HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Security Risks of Medical Devices Explored by Check Point

Researchers at Check Point have demonstrated just how easy it can be to gain access to IoT medical devices and warn that the security risks of medical devices cannot be ignored.

There have been major technological advances in recent years that has resulted in an explosion of new medical devices, but the IT environments that the devices are incorporated into often lack appropriate security controls.

One of the main problems is many medical devices run on legacy systems and operating systems such as Windows XP, Windows 2000, and Windows 7.

Those operating systems are no longer patched and contain vulnerabilities that could easily be exploited to gain access to patient data or the network to which the devices connect. Even when patches are available, applying them can be difficult and involves considerable downtime. Consequently, devices often remain unpatched and vulnerable to attack.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Many healthcare providers also use medical devices from a wide range of manufacturers. Even identifying vulnerabilities and ensuring patches are applied can be a major challenge.

Check Point Demonstrates Security Risks of Medical Devices

In a recent blog post, Check Point researchers demonstrated just how easy it can be to hack a medical device. Their “UltraHack” demonstration showed a vulnerability could be exploited to hack an ultrasound machine and gain access to sensitive patient information.

The ultrasound machine was running on Windows 2000 and finding a vulnerability to exploit to gain access to the system was far from difficult. Access to the system was gained and the researchers were able to download data stored on the device, including DICOM images.

In the demonstration, the researchers showed how images relating to a particular patient could be replaced. Alternatively, malware or ransomware could be uploaded to the device.

While this attack was demonstrated on an ultrasound machine, vulnerabilities could easily be exploited on other medical devices.

IoT Devices are an Attractive Target for Hackers

Healthcare providers are a major target for hackers. They store large quantities of highly sensitive information which can be used by criminals to steal identities, submit fraudulent tax returns, obtain medical services and prescriptions through medical identity theft, gain access to patients’ financial accounts, and potentially conduct attacks to cause patients harm.

Ransomware attacks can also be extremely profitable. If sensitive medical information is encrypted, ransoms can be demanded. In many cases, healthcare organizations have had been forced to pay the ransom demand to regain access to their data.

As more devices are used in healthcare, the problem is likely to get worse. Check Point cites a Business Insider report which suggests that the use of healthcare IoT devices will increase from 95 million devices in 2015 to 646 million in 2020. By the end of 2019, 87% of healthcare organizations will have adopted IoT devices.

Ensuring devices are only run on supported operating systems and patching promptly will help to improve security, but with hundreds or thousands of devices connected to the network, identifying and addressing vulnerabilities can be an almost impossible task.

Check Point suggests an advanced prevention security solution is now essential to help address the security risks of medical devices. Network segmentation is also a must. “Separating patient data from the rest of the IT network gives healthcare IT professionals a clearer view of network traffic to detect unusual movement that might indicate a breach or compromised [internet of medical things] device,” explained Check Point. “Segmentation would also enable these organizations to prevent data stealing or encrypting malware from propagating further across the network and instead isolating the threat.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.