Updated: Nov 14, 2019
Before analysing the cyber threats in healthcare, we need to clarify the notion of critical infrastructure. In the past the term “infrastructure” was related to nation’s public work but, with the advent of terrorism, there was a reshaping of the term, framing it in the context of homeland security.
We must go back to Clinton Administration in order to understand this framing. In 1996, former President Clinton signed executive order 13010 that defined infrastructure as:
“the framework of interdependent networks and systems comprising identifiable industries, institutions (including people and procedures), and distribution capabilities that provide a reliable flow of products and services essential to the defence and economic security of the United States, the smooth functioning of government at all levels, and society as a whole.”
In the list of the critical infrastructures given by the executive order 13010, it’s possible to find the healthcare industry. After the attack of 9/11, the Patriot Act gave a more clear-cut definition of critical infrastructure:
“Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
It is clear that hospitals’ infrastructures, at least in the American legislation, fall into the list of Critical National Infrastructure. But what makes them so critical? The “Sector Resilience Report” issued by the Department of Homeland Security stated that: “the sector has a critical role in preparedness and response for all hazards and is responsible for mitigating the physical and psychological health impacts associated with the incidents”.
The report cited cyber threats as one among many other risks for healthcare infrastructure. Indeed, it’s clear that cyber-attacks can easily put in severe difficulty the normal work-flow into a hospital. In the worst of the hypotheses, they can put people’s lives in danger. Cyber-attacks, obviously, are not the only threats to hospitals.
A satisfactory list of potential incumbent dangers over hospital infrastructure could be the following: physical attacks, natural hazards and public health emergencies.
Hospitals have high standard performances with technological advancements. They are doing so well that it’s possible to speak about “smart hospitals”. Massive use of advanced ICT profoundly ameliorated the healthcare services for patients, but it opened doors for malicious cyber attackers.
They can exploit the vulnerabilities of information system (IS) and deploy different types of attacks against healthcare organisations. Speaking about cyber threats against healthcare and medical devices, it is easy to think about the famous American TV show “Homeland”. In the episode “Broken Heart”, Brody was ordered by Abu Nazir to enter Vice-President Walden’s office and take the serial number of the VP’s pacemaker. Abu Nazir told Brody that he could use the serial number to manipulate the pacemaker wirelessly. Brody sent the serial number via message to Nazir and an associate of Nazir killed Walden, procuring him a heart-attack just by hacking the pacemaker.
Were the people worried about this possible scenario? In a poll conducted in 2016 by Black Book over a population of 12,090 Americans, 57% of the respondents were worried and sceptical about the utility of certain technologies in hospitals. Data hacking and lack of privacy, for instance, were top concerns. Consequently, lethal hacking of medical devices was not perceived as a concrete risk, because it never happened that in real-life a pacemaker got hacked.
Nevertheless, it doesn’t mean that this type of attack can’t happen. Indeed, this sector demonstrates to be uncommonly fragile against malicious attackers, due to its several and clear cyber deficiencies. It’s possible to get into the issue with the help of some statistics. It seems that cybercriminals don’t prefer anymore to target banking and financial institutions, turning out to healthcare organisations. IBM Cybersecurity Intelligence Index reported that only in 2015 there were at least 100 million EHR that got breached.
Five on eight of the biggest data breach since 2010 happened in 2015. A study of Solutionary showed that in 2016, 88% of ransomware in the US had healthcare as a target. A study conducted by Ponemon Institute stated that the estimated cost of the data breaches is around 6.2 billion. According to Trapx Lab, Banner Health had the biggest data breach that involved 3.7 million patients circa. One could notice that there are no statistics that refer to lethal medical devices’ hacking. Most of the attacks are ransomware or data theft.
The most notable example of attack against the healthcare industry is given by the WannaCry ransomware that paralyzed UK NHS services. Some hospitals got back to paper and pen for days, reducing healthcare services in certain zones of the country. Another major attack was suffered by the Presbyterian Hospital in Los Angeles, which was forced to pay a ransom in order to get back private health care data, stolen by cyber criminals. This is not fictitious, this is reality and it shows how the hospitals can be violated successfully by cyber-attacks.
The attacks didn’t endanger directly people’s life. Despite all, they are sending a clear red alarm: hospital infrastructure is fragile and can be hacked easily. What will happen when cyber-attackers will target a machine that keeps a specific person alive? Or an insulin pump? What will happen if an untargeted attack will hack all the insulin pumps into a hospital?
Is not a dystopian future, because there are clear pieces of evidence that this can really happen in the future. Researchers successfully hacked medical devices, panicking both industry and patients. The healthcare officials must understand that this issue can’t be faced only inside IT departments, but they need a holistic approach to tackle it. These are questioning that policymakers, both from national security department and healthcare, vendors and healthcare officials must ask themselves. They must acknowledge that they are not dealing with something impossible.
The more optimistic point of view, very naively, believes that criminals or terrorists can be stopped by some sort of ethical values. This could be a possibility, but it can’t be taken for granted. Joshua Corman, founder of “I am The Cavalry”, stated: “People who say 'oh but no one would ever do that' fail to understand that on the internet, every sociopath is your next door neighbour”. He added: "I am increasingly uncomfortable relying on the kindness of strangers everywhere on the planet." The danger is real and needs to be acknowledged and tackled.
© 2019 De Angelis & Associates.