ICS Security in Healthcare: Why Software Vulnerabilities Pose a Threat to Patient Safety


The deficiency of healthcare cybersecurity is one of the most important threats to the sanctity of the global healthcare industry. This is made evident by the fact that in 2020 more than 18 million patient records were affected by successful cyber-attacks on the U.S. healthcare system.

Health professionals should not take this issue lightly, as financial assets and intellectual property are at risk. Additionally, IT professionals must address healthcare data security issues, i.e., Electronic Health Records (EHRs), while also committing to helping patients overcome the aftermath of healthcare data breaches. In 2021 alone, more than 40 million personal records were breached, and these numbers are increasing.

Let’s see how ICS security vulnerabilities can threaten patient and hospital safety.

The Need for Industrial Control Systems (ICS) in Healthcare Environments

Hospitals routinely deal with high-value sensitive information from patients, doctors, diagnosticians, and other stakeholders. This includes assets with high monetary value like personally identifiable information, patients’ health data, bank accounts, and credit card numbers.

For our well-being, these systems and processes must function optimally at all times. However, if malicious actors gain access to our healthcare ecosystems, a lot could go wrong, from compromised pacemakers and insulin pumps to large-scale data breaches.

Any lack of medical device security can wreak havoc on a healthcare organization. However, the threat often comes from within, in the form of human error, unplanned alterations, and outages, all of which can be dangerous. At the same time, defective software should also get some of the blame. Software vulnerabilities and faulty code on medical devices can endanger patient safety and cybersecurity.

This has led to a greater need for the implementation of Industrial Control System (ICS) security in health care. While “ICS” is an umbrella term that brings to mind factories and utilities, the ubiquity of these devices in health care facilities raises the need for more security in this area.

Strong ICS security for medical devices would enable health care providers to take defensive measures to reduce the risk of exploitation. Best practices include minimizing the exposure of these devices to the network, isolating control systems entirely where possible, and using VPNs for any administrative tasks.

Prioritizing Patient Safety and Protection

Personal Health Information (PHI) is protected by the Health Insurance Portability and Accountability Act (HIPAA), which states that any person’s past, present, and future information provided to a health care provider must be collected, stored, shared, and maintained under HIPAA conventions.

Hospitals need tight cybersecurity, as the U.S. government has warned of new malware attacks on health care systems. These attacks are increasing at an alarming rate, and they pose a severe threat to hospitals and patients by blocking access to critical medical data. In Q3 of 2021, 68 ransomware attacks were carried out against healthcare institutions.

Ransom groups target healthcare more often because they believe that by attacking this industry, they can get money quickly, owing to the urgent need for medical data and the widespread notoriety created by such an attack.

Moreover, cybercriminals also threaten to publish or sell the data online, which is leading to more companies being willing to pay the ransom than ever before. Federal authorities are continually working to educate the healthcare sector about ransomware prevention.

Medical Device Misconfigurations – A Significant Threat to ICS

Ensuring the safety of patients who use medical devices begins with asset management, i.e., registration of all medical IoT devices in a healthcare setting.

It is critical to understand medical IoT security configurations and any vulnerabilities that may compromise patient safety. Misconfigurations, when left unaddressed, can lead to privacy breaches, especially at public database portals. It is all the more important when you consider that many of these devices are old, outdated, and running end-of-life operating systems. It can get very difficult to update device configurations or apply security patches.

Mobile devices have eased access and data sharing, but this has also led to a greater risk of privacy breaches, identity theft, ransomware, and other cyber-attacks. Many healthcare institutions allow login to portals from mobile devices. These mobile devices are not secured or do not follow any security standards. Unsecured devices have a high chance of ransomware, malware, and privacy breach attacks.

Systems that enable medical IoT device administration should be protected with multi-factor authentication and reliable authorization methods in order to gain access.

It is also important to note that hospitals worldwide use medical devices with the default passwords they came with. This is an open invitation for an attacker to take control of devices and manipulate their behavior, putting patient safety at risk.

Additionally, many of these connected medical devices are left with SSH, FTP, and other standard management protocols open for anyone with the means to access them. In fact, sometimes they are even connected to the internet, unprotected and without any firewall to stop access.
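The weaknesses listed above (default vendor passwords, management protocols open or internet-exposed, end-of-life operating systems, administration without MFA or a VPN, no network isolation) are exactly what an asset-inventory audit should flag. The following is an added example, not code from the original article or any vendor; the device records, field names and end-of-life list are constructed assumptions:

```python
"""Audit a constructed medical-IoT asset inventory for the misconfigurations
the article lists. Field names, sample devices and the EOL list are assumed."""
from dataclasses import dataclass, field

# Assumed end-of-life operating systems for this example.
EOL_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}
# Management services that should never be reachable outside the device VLAN.
MGMT_SERVICES = {"ssh", "ftp", "telnet", "http-admin"}

@dataclass
class Device:
    name: str
    os: str
    default_credentials: bool        # vendor password never changed
    internet_exposed: bool           # reachable from the internet, no firewall in front
    open_services: set = field(default_factory=set)
    isolated_vlan: bool = False      # placed on a segregated control-system network
    admin_mfa: bool = False          # management interface requires MFA
    admin_via_vpn_only: bool = False # administrative access only through the VPN

def audit(device: Device) -> list:
    """Return (severity, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    if device.default_credentials:
        findings.append(("critical", "default vendor password still in use"))
    exposed = device.open_services & MGMT_SERVICES
    if exposed and device.internet_exposed:
        findings.append(("critical", f"management services {sorted(exposed)} reachable from the internet"))
    elif exposed and not device.isolated_vlan:
        findings.append(("high", f"management services {sorted(exposed)} open on a shared hospital network"))
    if device.os in EOL_OS:
        findings.append(("high", f"end-of-life operating system: {device.os}"))
    if not device.admin_mfa:
        findings.append(("medium", "device administration does not require MFA"))
    if not device.admin_via_vpn_only:
        findings.append(("medium", "administrative access permitted outside the VPN"))
    return findings

def audit_inventory(devices) -> dict:
    """Map each device name to its findings."""
    return {d.name: audit(d) for d in devices}

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("infusion-pump-07", "Windows XP", True, True, {"ftp", "http-admin"}),
    Device("mri-console-02", "Windows 10", False, False, {"ssh"},
           isolated_vlan=True, admin_mfa=True, admin_via_vpn_only=True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, findings or "no findings")
```

Feeding the checker a real inventory export instead of the constructed list turns it into a repeatable control for the asset-management step the article starts from.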

In many cases, downloading malicious applications and software from unverified and untrusted sources is a major reason for privacy breaches on mobile devices. These attacks can compromise the security of user data within the medical portal or application.

The Cost of Ignoring Cybersecurity for Hospitals

Over 600 ransomware attacks on U.S. healthcare institutions cost more than $21 billion in 2021. Another report estimates the average cost of a healthcare cyber-attack at $6.45 million. Malicious attacks on hospitals cost $4.45 million on average.

Weak and outdated cybersecurity systems can be a major reason for such breaches and financial losses. It is better to invest in new and more reliable technology for cybersecurity than to lose large sums of money in such attacks.

Protect Your Hospital and Healthcare Institutions

Hospitals and medical entities are very attractive targets for malicious actors and cyber attackers. It is essential to protect these institutions’ sensitive data against potential cyber risks. An inability to take the necessary measures, and failure to secure hospital and patient data under HIPAA, can result in penalties and legal action against responsible persons and departments.

There is no denying that the rollout of internet-connected medical devices has been lightning fast, leaving no time for IT experts to automate the management or update processes for these devices.

It is imperative that healthcare service providers take their ICS security seriously, fix or update software as necessary, and move on to real smart devices. These practices can help them manage and mitigate risk in existing infrastructure to ensure that patient privacy and security goals are met.


About the Author: Isla Sibanda is an ethical hacker and cybersecurity specialist based out of Pretoria. For over 12 years, she’s worked as a cybersecurity analyst and penetration testing specialist for several reputable companies – including Standard Bank Group, CipherWave, and Axxess.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
