Security experts have billed 2015 as the “year of the health care hack” with increasing numbers of medical systems being attacked by cybercriminals targeting valuable personal data. While cybersecurity is commonly associated with software attacks, the health care sector is finding that the hardware it’s employing to improve patient care is creating backdoors for the criminal element.
The 2014 report “Will healthcare be the next retail?” by Bitsight found that health care and pharmaceutical companies have the worst cybersecurity record among the Standard & Poor’s 500 and are at risk of high-scale breaches.
Cybercriminals tend to fall into three core groups: those who are in it to make money, either by selling data or by blackmailing companies for its return; those in it for the fame; and those in it for political reasons. Whatever the motivation, the cost of cybercrime is growing.
Leaving the Back Door Open
Medical equipment has taken an evolutionary leap in recent years to take advantage of digital age developments. Devices are no longer chained to hospital beds; they can move around a facility, follow a patient home, or even be implanted in a person. Developing equipment to include computer chips, software, wireless technology, and Internet connectivity creates a portal for those wishing to cause trouble.
With the rise of the Internet of Things (IoT), medical devices are “connected,” and not just to the Internet. They are often connected right into a health care provider’s network, establishing a pathway to data that seems otherwise protected.
Medical devices are a stepping stone to access health care networks. A recent report by TrapX revealed three stand-out cases where hospitals were hit by data breaches after medical equipment was infected with malware backdoors, with the malware subsequently moving laterally to infect other areas of the network. TrapX found ransomware, as well as programs like Zeus, Citadel and Conficker, on devices that the hospitals had no idea were present.
At the end of 2014, the U.S. Department of Homeland Security launched an investigation into numerous cases of suspected cybersecurity flaws in medical devices and hospital equipment that officials feared could be exploited by hackers. Equipment under review included infusion pumps and implantable heart devices, the kinds of devices that leave patients at risk of harm if compromised.
The 2015 hacker conference DerbyCon flagged the severity of the situation. It was revealed that there had been 68,000 attempts at hacking critical medical devices, such as MRI scanners, over a six-month period. Fortunately, these were fake devices, or “honeypots,” set up to lure in malicious hackers. This shows the importance of addressing cybersecurity flaws, particularly in devices that leave patients at risk of harm if compromised.
Time to Improve
In the fight to close the backdoor, every measure must be taken to secure the hardware. The U.S. Food and Drug Administration (FDA) has pushed for improved cybersecurity by issuing guidelines aimed at helping medical device manufacturers manage cybersecurity risks as well as “maintain medical device functionality and safety.”
Research by the FDA has also shown that “as patients move to the use of home health care services for recuperation or long-term care, the medical devices necessary for their care have followed them. In 2004, the National Association for Home Care & Hospice reported that more than 7 million people in the United States receive home health care annually.”
To support these goals and ensure cybersecurity, even the battery technology used in medical equipment needs to be taken into consideration.
Powering Security
A lack of hardware-based encryption is causing widespread concern about medical equipment and about the reliability of batteries used in such equipment. Portable medical devices have to be designed to operate without mains electricity/AC power, and so the use of reliable and safe backup-power management systems is a necessity. Devices such as acute ventilators, portable anesthesia workstations and digital radiography panels all need continuous and safe power to protect patient health.
Battery counterfeiting is a problem faced by the medical industry on a scale never before witnessed in the sector. Accutronics has worked hard to tackle this problem, developing the CMX series of smart batteries and chargers. The new range incorporates some innovative features, including SHA-1 hardware encryption.
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the U.S. National Security Agency (NSA). The algorithm is flashed onto the smart battery’s fuel gauge before being sealed in during production. At the same time a software update is made on the host medical device. Upon insertion, the battery is challenged to complete a calculation within 100 ms; if the result matches the one computed by the host device, the battery is genuine; otherwise it is fake and can be rejected.
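As an added illustration (not Accutronics’ implementation, whose key handling and message format the article does not describe), the following Python sketch models the host-side check as a keyed challenge-response: the host sends a fresh random challenge, the fuel gauge answers with SHA-1 keyed by the secret sealed in at production, and the host rejects a pack whose answer is wrong or arrives after the 100 ms window. The key value, the HMAC construction and the class and function names are assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed demo key: in a real pack the key is provisioned into the fuel gauge
# at production and never leaves it. The host holds the same key (or a verifier for it).
GENUINE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CHALLENGE_TIMEOUT_S = 0.100  # the 100 ms response window described above


class SmartBattery:
    """Stands in for the battery's fuel gauge, which answers the host's challenge."""

    def __init__(self, key: Optional[bytes], response_delay_s: float = 0.0):
        self._key = key            # None models a counterfeit pack with no key
        self._delay = response_delay_s  # models a slow or emulated pack

    def respond(self, challenge: bytes) -> bytes:
        time.sleep(self._delay)
        if self._key is None:
            # Without the key the pack can only hash the challenge; that never matches.
            return hashlib.sha1(challenge).digest()
        # Assumed construction: HMAC-SHA1 over the challenge with the sealed-in key.
        return hmac.new(self._key, challenge, hashlib.sha1).digest()


def host_authenticate(battery: SmartBattery, key: bytes = GENUINE_KEY) -> bool:
    """Host side: fresh challenge, timed answer, constant-time comparison."""
    challenge = os.urandom(20)  # new nonce per insertion, so a recorded answer cannot be replayed
    start = time.monotonic()
    response = battery.respond(challenge)
    elapsed = time.monotonic() - start
    if elapsed > CHALLENGE_TIMEOUT_S:
        return False  # too slow: treat as not genuine
    expected = hmac.new(key, challenge, hashlib.sha1).digest()
    return hmac.compare_digest(response, expected)  # avoids timing leaks on the compare


if __name__ == "__main__":
    print("genuine pack:", host_authenticate(SmartBattery(GENUINE_KEY)))
    print("pack with no key:", host_authenticate(SmartBattery(None)))
    print("genuine key but slow:", host_authenticate(SmartBattery(GENUINE_KEY, 0.25)))
```

This is authentication rather than encryption: nothing is kept confidential, and the check is only as strong as the secrecy of the key inside the fuel gauge, not SHA-1’s collision resistance, which a keyed challenge-response does not depend on.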
It’s time to lock the gate and shut cybercriminals out of medical devices by building cybersecurity and encryption into the equipment. Doing this means thinking of every part of the machine, even something as seemingly insignificant as the battery.
Building encryption into the hardware itself will provide the first line of defense against those who would use medical devices to cause trouble, reducing the threat to life and reducing the potentially massive costs of leaving the backdoor unguarded.
Neil Oliver is the technical marketing manager at professional battery manufacturer Accutronics. He has worked in the battery industry for 24 years, providing him with extensive experience and technical knowledge.