ISE Emphasize Need For Improved Hospital Security Program To Avoid Attacks On Specific Targets
Home  |  Settings  |  Marketing Options  |  About Us  |  FAQs    Join SourceSecurity.com on LinkedIn
REGISTERTerms
Bringing the security industry into focus

ISE Emphasize Need For Improved Hospital Security Program To Avoid Attacks On Specific Targets

Michael Fickes
End User Correspondent, SourceSecurity.com US Edition
 
Comment Now!

Attackers took over a patient monitor and altered the vital signs being displayed, which could alter the treatment program for a patient

ISE’s research shows that healthcare facilities & hospitals security programs
to ward off determined attackers going after specific targets

A well-known security axiom posits that an effective security program can discourage would-be attackers, causing them to move on in search of softer targets. But it doesn’t always work that way.

Take healthcare facilities such as hospitals, for example. Prospective attackers with no particular target in mind may see a well-protected hospital facility and move on in search of another target, just as you would expect.

On the other hand, some healthcare attackers have specific targets in mind, and they will try to get at those targets using all of their digital cunning.

According to Geoff Gentry, Director of Healthcare with Independent Security Evaluators (ISE), a security-consulting firm, healthcare facilities and hospitals in particular lack security programmes that can ward off determined attackers going after specific targets.

Stealing Or Altering Medical Records

“An adversary targeting a specific facility will spend the time and resources necessary to ensuring a successful attack,” Gentry says. “Imagine, as a hypothetical example, a celebrity undergoing treatment in a hospital. Attackers might want to acquire and release the celebrity’s medical records — in order to embarrass him or her.

“They would break into the hospital information technology network and search for specific files. It is more difficult to discourage attackers with specific targets like this.”

Could attackers go after the celebrity patient as well, by corrupting the medical equipment and systems being used in a treatment program? “To our knowledge, no real-world attacks have been reported targeting patient health,” says “Securing Hospitals,” a two-year, research study conducted and financed solely by ISE.

However, the ISE study goes on to say: “Research has shown that medical devices are susceptible to compromise, such as pacemakers, and insulin pumps. Similar attacks have even been demonstrated on simulated patients in a laboratory setting. Though attacks against these systems have only been performed in a research setting, they demonstrate a grave problem. When these or similar attacks are finally exploited in the wild, lives will be lost. In 2015, attacks were documented using medical devices as the pivot onto the hospital’s production network.”

 

Physical access control and video surveillance cameras can support the electronic security systems by ensuring that only authorised people can enter the hospital
Attackers may aim to steal and expose a target’s medical records, or
even alter them to interfere with their treatment

The Vulnerability Of Specific Targets

“Securing Hospitals” also reports successful demonstration attacks by researchers in field settings that might have killed or at least harmed patients had malicious hackers been behind them.

In one case, for instance, attackers took over a patient monitor and altered the vital signs being displayed, which could alter the treatment program for a patient.

In another scenario, attackers manipulated the flow of medicine and blood samples, causing the delivery of the wrong medicines and dosages.

The booklet reports several other scenarios and notes that: “The examples listed above represent a small fraction of the attack scenario possibilities that could result in the injury or death of a hospital patient.”

What Can A Hospital Do?

Pointing to the results of the ISE study, Gentry recommends re-doing hospital security from scratch — starting by resetting priorities. “What is the worst thing that can happen in a breach?” he asks. “Patients can die. Patients are the real assets that need protecting.”

“Hospitals are inclined to focus on health records first, but the priorities should be patients first and then records. If you think first about securing the safety of patients, I think you will develop a better overall security program.”

When patient security comes first, continues Gentry, administrators tend to work on securing online medical devices, equipment and systems from digital attackers.

In addition, physical access control and video surveillance cameras can support the electronic security systems by ensuring that only authorized people can enter the hospital.

Once electronic and physical access can be controlled and managed, hospitals will be much more securely protected than they are today.

Michael Fickes
End User Correspondent, SourceSecurity.com US Edition

Download PDF Version

Follow us for latest editorial and commercial opportunities
People mentioned in this article

Geoff Gentry
Geoff Gentry


Please rate this article


Related videos
Bookmark and Share
Featured White Paper

The evolution of cards and credentials in physical access

Physical access control has been a key component of many organisations’ security strategies for several decades. Like any technology, access control has evolved over the years, and solutions now offer more security and convenience than ever before. From swipe technologies, such as the now antiquated magnetic stripe, to a variety of contactless technologies and mobile access credentials, businesses now have several choices when it comes to access control.

This White Paper will examine the technologies available today and the bright future of mobile access, as well as clarify why you should ensure that each component of the access control ecosystem is as secure as possible.


See privacy and cookie policy