Assassination by hacking medical devices, fomenting geopolitical instability by sabotaging infrastructure and stealing research, and holding patient data for ransom are just some of the ways in which healthcare is vulnerable to cyber attacks.
Cyber attacks are on the rise across the board during the COVID-19 pandemic, and attacks on healthcare infrastructure by both state and non-state actors can be devastating to society.
When the Internet of Things (IoT) first made its way into healthcare, it promised better interoperability, flexibility, and convenience for patients and providers, but with it also came serious cybersecurity vulnerabilities.
To provide better insights on healthcare IoT vulnerabilities, The Sociable caught up with three intelligence analysts and cybersecurity experts from threat intelligence consulting company Wembley Partners before they were to speak at the second annual Healthcare IoT (HIoT) Summit taking place virtually on Tuesday.
Here, cybersecurity digital warriors Richard Staynings, Martyn Gill, and an analyst who wished to remain anonymous following the publication of this article, break down how vulnerable the healthcare industry is to cyber attacks, what sorts of havoc hackers can wreak upon their victims, and who benefits from stolen COVID-19-related research.
Healthcare facilities themselves are vulnerable to cyber attacks that can manipulate or bring down critical life saving devices.
From a cybersecurity perspective, the healthcare industry is largely under-funded and constantly under attack, according to Staynings, who is the Chief Security Strategist at HIoT company Cylera and a board member of Wembley Partners.
“The network has grown from the citadel model of healthcare delivery 10 years ago to one of firewalls that are like Swiss cheese essentially, with the number of holes that are punched into them,” said Staynings.
And there are many insidious ways in which hackers can make Swiss cheese out of healthcare cybersecurity defenses, especially in the realm of IoT.
For example, if state-sponsored hackers or a criminal organization were to gain access to a medical device used by a high-profile target, the hackers could simply switch it off and assassinate their target. Staynings provides many scenarios in which something like this could happen.
“We’re talking about cyber assassination. You no longer need to be MI6 and issued a Walther PPK in order to assassinate someone; you just need to gain access to the medical devices that are keeping that individual alive,” he said.
“What would happen if the airflow were to stop, or were to be reversed in a hospital emergency room or COVID ward, so that patients were spreading the disease throughout the building versus being evacuated out through the roof?
“What would happen if elevators stopped working because they were attacked and patients could no longer be moved from floor to floor?
“What would happen if there were a mass attack against a network connecting infusion pumps, or X-ray machines were compromised?” Staynings postulated.
As a real world example, former US Vice President Dick Cheney had the WiFi disabled on his pacemaker because he feared a terrorist attack on his life.
IoT-linked devices in hospitals and clinics are one area where cyber criminals can poke mortally-wounding holes in cybersecurity, with the results leading directly to patient death.
Attacks on healthcare infrastructure and stealing patient data
But according to the analyst who wished to remain anonymous, medical devices that are directly connected to the patient aren’t the only part of healthcare IoT that remains vulnerable to attack.
“It is a common misconception to consider healthcare IoT to be just healthcare devices like pacemakers and wearables, but inside hospitals we see all kinds of devices that are being affected by attacks,” said the analyst.
“We’re talking about network switches and printers that are not directly connected to patient health, but they’re still critical to the workflow of providing medical care.”
These types of disruptions can make patients miss their appointments, or put hospitals in a panic because they can’t access any of their data and operations are disrupted.
“Last year, 48% of all security breaches in Canada were in the healthcare industry,” explained the anonymous analyst, adding that the real victims are the patients.
Stolen patient information can be used for fraud or impersonation, or held hostage in ransomware attacks, depending on the hacker’s motives.
Non-state healthcare IoT hackers are mostly motivated by money and are not out to physically harm patients, but rather to steal their data for ransomware, because “health data can fetch a higher price than credit card numbers.”
“The primary reason healthcare is targeted is because a lot of healthcare information cannot be changed easily,” the analyst said, and it makes sense if you think about it.
If your credit card information is hacked, you can cancel it and get a new number. It’s a bit more difficult when your medical records are hacked because you can’t really change the fact you have an allergy or have a certain blood type — that sort of information tends to stay constant over time.
