CHICAGO - Tips for radiology practices on identifying security threats in imaging equipment, as discussed at RSNA 2015.
Hospitals are discovering that the quality of care is increasingly moving to a platform that is dependent upon its technology. As a result, medical devices are some of the most vulnerable areas of attack.
Knowing the types of attack and the motivations behind them, understanding the current risk of your institution’s medical devices, and putting security measures in place to protect against vulnerabilities will go far in establishing best practices, Kevin McDonald, BSN, MEPD, CISSP, director of clinical information security at the Mayo Clinic, said at RSNA 2015.
McDonald’s team recently looked at their network at Mayo and found that “of several hundred thousand things connected at the end of our network, only 60% were identifiable connections. The other 40% included medical device images from PACS, such as CT and MR.” He said at this point, the team realized that “their attack surface area was huge.”
Attackers and Motivation for Attack
McDonald said that to improve security, practices must first be aware that hacking and other forms of attack are real and a real threat. The most prevalent form of attack comes from employees, both current and former, who have the most access to devices. Other forms of attack come from “hacktivists, organized crime, and other countries,” where medical information can be used as currency.
“The skill level required to cause harm is going down and the damage can be deliberate, collateral, or unintentional,” he said.
The motivators for digital information attacks are numerous and an “active adversary must be assumed,” McDonald said. Disgruntled employees and patient families, hacking bragging rights, pointed social views, intellectual property theft, and the use of medical health records sold to perform billing fraud and self-controlled drugs are several of the examples McDonald used to show why technology is vulnerable.
The attack vectors used include social engineering and phishing, which have high success rates, along with “drive by” downloads, storage device transmission, and internet-connected devices and systems, McDonald said. These vectors download malware to infect devices and extract information.
Understanding Your Medical Devices and Their Risks
“Most medical devices were designed and built during a kinder and gentler time,” McDonald said.
Knowing that most devices are really computers with “some high priced and specialized peripherals plugged into them” is the key to understanding their risks. Medical technology has a long service life; most device companies focus on patient care functionality instead of attack vectors and methods; and many applications within the devices have no passwords, are unable to run anti-virus, and are vulnerable to a large number of known exploits, he said.
“Security is an afterthought and often not seen as a competitive edge, leaving vendors needing to catch up,” McDonald said. Many current medical devices also have configuration vulnerabilities, including unneeded files, default settings, and old passwords; they run on old unpatched software; and they lack encryption, he said.
Proactive Security Measures
Establishing best practices is essential in securing your digital information. Simple yet effective strategies that practices can implement, according to McDonald, include using strong passwords, eliminating suspicious e-mails, using clean media, running anti-virus, including security in your contracting process, and keeping your operating systems and applications updated.
More advanced security measures include monitoring super-user/administrator accounts closely, removing any unnecessary software from devices, using whitelisting for high-risk devices, patching often, and maintaining a good inventory of all devices with the current state of their hardware and software, McDonald said.
It is imperative to use a team approach when providing proactive security measures. Providers, as well as vendors, play a role in helping to narrow the surface area at risk. At the Mayo Clinic, McDonald found through his testing process that “none of the [security issues] we find are new, all of the things we find are fixable, this is not a technology issue, this is a development issue, a person issue, a culture issue.”