Share this article on:
The continued use of outdated software and the failure to patch vulnerabilities promptly is making cyberattacks on healthcare organizations too easy. This was clearly highlighted by the WannaCry ransomware attacks in May 2017. U.S healthcare providers may have escaped relatively unscathed, but that was not the case across the Atlantic in the UK. The NHS was hit particularly badly by WannaCry. Were it not for the discovery of a kill switch by a security researcher, it could have been a similar story in the U.S.
This week, Symantec published a report on a recently discovered threat group that has been attacking healthcare organizations for three years and accessing highly sensitive information. Lateral movement within a network has been made easy due to the continued use of outdated operating systems.
These are just two examples of several over the past couple of years and the attacks will continue unless action is taken to address the issue.
In the UK, a post-WannaCry assessment by the health industry’s governing body revealed the NHS is still badly prepared for similar attacks. Many vulnerabilities remain unpatched and outdated and unsupported operating systems are still widely used.
Healthcare organizations on both sides of the Atlantic have upgraded some systems but many healthcare providers still rely on legacy software and equipment. All too often there is a lack of visibility into all devices connected to healthcare networks which hampers the remediation of vulnerabilities. Patching all systems promptly remains a major challenge in healthcare.
Action is being taken to address medical device security although progress is slow. Recently, the U.S Food and Drug Administration announced a new plan which will require all medical device manufacturers to incorporate the capability to update their devices throughout the entire life cycle of the products. While such measures will certainly help to keep new medical devices secure, it will do nothing to address the problem with older devices.
The use of legacy software and outdated equipment will continue to leave healthcare organizations vulnerable, but all too often there is little alternative. Aging devices and outdated software continue to be used because there are currently no viable alternatives. Even when it is possible to update devices and operating systems, identifying and managing vulnerabilities is a major challenge, and one that comes at a considerable cost.
Healthcare providers are often forced to conduct a cost-benefit analysis to determine the value of continued use of certain technologies and the cost of remediating vulnerabilities. If the cost of updating and maintaining the devices is too high and there are no viable alternatives that provide the same benefits, the risks associated with the devices have to be accepted.
Even if manufacturers were forced to continue to provide updates to legacy software and equipment, the time and resources that would need to be devoted to cybersecurity would undoubtedly have a negative impact on the ability of manufacturer to develop new devices and more advanced treatments, which would have a negative impact on patients. Unfortunately, there does not appear to be an easy solution.
The U.S. House Energy and Commerce Committee is well aware of the problem and is now seeking help from industry stakeholders on how best to tackle the issue and improve cybersecurity.
“Though hard data about the exact costs are difficult to determine, one cybersecurity professional estimated that fixing a single vulnerability may cost an organization anywhere from $400 to $4,000,” wrote the Committee in its recent Supported Lifetimes Request for Information. “Considering the fact that many popular medical technologies leverage software and hardware with hundreds to thousands of known vulnerabilities, let alone unknown ones, vulnerability identification and management can quickly become a daunting task.”
“To understand the full scope of the challenge and potential paths to address it, we require insight from stakeholders of all sizes, from all parts of the health care sector.” Input from industry stakeholders and others has been requested by May 31, 2018.
The House Committee on Energy and Commerce Request for Information on Supported Lifetimes can be viewed on this link.