A new investigative report issued by TrapX Security joins a flood of recent news items highlighting the alarming gaps in cybersecurity at hospitals and other medical facilities. “Anatomy of an Attack - Medical Device Hijack 2,” a follow-up to a similarly titled release in 2015, details the efforts undertaken by cyber criminals to infiltrate digital records via complex but commonplace medical equipment.

Moshe Ben Simon, TrapX Security co-founder and vice president, notes the extent of the problem has only increased since the publication of the initial report. In a release, he says, “The onslaught of medical-device hijack attacks is accelerating, and it’s becoming increasingly more challenging for hospitals to detect and prevent them.” “Anatomy of an Attack - Medical Device Hijack 2” is available for download at the TrapX Security website.

To illustrate the growing dilemma, the report cites data from IBM that finds healthcare last year outpaced financial services and manufacturing to become the sector most frequently targeted by cyber criminals.

(Image source: IBM X-Force Research infographic)

In a somewhat surprising discovery, the TrapX Security report finds that one tactic used by cyber criminals involves deploying older malware whose exploits target vulnerabilities long since patched in current versions of Windows. Because that malware is inert on an up-to-date machine, the security software installed there often does not flag it, effectively allowing the intruder to pass through the modern perimeter and seek out devices still running dated, unpatched operating systems. In one of the case studies, for example, the malware eventually took root in a radiation oncology system that still ran Windows XP.

The case studies included in the TrapX Security report focus on hospitals that take cybersecurity seriously, employing well-established best practice approaches and working hard to instill and maintain institutional cultures built on careful protection of digital information. Another study released almost concurrently provides a stark reminder that not every facility takes such care, largely because doing so can conflict with the primary healthcare mission.

Bearing the provocative title “Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?,” the work of researchers Ross Koppel, Sean Smith, Jim Blythe, and Vijay Kothari finds a shockingly lax approach to the most basic tenets of cyber security.

In the report’s estimation, the problem is less a case of dueling priorities between technology officers and medical practitioners and more a fundamental misunderstanding of what each group needs in order to do its job correctly. The authors note that those charged with maintaining the security of hospital systems “did not sufficiently consider the actual clinical workflow.” The report further concedes that the problem goes both ways: “Equally important, circumvention of cybersecurity is seldom examined by those concerned with workflow, HIT usability, barriers to teamwork, thought-flow, or user frustration.”

The more layers of security are put into the equipment, the more likely medical personnel are to create workarounds that let them bypass those steps. At the core, there is a wholly understandable and even admirable reason for that: even apart from emergency situations, slowing down to follow cybersecurity protocols can have deadly consequences.

Besides getting in the way of needed expediency, the protections built into technology in the average medical facility can trip up staff in other ways. One of the major and yet commonly overlooked issues identified in the “Workarounds” report is what it calls the “deauthentication problem.” If a user fails to log off a system when they are done with it, the session remains open under that user’s identity: private patient data can be accessed, and whoever next touches the terminal acts in the previous user’s name. Perhaps more dire, the report gives the example of “physicians ordering medications for the wrong patient because a computer was left on and the doctors didn’t realize it was open for a different patient.”

If safeguards are put in place to force sessions to close after a set idle period, thereby preventing inadvertent open access, the solution can create new problems. In the report, one physician complains of a dictation system that automatically logged the user out after five minutes, requiring re-authentication to continue. The physician estimates that as much as 90 minutes of a 14-hour shift is devoted to grappling with this facet of the device. This is surely the sort of thing that contributes to physicians feeling increasingly burned out by their required interactions with computers.

Computers aren’t departing the clinic anytime soon. And the surge in cyber attacks likely promises greater scrutiny of how medical facilities protect against them, especially since HIPAA regulations add a whole other level of concern, an aspect of the broader situation that legislators are just beginning to examine.

By one estimate, over 11,000,000 patient records were compromised in the month of June alone. There’s sure to be added pressure on organizations to shore up digital weaknesses in the wake of increasingly high-profile cases, such as the recently announced medical data breach impacting over 4,000 patients at Massachusetts General Hospital or the hacker who claims to have pilfered millions of records, subsequently offering them for sale online.

Beyond the PR nightmare, there is a huge financial risk in allowing vulnerabilities to persist, as evidenced by the $650,000 settlement Catholic Health Care Services of the Archdiocese of Philadelphia recently agreed to pay following a breach of a comparatively modest 412 patient records.

Even though medical facilities must be cautious as they seek out and implement cybersecurity solutions, it is undeniable that aggressive steps are required, from software bulwarks to smart internal policies. With every new headline recounting an attack on medical records, that need for action becomes yet more clear.