By ECRI
For the second year in a row, cyber threats top ECRI Institute’s annual Top 10 list of health technology hazards. Last year, the organization addressed the risks from ransomware and other malware, broadly examining the challenges that health care organizations face. For this year’s list, ECRI focused more narrowly on one key area of vulnerability: systems that allow remote access to a health care organization’s network.
Each year, ECRI Institute produces its “Top 10 Health Technology Hazards” report to help hospitals direct their time and energy toward technology management activities that can have the greatest impact on patient safety. The list identifies 10 topics that warrant priority attention. The accompanying report, available to the organization’s members, details practical steps that health care organizations can implement to reduce the risks.
It’s little surprise that cybersecurity remains at the top of the priority list for 2019. A successful attack can have far-reaching effects, potentially disrupting health care operations and putting patients at risk.
Remote Access: A Key Vulnerability
Many networked devices and systems incorporate remote access functionality. This capability allows off-site clinicians to access clinical data, for instance, and it allows vendors to troubleshoot systems installed at the facility. While intended for legitimate business needs such as these, remote access systems can instead be exploited for illegitimate purposes.
Hackers target unmaintained and vulnerable remote access systems to infiltrate an organization’s network. Once they gain access, attackers can move to other connected devices or systems, installing malware, stealing data or rendering it unusable, or hijacking computing resources for malicious purposes.
For instance, the SamSam hacking group has exploited remote desktop protocol (RDP) connections to gain entry into organizations’ networks for the purposes of spreading ransomware – malicious software programs that encrypt a system’s data, rendering it inaccessible and thereby crippling the system until a ransom is paid. Hospitals, EHR vendors and laboratory testing companies are among the many organizations that have been affected by such attacks. Published reports place the cumulative costs to affected organizations in the millions of dollars.
“Remote access hacks have increasingly become the attack vector of choice,” notes Chad Waters, senior cybersecurity engineer in ECRI Institute’s Health Devices Group, “but damage can extend well beyond the point of attack.” The infamous 2013 Target hack provides a case in point: Stolen credentials from an HVAC vendor reportedly provided the entry point for the attack that ultimately exposed the payment and personal information for millions of the retailer’s customers.
Failing to configure a network with proper security controls – such as the use of VLANs and network segregation, when appropriate – can leave remote access systems vulnerable to attack. Other risky practices include granting requestors a higher level of access than is required for the task to be performed, or neglecting to terminate the requestor’s access once the task is completed.
Cybersecurity as a Patient Safety Concern
“In the health care environment, cybersecurity threats are not just a business consideration, they are a critical patient safety concern,” stresses Juuso Leinonen, a senior project engineer in ECRI Institute’s Health Devices Group. “A successful attack can profoundly impact an organization’s ability to provide effective patient care.”
Indeed, the consequences of an attack can be widespread: Systems that administer patient care may become inoperative. Data dictating patient care may be altered or unavailable. Systems that support health care operations – such as financial, scheduling or communications systems – may be taken offline. All of these can affect an organization’s ability to deliver timely patient care, creating the potential for harm.
Additionally, protected health information (PHI) or other confidential data that is stored on an affected system could be accessed by, and potentially distributed to, unauthorized parties.
ECRI Institute’s Recommendation: Be Proactive
ECRI Institute recommends that organizations take the following steps to strengthen their defenses against remote access attacks:
Take inventory of all remote access systems deployed within your organization. Know which systems allow remote access from outside, and which initiate remote access from the inside, and validate the business purpose for every remote connection.
Implement policies to approve and govern remote access. Select a limited number of standard remote access methods that will accommodate the majority of use cases. When the needs of a specific project cannot be addressed using one of the organization’s standard remote access options, audit the security of the proposed method and clearly document the internal and external stakeholders for the project, as well as the maintenance plan.
Adhere to recommended cybersecurity practices. Examples include: keeping all remote access systems and all security infrastructure maintained and patched, logging all access and security events, deploying two-factor or multifactor authentication to protect against compromised passwords or brute-force attacks, isolating remotely accessible systems from the rest of the network, locking down outbound traffic on firewalls, and changing default passwords on vendor devices.
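The three steps above (inventory, governance, recommended practices) and the risky practices noted earlier (over-privileged access, access that is never terminated, unsegmented networks) can be turned into a repeatable check once the inventory exists. The script below is an added example, not ECRI's code or part of its report: it audits a constructed remote access inventory against those practices. The record fields, the list of approved methods, the 90-day patch threshold and the VLAN names are assumptions chosen for illustration; a real organization would substitute its own policy values.

```python
"""Audit a remote access inventory against the practices recommended above.

Added example; not ECRI's code. The inventory format, the approved-method
list, the patch-age threshold and the VLAN names are assumptions, and every
inventory entry below is constructed for illustration.
"""
from datetime import date

# Constructed inventory: one record per remote access path into or out of the network.
INVENTORY = [
    {"system": "imaging-pacs-01", "method": "vpn-mfa", "direction": "inbound",
     "purpose": "radiologist after-hours reads", "mfa": True, "vlan": "clinical-remote",
     "default_creds": False, "last_patched": date(2019, 1, 10),
     "access_expires": date(2019, 6, 30), "granted": "user", "required": "user"},
    {"system": "lab-analyzer-07", "method": "rdp-exposed", "direction": "inbound",
     "purpose": "vendor troubleshooting", "mfa": False, "vlan": "flat",
     "default_creds": True, "last_patched": date(2018, 3, 2),
     "access_expires": date(2018, 9, 1), "granted": "admin", "required": "admin"},
    {"system": "hvac-controller", "method": "vendor-agent", "direction": "outbound",
     "purpose": "", "mfa": True, "vlan": "facilities", "default_creds": False,
     "last_patched": date(2018, 12, 1), "access_expires": None,
     "granted": "admin", "required": "user"},
]

APPROVED_METHODS = {"vpn-mfa", "vendor-agent"}  # the organization's standard options (assumed)
MAX_PATCH_AGE_DAYS = 90                         # assumed threshold for "maintained and patched"
FLAT_VLANS = {"flat", "default"}                # VLAN names meaning "not isolated" (assumed)
PRIVILEGE_RANK = {"user": 1, "admin": 2}        # assumed ordering for least-privilege check


def audit_entry(entry, today):
    """Return the list of policy findings for one inventory record."""
    findings = []
    if not entry["purpose"]:
        findings.append("no documented business purpose")
    if entry["method"] not in APPROVED_METHODS:
        findings.append("non-standard method %r needs security review" % entry["method"])
    if not entry["mfa"]:
        findings.append("no multifactor authentication")
    if entry["vlan"] in FLAT_VLANS:
        findings.append("not isolated from the rest of the network")
    if entry["default_creds"]:
        findings.append("default vendor password still in use")
    if (today - entry["last_patched"]).days > MAX_PATCH_AGE_DAYS:
        findings.append("patch level older than %d days" % MAX_PATCH_AGE_DAYS)
    expires = entry["access_expires"]
    if expires is None:
        findings.append("access has no expiry; standing access should be time-boxed")
    elif expires < today:
        findings.append("access expired on %s but has not been terminated" % expires.isoformat())
    if PRIVILEGE_RANK[entry["granted"]] > PRIVILEGE_RANK[entry["required"]]:
        findings.append("granted %s but task only requires %s" % (entry["granted"], entry["required"]))
    return findings


def audit_inventory(inventory, today):
    """Map each system name to its findings."""
    return {e["system"]: audit_entry(e, today) for e in inventory}


def worst_first(inventory, today):
    """System names ordered by number of findings, most findings first."""
    report = audit_inventory(inventory, today)
    return sorted(report, key=lambda name: (-len(report[name]), name))


if __name__ == "__main__":
    as_of = date(2019, 2, 1)  # constructed audit date
    report = audit_inventory(INVENTORY, as_of)
    for name in worst_first(INVENTORY, as_of):
        print(name, "-", "clean" if not report[name] else "")
        for finding in report[name]:
            print("   *", finding)
```

Running the script with the constructed data flags the exposed RDP path on the lab analyzer on six counts (non-standard method, no MFA, flat network, default password, stale patching, expired but still-active access), the HVAC vendor connection on three (no documented purpose, no expiry, more privilege than the task needs), and reports the MFA-protected VPN path as clean. Ordering the output by finding count is what lets a small team direct its time toward the paths that matter most.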
ECRI Institute’s full report details these and other protective measures.
“It’s vitally important that you identify, protect, and monitor all means of remote access,” advises Waters. “The bad guys are looking for your organization’s remote access vulnerabilities. You need to look for them too … and find them first.”
Stay tuned for the next issue of TechNation, where more hazards from the list are uncovered.
This article supplements ECRI Institute’s 2019 Top 10 Health Technology Hazards report. An Executive Brief of the report can be downloaded from ECRI Institute as a free public service. The full 2019 Top 10 Health Technology Hazards Solutions Kit, which includes detailed problem descriptions and recommendations for addressing the hazards, requires membership in ECRI Institute programs. For more information, visit www.ecri.org/2019Hazards, or contact ECRI Institute by telephone at (610) 825-6000, ext. 5891, or by e-mail at clientservices@ecri.org.