it is extremely helpful to understand why poor security on internet-connected medical devices is such a challenge for IT and cybersecurity practitioners and why the devices have so many challenges to begin with. Looking at poor security as an origin story provides us with the context for understanding how to proceed. The world of IT, and especially internet-connected medical devices, is filled with a complex interrelation of social, technological, and economic challenges. It is important to understand this complex relationship if we are to devise a strategy for best protecting the devices, our hospitals, and the associated data.
As you read this first part of this book, keep the bigger picture in your head in order to more fully understand how we ended up where we are today. We have legal requirements that are not always followed by manufacturers, which creates both challenges and victories for protecting our healthcare, our data, and occasionally our lives.
CHAPTER 1 The Darker Side of High Demand
The road to Hell is paved with good intentions.
—Henry G. Bohn, A Handbook of Proverbs, 1855
“First, do no harm” is attributed to the ancient Greek physician Hippocrates. It is part of the Hippocratic oath. The reality is that every day, doctors and hospitals need to make decisions about how to best help patients under the existing conditions. If doctors need to operate, they may harm the patient by making an incision—sometimes to save a patient's life. This is a calculated and acceptable harm from a moral perspective.
What isn't always as obvious to hospitals is the harm introduced by using an internet-connected medical device. In many cases, such as in hospitals, the doctors may have limited input about which devices are chosen for their environment. These devices have critical medical value not only for the hospital or doctor's office, but also from the patient's point of view. They are at the forefront of today's medical transformations. Often the harm that is introduced is unknown, unseen, or downplayed—if it is assessed at all.
This chapter explores, at a high level, the state of internet-connected medical devices and how those devices are impacting hospitals and unfortunately, and indirectly, human life. More importantly, this chapter covers the overall trends related to hospitals, partially as a result of internet-connected medical devices and how businesses evolved to the state they are in today. First, we need to understand the risks that internet-connected medical devices pose.
Connected Medical Device Risks
What exactly are the risks related to internet-connected medical devices? The hit TV show Homeland popularized the idea of an attacker assassinating someone by taking over a pacemaker. While this is not beyond the realm of possibility, the most common forms of attack utilizing internet-connected medical devices are ransomware and distributed denial of service attacks (DDOS).1 In the former case, the attacker takes over a system (often with malware, but sometimes with a password) and prevents (often through the use of encryption) the end user from using the system. In latter case, the attacker will own the device and use it to attack other sites.
Ransomware
Ransomware is essentially software that prevents systems from running. Criminals require that the owners pay to be able to gain access to their own systems. Imagine you had pictures of your family on your home computer and you could no longer access them unless you paid a fee. Now imagine critical medical systems rendered inoperable instead of family pictures. To make matters worse, once attackers are inside of systems, they often leave behind a way to gain access to them over and over again—meaning they are more susceptible to future attacks. This trend has only increased in the time of COVID. Obviously, the attackers do not care about the lives of others enough to not do the attacks.
Ransomware has been evolving tremendously over the last few years, and the number of the ransom demands has gone up significantly from a few years ago. In 2019 alone, 764 healthcare providers in the United States were hit with ransomware.2 One might be tempted to think that the attackers would not go after hospitals in a time of a global pandemic, but while this is the case for some attackers, the reality is that ransomware attacks are on the rise since COVID-19 hit.3 What is worse is that while ransom demands used to be a few hundred dollars, now they are growing and are often more than a million dollars. With so much to gain, it is no wonder that ransomware demands are on the rise. Clearly, hospitals have a great deal of risk related to ransomware.
The effect that ransomware has had on hospitals is crippling. The attackers are well aware that COVID-19 has severely stretched the resources at hospitals. They know that this is a life-and-death situation, which makes hospitals even more likely to pay the ransom,4 especially the smaller hospitals that may not have as mature of an IT and/or security program in place to protect their environments from the ravages of ransomware.5 Essentially, they are easier targets. Sadly, even larger, more mature organizations are susceptible to ransomware attacks, but can sometimes respond to them more effectively.
September 10, 2020, unfortunately marks a grim milestone for ransomware—the first indirect death. A patient was rerouted from Duesseldorf University Hospital in Germany as 30 of its internal servers were hit with ransomware. As a result of the subsequent delay getting the much needed medical treatment, the patient died.6 This particular attack was aimed at Heinrich Heine University and mistakenly hit the hospital because it is part of the same network. In this case, the perpetrators provided the keys to decrypt the systems and withdrew their extortion demands, but despite that, the hospital's systems were disrupted for a week.7
That was not the only death associated with ransomware in September 2020, unfortunately. Universal Health Services (UHS) was hit with a massive ransomware attack. UHS is a Fortune 500 company with more than 400 healthcare facilities in the U.S. and the UK. It provides services to more than 3 million patients yearly. In many cases whole hospitals were shut down and services were rerouted to other hospitals. Because of this rerouting of services, four people died.8 With the frequency of ransomware growing, these kinds of problems will not only continue, but will likely become worse before they get better.
It is important to note that medical devices are not the only avenue for ransomware attacks, but they are, arguably, the most egregious vector due to the gaps in their fundamental security, inability to patch cybersecurity flaws in some circumstances, and the volume of problems they have—especially in the long run. One report shows that malware against internet-connected devices (not just medical devices) is up 50% from 2019.9 That being said, they are a unique avenue due to the kinds of flaws they have. For example, the range of flaws in today's internet-connected medical devices is staggering. Take medical imaging devices: 70% of the devices are based on retired operating systems or systems that are under limited support.10 The potential for vulnerabilities is extremely high. In many cases internet-connected medical