Do No Harm
eBook - ePub

Do No Harm

Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States

Matthew Webster



About This Book

Discover the security risks that accompany the widespread adoption of new medical devices and how to mitigate them

In Do No Harm: Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States, cybersecurity expert Matthew Webster delivers an insightful synthesis of the health benefits of the Internet of Medical Things (IoMT), the evolution of security risks that have accompanied the growth of those devices, and practical steps we can take to protect ourselves, our data, and our hospitals from harm.

You'll learn how the high barriers to entry for innovation in the field of healthcare are impeding necessary change and how innovation accessibility must be balanced against regulatory compliance and privacy to ensure safety.

In this important book, the author describes:

  • The increasing expansion of medical devices and the dark side of the high demand for medical devices
  • The medical device regulatory landscape and the dilemmas hospitals find themselves in with respect to medical devices
  • Practical steps that individuals and businesses can take to encourage the adoption of safe and helpful medical devices or mitigate the risk of having insecure medical devices
  • How to help individuals determine the difference between protected health information and the information from health devices, and how to protect your data
  • How to protect your health information from cell phones and applications that may push the boundaries of personal privacy
  • Why cybercriminals can act with relative impunity against hospitals and other organizations

Perfect for healthcare professionals, system administrators, and medical device researchers and developers, Do No Harm is an indispensable resource for anyone interested in the intersection of patient privacy, cybersecurity, and the world of Internet of Medical Things.

Frequently asked questions

Is Do No Harm an online PDF/ePUB?
Yes, you can access Do No Harm by Matthew Webster in PDF and/or ePUB format, as well as other popular books in Technology & Engineering & Biomedical Science.

Information

Publisher
Wiley
Year
2021
ISBN
9781119794035
Edition
1

Part I
Defining the Challenge

If we step back and look at the big picture related to insecure internet-connected medical devices, the concerns are primarily around risks to healthcare organizations and risks to data. Fortunately, there have been very few deaths related to these insecure devices, but as adoption of internet-connected medical devices continues to rise, so will the associated risks. If COVID-19 has taught us one thing, it is that tragedy for some is an opportunity for others. From a cybersecurity perspective, it is important to understand who these actors are, what motivates them, and how we can stop, or at least reduce, the number and effectiveness of these attacks.
Before we can do this, it is extremely helpful to understand why poor security on internet-connected medical devices is such a challenge for IT and cybersecurity practitioners and why the devices have so many challenges to begin with. Looking at poor security as an origin story provides us with the context for understanding how to proceed. The world of IT, and especially internet-connected medical devices, is filled with a complex interrelation of social, technological, and economic challenges. It is important to understand this complex relationship if we are to devise a strategy for best protecting the devices, our hospitals, and the associated data.
As you read the first part of this book, keep the bigger picture in mind in order to more fully understand how we ended up where we are today. We have legal requirements that are not always followed by manufacturers, which creates both challenges and victories for protecting our healthcare, our data, and occasionally our lives.

CHAPTER 1
The Darker Side of High Demand

The road to Hell is paved with good intentions.
—Henry G. Bohn, A Handbook of Proverbs, 1855
“First, do no harm” is commonly attributed to the ancient Greek physician Hippocrates and is often associated with the Hippocratic oath, although the phrase does not appear verbatim in the oath itself. The reality is that every day, doctors and hospitals need to make decisions about how best to help patients under the existing conditions. If doctors need to operate, they may harm the patient by making an incision, sometimes in order to save the patient's life. This is a calculated and acceptable harm from a moral perspective.
What isn't always as obvious to hospitals is the harm introduced by using an internet-connected medical device. In many cases, such as in hospitals, the doctors may have limited input about which devices are chosen for their environment. These devices have critical medical value not only for the hospital or doctor's office, but also from the patient's point of view. They are at the forefront of today's medical transformations. Often the harm that is introduced is unknown, unseen, or downplayed—if it is assessed at all.
This chapter explores, at a high level, the state of internet-connected medical devices and how those devices are impacting hospitals and unfortunately, and indirectly, human life. More importantly, this chapter covers the overall trends related to hospitals, partially as a result of internet-connected medical devices and how businesses evolved to the state they are in today. First, we need to understand the risks that internet-connected medical devices pose.

Connected Medical Device Risks

What exactly are the risks related to internet-connected medical devices? The hit TV show Homeland popularized the idea of an attacker assassinating someone by taking over a pacemaker. While this is not beyond the realm of possibility, the most common forms of attack involving internet-connected medical devices are ransomware and distributed denial of service (DDoS) attacks.1 In the former case, the attacker takes over a system (often with malware, but sometimes simply with a valid password) and prevents the end user from using it (often by encrypting its data). In the latter case, the attacker takes control of the device and uses it to attack other sites.

Ransomware

Ransomware is essentially software that locks owners out of their own systems or data, typically by encrypting them. Criminals then demand payment before the owners can regain access. Imagine you had pictures of your family on your home computer and could no longer open them unless you paid a fee. Now imagine critical medical systems rendered inoperable instead of family pictures. To make matters worse, once attackers are inside a system, they often leave behind a way to get back in, which makes the victim more susceptible to future attacks. This trend has only increased in the time of COVID. Clearly, the attackers' concern for the lives of others does not outweigh their desire for payment.
Ransomware has been evolving tremendously over the last few years, and the number of ransom demands has gone up significantly compared to a few years ago. In 2019 alone, 764 healthcare providers in the United States were hit with ransomware.2 One might be tempted to think that attackers would not go after hospitals in a time of a global pandemic, and while this is true of some attackers, the reality is that ransomware attacks have been on the rise since COVID-19 hit.3 What is worse is that while ransom demands used to be a few hundred dollars, they are now growing and are often more than a million dollars. With so much to gain, it is no wonder that ransomware attacks are on the rise. Clearly, hospitals face a great deal of risk related to ransomware.
The effect that ransomware has had on hospitals is crippling. The attackers are well aware that COVID-19 has severely stretched the resources at hospitals. They know that this is a life-and-death situation, which makes hospitals even more likely to pay the ransom,4 especially the smaller hospitals that may not have as mature an IT and/or security program in place to protect their environments from the ravages of ransomware.5 Essentially, they are easier targets. Sadly, even larger, more mature organizations are susceptible to ransomware attacks, but they can sometimes respond to them more effectively.
September 10, 2020, unfortunately marks a grim milestone for ransomware—the first indirect death. A patient was rerouted from Duesseldorf University Hospital in Germany as 30 of its internal servers were hit with ransomware. As a result of the subsequent delay in getting much-needed medical treatment, the patient died.6 This particular attack was aimed at Heinrich Heine University and mistakenly hit the hospital because it is part of the same network. In this case, the perpetrators provided the keys to decrypt the systems and withdrew their extortion demands, but despite that, the hospital's systems were disrupted for a week.7
That was not the only death associated with ransomware in September 2020, unfortunately. Universal Health Services (UHS) was hit with a massive ransomware attack. UHS is a Fortune 500 company with more than 400 healthcare facilities in the U.S. and the UK. It provides services to more than 3 million patients yearly. In many cases whole hospitals were shut down and services were rerouted to other hospitals. Because of this rerouting of services, four people died.8 With the frequency of ransomware growing, these kinds of problems will not only continue, but will likely become worse before they get better.
It is important to note that medical devices are not the only avenue for ransomware attacks, but they are, arguably, the most egregious vector due to the gaps in their fundamental security, the inability to patch cybersecurity flaws in some circumstances, and the sheer volume of problems they have, especially in the long run. One report shows that malware against internet-connected devices (not just medical devices) is up 50% from 2019.9 Medical devices are also a unique avenue because of the kinds of flaws they have; the range of flaws in today's internet-connected medical devices is staggering. Take medical imaging devices: 70% of them are based on retired operating systems or systems that are under limited support.10 The potential for vulnerabilities is extremely high. In many cases internet-connected medical devices still run Windows XP, which is no longer supported. New vulnerabilities continue to be found in such systems, many of which allow complete compromise of the whole system. A compromised system brings a whole host of risks, from the system not functioning to data being exfiltrated. Either way, these are risks to both patients and to hospitals.
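Operationally, the retired-operating-system problem described above is an inventory question: which devices run an operating system past its vendor's end of support, and which of those are also reachable from outside the clinical network and cannot be patched by the vendor? The following Python script is an added example, not code from the book or from any device vendor, that triages a device inventory on exactly those criteria. The inventory, device names, exposure flags and the fixed assessment date are constructed; the end-of-support dates in the table are reference values for Microsoft's extended-support end dates that should be verified against the vendor's lifecycle pages before being relied on. An operating system missing from the table is deliberately treated as unsupported with unknown age, so that it is reviewed rather than silently trusted.

```python
"""Triage connected medical devices by operating-system end-of-support status.

Added example: the inventory, device names and the fixed assessment date are
constructed; the EOL dates are reference values that should be verified against
the vendor's lifecycle documentation before use.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# End of extended support for OS versions commonly found on clinical equipment
# (assumed reference dates; verify against vendor lifecycle pages).
OS_END_OF_SUPPORT: Dict[str, date] = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Embedded Standard 7": date(2020, 10, 13),
    "Windows Server 2019": date(2029, 1, 9),
}

TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "supported": 3}


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    internet_reachable: bool  # routable to/from the internet or a cloud endpoint
    vendor_patchable: bool    # vendor still ships OS/security updates for this model


def support_status(os_name: str, today: date) -> Tuple[bool, Optional[int]]:
    """Return (unsupported, days_past_eol).

    An OS missing from the table is reported as unsupported with unknown age
    (None) so that it gets reviewed rather than silently trusted.
    """
    eol = OS_END_OF_SUPPORT.get(os_name)
    if eol is None:
        return True, None
    if today < eol:
        return False, 0
    return True, (today - eol).days


def risk_tier(device: Device, today: date) -> str:
    """Combine EOL status with network exposure and patchability into a tier."""
    unsupported, _ = support_status(device.os, today)
    if not unsupported:
        return "supported"
    if device.internet_reachable and not device.vendor_patchable:
        return "critical"   # exposed and cannot be fixed: isolate or replace first
    if device.internet_reachable or not device.vendor_patchable:
        return "high"
    return "medium"         # unsupported, but isolated and still patchable


def triage(devices: List[Device], today: date) -> List[Tuple[str, str, Optional[int]]]:
    """Return (name, tier, days_past_eol), highest tier first and, within a tier,
    the device longest past its end of support first."""
    def sort_key(d: Device):
        _, days = support_status(d.os, today)
        return (TIER_ORDER[risk_tier(d, today)], -(days if days is not None else 0))

    return [(d.name, risk_tier(d, today), support_status(d.os, today)[1])
            for d in sorted(devices, key=sort_key)]


# Constructed inventory for demonstration only.
INVENTORY = [
    Device("ct-scanner-01", "Windows XP", internet_reachable=False, vendor_patchable=False),
    Device("mri-console-02", "Windows 7", internet_reachable=True, vendor_patchable=False),
    Device("infusion-gw-03", "Windows Embedded Standard 7", internet_reachable=True, vendor_patchable=True),
    Device("pacs-srv-04", "Windows Server 2019", internet_reachable=False, vendor_patchable=True),
    Device("ultrasound-05", "vendor Linux (unknown kernel)", internet_reachable=False, vendor_patchable=True),
]
ASSESSMENT_DATE = date(2021, 1, 15)  # fixed so the output is reproducible

if __name__ == "__main__":
    for name, tier, days in triage(INVENTORY, ASSESSMENT_DATE):
        age = "unknown" if days is None else f"{days} days past EOL"
        print(f"{tier:9} {name:16} {age}")
```

Run stand-alone, the script lists the exposed, unpatchable Windows 7 console first, then the isolated Windows XP scanner (longest past end of support), then the exposed but still-patchable gateway. The point of the tiering is that "end of life" on its own does not set the priority; an unsupported device that is both reachable and unpatchable is the one that needs segmentation or replacement before anything else.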
Now let us think about connectivity. Today's world is also much more connected than ever before. Many systems connect back to something referred to as “the cloud.” While I will go into greater depth in later chapters about the cloud, it should be noted here that the cloud aggregates and correlates data in one location. It also comes with a whole new set of risks that adds an extra layer of complexity for IT and cybersecurity teams.
Let's take a ransom in another directi...
