security, inability to patch cybersecurity flaws in some circumstances, and the volume of problems they have—especially in the long run. One report shows that malware against internet-connected devices (not just medical devices) is up 50% from 2019.9 That being said, they are a unique avenue due to the kinds of flaws they have. For example, the range of flaws in today's internet-connected medical devices is staggering. Take medical imaging devices: 70% of the devices are based on retired operating systems or systems that are under limited support.10 The potential for vulnerabilities is extremely high. In many cases internet-connected medical devices run on Windows XP, which is no longer supported. There continues to be new vulnerabilities found—many of which allow complete compromise of the whole system. Associated with a compromised system is a whole host of risks, including everything from the system not functioning to data being exfiltrated. Either way, these are risks to both patients and to hospitals.
Now let us think about connectivity. Today's world is also much more connected than ever before. Many systems connect back to something referred to as “the cloud.” While I will go into greater depth in later chapters about the cloud, it should be noted here that the cloud aggregates and correlates data in one location. It also comes with a whole new set of risks that adds an extra layer of complexity for IT and cybersecurity teams.
Let's take a ransom in another direction—from a personal perspective. If you had a pacemaker, what would you be willing to pay to save your own life if someone threatened you with turning off the pacemaker? If attackers do not care about the lives of multiple people, they will not care about the life of one person. Attackers typically go for the easiest targets that offer the most reward. If they started targeting the rich who had internet-connected medical implants, that could be a lucrative route going forward. Of course this is not as lucrative as having a hospital pay a ransom.
Risks to Data
What does not often come to mind is the data risk related to internet-connected medical devices. Data can be as potentially deadly a risk as any device. An insulin pump that received the wrong amount of information can potentially kill someone with diabetes. A number of events can cause errors—everything from human error to machine flaws. This too deserves a much deeper dive as the data is far more interconnected than at any point in history, and that interconnection is only going to accelerate with the advent of new internet-connected medical devices.
Some risks are due to existing flaws in medical devices combined with the desire for people to have a better quality of life. For example, diabetics have hacked their own pumps to achieve innovation the manufacturers have not. While many of the devices have been recalled, people have been hurt by insulin overdoses as a result of hacking their own devices.11 Keep in mind that this was with commercial-grade systems that were attacked. These are not systems purchased off the black market.
Not everyone opts for commercially viable solutions. The cost associated with some of these solutions is too high for many to afford. As a result, they go through alternative sources that may not have the strict quality control that the commercial world has. In some cases, unknowingly, people will work with devices that are actually from the black market, such as insulin pumps that may be even less secure because they are not subject to the stronger regulation that exists today.12
While ransomware is taking the spotlight as of late, a host of other attacks are related to internet-connected medical devices. These will be described in greater detail in Chapter 8, but suffice it to say that numerous attacks can be leveraged, many of which could be avoided with sufficient cybersecurity practices. In many of these attacks, the attacker could have complete control of the data on the device. A few of the attacks against connected medical devices are listed in Figure 1-1, but this is far from a complete list. The lesson here is that quite often the vulnerabilities that can physically harm someone can also be leveraged to steal data. Data theft, by far, is much more common than the physical harm that could occur as a result of the internet connection. The stark difference is that the harm of data theft may or may not be known.
Figure 1-1: Example types of attacks against internet-connected medical devices
The vulnerabilities related to internet-connected medical devices are having an impact on organizations, and these weaknesses are not just trivialities. Nuspire, a managed security services provider, put out a few interesting statistics. The first statistic is that “18% of medical devices were affected by malware or ransomware in the last 18 months.”13 That is not a small number. Roughly 1 out of 5 devices have been affected by malware. If there is an average of 15 devices around a patient, roughly 3 of them have the possibility of being infected. Further, that malware can often be used to infect other devices. The other statistic that Nuspire mentioned was that “89% of health care organizations have suffered from an IoMT Related Security Breach.” IoMT is short for internet of medical things. For our purposes, think of IoMT as internet-connected medical devices. That alone is another concerning statistic. It means that the connected medical devices are a serious concern for healthcare organizations. It makes protecting these critical organizations all the more difficult.
If risks to human life are on one end of the spectrum, the other end of the spectrum relates to data risks. Healthcare data is one of the most sought-after data types on the internet. Security reports over the years have shown the value of a healthcare record to be worth anywhere from $10 to $1,000. By contrast, the typical credit card is worth only a few dollars. The reason is that most credit card companies have robust fraud departments that stop fraudulent transactions relatively quickly. After one or more transactions, the card is usually cut off. This is not typically true for health records. The process of detecting problems can take much more time.
From a patient perspective, the associated fraud can be a painful and lengthy road to deal with. Advisory Board, a leader in the healthcare advisory space, had an article that illustrated this quite clearly. A patient's identity was stolen, and the result was $20,000 worth of medical procedures that the victim was responsible for. It kept up over billing cycles, and the perpetrator was eventually caught and jailed, but there are still serious questions about the integrity of the victim's medical files.14 Imagine what that can do to the victim. There may be conflicting information about the health information contained in many hospital records. In a worst-case scenario, this can be life threatening.
From a hospital's perspective, it means that they can lose a great deal, too. They can perform procedures essentially for free because they performed surgery on a misauthorized individual. The victims also have a great deal to do because they have to work through the fraud with the hospitals and the insurance companies—at no fault of their own. Health and Human Services, in conjunction with the Office of the Inspector General, put out a report citing they won or negotiated $2.6 billion dollars in fraud adjustments in 2019. There were 1,060 new criminal investigations in 2019.15 Undoubtedly the numbers are much higher if you consider the cases that were thrown out or were never detected. It takes constant vigilance to detect fraud cases.
The protection of the data related to medical records is absolutely critical. We have only touched the tip of the iceberg
