Field battle tactics for reducing security risks of medical IoT
- by 7wData
IoT devices make our lives easier. For example, smart home technologies can optimise energy consumption conveniently by allowing us to turn household appliances on and off with a touchscreen or remotely with our smartphones.
Likewise, organisations across all industries have also rapidly adopted IoT to improve operational efficiency. However, IoT devices can be one of the weakest links in an IT network.
The healthcare industry is one industry that has moved towards the Internet of Medical Things (IoMT) in a big way.
By some estimates, 87% of healthcare organisations will have adopted IoMT by the end of 2019 and there will be almost 650 million IoMT devices in use by 2020.
Take ultrasound machines, for example. Ultrasound technology has made huge advancements over recent years to provide patients and doctors alike with detailed and potentially lifesaving information. Unfortunately, these advancements have not been matched by the security of the IT environments in which these machines sit, to which they are now connected and within which they transfer images.
Check Point Research recently highlighted the dangers this could pose by getting their hands on an ultrasound machine and investigating what takes place under the hood. They discovered the machine’s operating system was Windows 2000, a platform that, like those in most other IoMT devices, no longer receives patches or updates and thus leaves the entire ultrasound machine and the information it captures vulnerable to attack.
Due to old and well-known security gaps in Windows 2000, it was not difficult for our team to exploit one of these vulnerabilities and gain access to the machine’s entire database of patient ultrasound images.
The Financial Motivation for an Attack
Cyber-attacks on hospitals occur on an almost weekly basis. One example is a ransomware attack on the Melbourne Heart Group, which saw the hospital’s data scrambled by hackers and held to ransom. Other significant attacks include Singapore’s SingHealth, which suffered a massive data breach that saw the Prime Minister’s health records stolen, followed by 1.4 million patient records stolen from UnityPoint a few weeks later. In addition, May 2017 saw the massively disruptive WannaCry attack, which caused 20,000 appointments in the UK’s NHS to be cancelled and over £150 million to be spent on remedying the attack. Interestingly, it was unpatched Windows systems that led to such damage.
However, it is not primarily mass disruption that motivates cybercriminals to target the healthcare industry. Due to the vast amounts of personal information that hospitals and other healthcare organisations store and transfer electronically, these institutions make for attractive targets. This valuable data can be used to obtain expensive medical services and prescription medications, as well as to fraudulently acquire government health benefits. It is no wonder then that this information can fetch as much as US$60 per record on the Dark Web.
Although numerous media reports describe the personal danger of cyber-attacks to patients, the financial damage is far more realistic and is what lies at the heart of cyber-attacks on the healthcare industry.
According to Ponemon’s Cost of Data Breach Study, at US$408 per health record, the healthcare sector incurs by far the highest cost to remedy a data breach. This stands in contrast to the average of US$225 per record paid by other organisations. These costs include fees to investigate and repair the damage caused by an attack, as well as fines, ransoms or any stolen funds themselves. Attacks can also result in a loss of patient records and information, as well as cause long-lasting damage to the health institution’s reputation.
The risk of a cyber-attack on healthcare organisations is huge.