Hospitals must take steps to significantly bolster their cyber defenses as insufficiently protected interconnected medical devices expose them to unrelenting attacks amid the pandemic, an executive from Israel's Check Point cybersecurity company said Thursday.
In his speech at a CybertechLive event titled Cybersecurity for the Healthcare Sector, Itzik Feiglevitch, who is in charge of IoT cybersecurity solutions, said the significant vulnerabilities could even put lives at risk. Check Point was a sponsor of the online conference.
"Those devices are highly vulnerable devices. Those devices are very easy to hack into. And those devices create a huge attack surface for cyber criminals to come and to hack into the hospitals' networks," he said. "A successful cyberattack against a hospital can even kill someone. We're talking about a highly vulnerable environment."
A major issue with the devices is that many run outdated software and legacy operating systems. Feiglevitch said some have had the same operating system for 15 years or even 20 years. "I've personally seen a device in one of the hospitals that still runs Windows 95," he said.
However, there can be many limitations that prevent those issues from being fixed. For example, the Check Point executive said, the software inside those devices cannot be changed; they need to function 24/7; every change requires a long, complicated and expensive medical recertification process; and many of the devices are unmanaged, meaning that even though they are connected to the network, hospitals don't have any way to control them, view them or set a policy for them.
In addition, Feiglevitch noted that hospitals are faced with complex networks, insufficient cyber threat awareness among medical teams, and a large number of visitors who can walk freely through the facilities and possibly access the different devices.
"But probably the most disturbing thing is that the hospital environment is very attractive for cyber criminals. And this is because, first of all, it is quite easy to hack into the hospital network. And once you're inside, you have a great opportunity to gain significant profit. And you can get this profit from ransomware attacks and by stealing medical records," he pointed out.
It is estimated that more than two-thirds of the health care providers in the US are exposed to ransomware attacks every year. In the US, according to the executive, more than 35 data breaches are reported every month among health care providers. Feiglevitch said "medical records are worth a fortune in the dark web. The average cost, the average price for medical records is $250. And of course you can find complete databases with thousands and tens of thousands of records."
To demonstrate the vulnerabilities of connected devices, he gave the example of an ultrasound machine that was brought to Check Point's labs in order to try to hack into it. Due to the machine's outdated operating system, Windows 2000 with no security patches, it only took Check Point's staff a few minutes to hack into it. They managed to not only get access to medical records inside the hard disk but also to traffic from the machine to the server, he said.
But according to Feiglevitch, despite the cyber risks, simply replacing such a machine is not an option for many hospitals due to budget and operational considerations. As long as the machine works well, many would prefer to keep using it.
The executive also mentioned an infusion pump that, one of Check Point's partners discovered, can be hacked into and manipulated remotely to change the dose being injected into the patient. "The monitor of the infusion pump will show that everything is normal. So think about it. You actually can kill someone by doing so," he said.
When Check Point set up a team to find a solution for such vulnerabilities in interconnected medical devices, its first goal was to prevent unauthorized access and malicious intent from reaching the devices, Feiglevitch said. "In simple words, if someone tries to communicate with the medical device but he is not authorized, we should block this communication. If he's trying to communicate with the device using the wrong protocol or the wrong application, we should block this communication. And if malicious traffic tries to reach a medical device, we should block it before it reaches the device itself."
The team's second goal was to identify any infected devices among the huge number of connected medical devices inside the networks, and isolate them so they do not compromise others, he said.
Thus, according to Feiglevitch, Check Point developed a solution that consists of three components: a discovery engine that monitors all hospital network traffic and identifies and classifies all the devices; the utilization of Check Point's security management system to specify exactly what the devices can and cannot do within the network, based on each device's attributes; and enforcement of the policy in the network using security gateways, preventing malicious traffic from entering the network, preventing lateral movement between the different devices, and providing extra protection to devices at high risk.
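The blocking rules Feiglevitch describes (unauthorized peer, wrong protocol, isolating infected devices, no lateral movement) amount to a default-deny policy keyed on device class. The sketch below is an added illustration, not Check Point's code; the addresses, device classes, ports and function names are constructed assumptions, and content inspection for malicious traffic is not modeled.

```python
from dataclasses import dataclass

# Constructed inventory, standing in for the output of a discovery engine
# that has classified each address by device type.
DEVICES = {
    "10.20.0.11": "ultrasound",
    "10.20.0.12": "infusion_pump",
    "10.20.0.13": "infusion_pump",
    "10.10.0.5": "pacs_server",
    "10.10.0.6": "pump_server",
}

# Allowlist of (source class, destination class, protocol, port).
# Everything not listed is denied, which also blocks device-to-device traffic.
ALLOWED = {
    ("ultrasound", "pacs_server", "tcp", 104),    # assumed imaging transfer port
    ("infusion_pump", "pump_server", "tcp", 443),  # assumed management channel
}

# Devices flagged as infected are cut off in both directions.
QUARANTINED = {"10.20.0.13"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def decide(flow, devices=DEVICES, allowed=ALLOWED, quarantined=QUARANTINED):
    """Return (verdict, reason) for one flow under the default-deny policy."""
    if flow.src in quarantined or flow.dst in quarantined:
        return ("block", "quarantined device")
    # Unmanaged or visitor hosts never match an allowlist entry.
    src_cls = devices.get(flow.src, "unknown")
    dst_cls = devices.get(flow.dst, "unknown")
    if (src_cls, dst_cls, flow.proto, flow.port) in allowed:
        return ("allow", f"{src_cls} -> {dst_cls}")
    # The pair is known to talk, but not over this protocol or port.
    if any(a[0] == src_cls and a[1] == dst_cls for a in allowed):
        return ("block", "wrong protocol or port")
    return ("block", "peer not authorized")
```

A flow from an address the inventory does not know falls through to "peer not authorized", which is the behavior the unmanaged-device and walk-in-visitor concerns call for.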