Oftentimes, patients aren’t even aware that they’ve been compromised, and they are the ones that truly suffer from these attacks.
“There’s a lot of focus that needs to take place around cybersecurity in healthcare because there is a patient safety concern here,” Staynings added.
“This is more than just cybersecurity; it’s about ensuring that we as patients are not harmed or inadvertently put at risk due to a lack of security controls.”
But there are other nefarious motivations for hackers to exploit healthcare data, especially state-sponsored hacking of research related to COVID-19 with major geopolitical consequences.
Geopolitical motivations behind stealing COVID-19 research
State-sponsored hackers seek to cause market manipulation by targeting major healthcare organizations with a cyber attack, including intellectual property (IP) theft related to COVID-19 research.
You may be thinking, who cares if COVID-19 research is being stolen? Shouldn’t this research be shared with everybody anyway in order to eradicate the virus in the quickest way possible?
And the answer would be, yes, a solution could be developed more rapidly, but then whoever gets to it first will dictate and control the global market share, create a monopoly, and set international standards.
“Geopolitically, it gives the country who gets there first massive leverage in pushing just about any kind of agenda on other countries, considering that the crisis is global,” said the anonymous analyst.
“It virtually grants them early market entrance and essentially a monopoly in setting the prices, so there’s a massive financial benefit to that as well.
“And last but not least, there’s reputation. Needless to say, this would be a massive breakthrough, so whichever country gets there first, they will enjoy major benefits.”
Would you trust the Chinese Communist Party with your life or those of your loved ones?
Do you believe that after all pro-democracy crackdowns, all the reports on the mass imprisonment and sterilization of ethnic groups, and all the lies told in covering up responsibility for the pandemic, that the Chinese government would have your best interest at heart?
The slipperiness of trying to hold bad actors accountable
If we know that all this hacking is going on, and that it compromises national security, the economy, and the health of all citizens, is there any way we can hold bad actors accountable?
Nothing in the intelligence business is black and white.
It’s a bit like a Game of Thrones scenario where every faction has their own interests, and so they forge alliances here, conduct sabotage there, and all the while stage their next false flag scenarios.
“It’s so difficult to attribute attacks to a certain country. You see so many false flags,” Wembley Partners Managing Partner Martyn Gill told The Sociable in the same discussion with Staynings and the analyst.
He added that last year Russian actors used Iranian infrastructure to carry out an attack, so it looked like it was an Iranian state-sponsored attack, but in reality it was the Russians.
America’s own CIA is perfectly capable of these types of false flags, too, as documented by WikiLeaks back in 2017.
WikiLeaks’ release of Vault 7 “Marble” revealed that the CIA could cover its hacking tracks by implementing a secret anti-forensic malware named Marble that was capable of faking cyberattacks from other countries.
Gill reiterated how difficult it is to filter through the noise and the false flags, saying that “if you get it wrong, you’re going to get it really wrong if you point the finger at the international level.”
Gill and Staynings will share their knowledge and experience at the upcoming Healthcare IoT Summit.
The Healthcare IoT Summit
Taking place Tuesday, July 14 with limited virtual attendance, the second annual HIoT Summit is designed to foster care, collaboration, innovation, and safety for the future of patients and their medical devices.
“We have assembled the best minds in the space together to share their thoughts, and to offer their advice to attendees,” said Staynings.
“At the end of the day, healthcare is more than just a business. It’s about ensuring the safety and longevity of you, your family, and your friends.”
During the event, CIOs, CMIOs, CISOs, and experts from leading healthcare and security organizations will discuss:
- The latest in cyber threats facing healthcare providers
- Trends in balancing patient safety and digital risk
- How telehealth is changing the risk profile
- Best practices for medical device and IoT security
- Aligning business objectives to security maturity
At the end of the day, said the analyst, “It’s not just about cybersecurity, it’s about fighting the good fight.
“We’re very much looking forward to the conference and contributing to awareness on the topic.”
Editor’s Note, September 9, 2020: A previous version of this story included the name of a third analyst who was interviewed but later wished to remain anonymous following publication. All mentions of this person are now referred to as “the analyst.”