Is Your MRI Machine a Hacking Conduit?

Information technology hackers aren’t just attacking websites and networks anymore. Increasingly, they are attacking the “Internet of Things”: devices linked to the Internet, such as an MRI diagnostic imaging machine in a hospital.

In a new health care cyberthreat report from SANS Institute, which offers cybersecurity training, certification and research, the organization predicts that the health care and pharmaceutical sectors will be among the industries experiencing the highest level of attacks involving “things.” Compared to traditional I.T. systems, “incidents involving things,” such as a hacked MRI machine, “can carry physical consequences as well as policy and financial impacts,” according to the firm. “Virtually all software, applications, systems and devices are now connected to the Internet. This is a reality that cybercriminals recognize and are actively exploiting.”

SANS notes that research by Ponemon Institute shows that 94 percent of surveyed medical institutions have suffered a cyber attack. “Now, with the push to digitize all health records, the emergence of and an outpouring of electronic protected health information being exchanged online, even more attack surfaces are being exposed in the health care field,” according to the SANS report.

Alarming Results

Using threat intelligence from cybersecurity firm Norse Corp. in St. Louis, which collects and analyzes real-time, high-risk Internet traffic, SANS found that medical devices, conferencing systems, Web servers, printers and even security systems such as cameras in health care facilities are being exploited by hackers. “The data analyzed was alarming,” report authors contend. “It not only confirmed how vulnerable the industry had become, it also revealed how far behind industry-related cybersecurity strategies and controls have fallen.”

The Norse intelligence data that SANS analyzed was collected between September 2012 and October 2013. It covered large and small provider organizations, business associates, claims clearinghouses, insurance companies and pharmaceutical firms. The sample data found 49,917 unique malicious events, 723 unique malicious source IP addresses and 375 compromised health care organizations based in the United States. Many of the organizations took months to detect their compromised positions or never did.

Provider organizations in the sample data accounted for 72 percent of malicious traffic, followed by business associates (9.9 percent), insurers (6.1 percent), clearinghouses (0.5 percent), pharmaceutical (2.9 percent) and other related health entities (8.5 percent). “The sheer volume of IPs detected in this targeted sample can be extrapolated to assume that there are, in fact, millions of compromised health care organizations, applications, devices and systems sending malicious packets from around the globe,” SANS concludes in the report. Provider organizations in the sample data included hospitals, physician practices, dentists, nursing homes, psychologists, chiropractors and pharmacies, among others.

High Price

The cost of a major breach can be astronomical, according to SANS. Health insurer WellPoint in mid-2013 paid a $1.7 million fine to the HHS Office for Civil Rights and agreed to a resolution agreement after a breach made protected health information on more than 612,000 individuals viewable between Oct. 23, 2009, and March 7, 2010. But total costs of the breach for recovery, legal costs, new investments and providing credit protection services hit $142,689,666, according to SANS. Asked for comment on the costs of the breach, a WellPoint spokesperson said report authors did not contact the company for input and "the financial impact of the incident referred to in the report is a fraction of what is suggested."

The SANS report doesn't break new ground, but helps to focus organizations on widening their scope of protection, says Kate Borten, president at Marblehead Group, a Marblehead, Mass.-based health information technology security consultancy. "We know what the issues are, we just aren't doing it," she adds.

For instance, organizations are looking at network security more closely than before, but they are not looking as closely at non-traditional information technology equipment such as printers, Borten says. And while organizations are more attentive to inbound filtering to catch malicious activity, they aren't as attentive to outbound filtering to make sure malicious stuff isn't being sent to others.

Overall, Borten gives the report mixed reviews. Web app security is a huge issue and isn't strongly touched on, she says, and in some areas the report discounts the complexity of provider organizations and oversimplifies the challenges they face.

The SANS report is available here; brief registration is required.
