By Oscar Miranda, Chief Technology Officer for Healthcare at Armis
The healthcare industry is under attack, with 34% of healthcare organizations hit by ransomware in the last year. Automated processes and technology have long been at the forefront of healthcare innovation. In fact, today, 80% of North American hospitals trust systems like Swisslog Healthcare TransLogic® Pneumatic Tube Systems to transport patient medications and supplies. But these same tools and systems, which help sustain life, can also wreak havoc if left unprotected. Ransomware attacks leave critical operations and processes inaccessible, compromising patient care and leaving patients at their most vulnerable. Healthcare systems are increasingly susceptible to cyberattacks and remain a target-rich environment for threat actors due to outdated legacy technology and unmanaged connected devices. An incredible number of connected devices are in use throughout the patient journey—from the moment a patient schedules their appointment online, to the time they walk into the hospital for check-in, to the time they spend in the hospital room itself—creating a large attack surface for threat actors hoping to take advantage of sensitive patient information. As healthcare organizations continue to be targeted by threat actors, it’s essential for these organizations to create a comprehensive cybersecurity strategy to drive cyber resilience.
The rise of connectivity in healthcare
Ransomware attacks on healthcare institutions are soaring. Threat actors are actively targeting the healthcare industry through outdated IT infrastructure and antiquated cybersecurity systems. While innovations in healthcare technology have streamlined every step of the patient journey, outdated connected medical devices create key entry points for cyberattacks. Healthcare institutions rely on connected devices to monitor patient vitals and to guide diagnosis, and cannot afford to lose access to their operations and patient data. These devices, which range from the check-in kiosk to vital sign monitoring equipment, have become essential to the patient journey. The reality is that these connected medical devices, despite their importance, are the weakest security link in healthcare and serve as an attack vector for threat actors.
- PwnedPiper vulnerabilities: Researchers from Armis discovered nine critical vulnerabilities known as PwnedPiper in Swisslog Healthcare’s TransLogic® Pneumatic Tube Systems (PTS). This complex system, which is installed in over 80% of all major hospitals in North America, uses compressed air to transport medical supplies in tubes—allowing medical staff to focus on patient care. The system plays a crucial role in patient care in over 3,000 hospitals worldwide and is utilized nearly 100% of the time. The PwnedPiper vulnerabilities, if exploited, could have allowed threat actors to gain complete control over the entire PTS network and potentially access sensitive hospital information. The prevalence of the Swisslog PTS systems highlights the potentially devastating effects of compromised medical technology.
A recent study found that as many as 83% of connected medical devices are vulnerable due to outdated operating systems and allow malware to spread to other connected devices on the same network. In addition to legacy issues, healthcare institutions have limited visibility into the traffic and behavior of their connected devices, leaving significant security gaps in their networks. Threat actors are increasingly taking advantage of lax, outdated security on connected medical devices to breach healthcare networks and sensitive patient records. Healthcare institutions operate an extensive network of connected medical devices to streamline the patient journey, but failing to secure these connected devices from threat actors is leaving patients at risk.
When ransomware compromises patient care
Attacks on healthcare institutions have the potential to halt hospital operations and delay patient care—jeopardizing patient lives. The growing threat of ransomware in the healthcare industry has direct consequences for hospital operations and the hospital’s ability to save lives. Despite this, patients are largely unaware of security risks while staying at a healthcare institution. The patient journey is incredibly reliant on connected medical devices to improve quality of care. These connected medical devices are used to monitor a patient throughout their stay at the healthcare institution and even from remote locations. Healthcare providers have real-time insight into their patients’ health through this connectivity, which drastically improves the level of care provided. Unfortunately, most connected devices were not designed with security in mind, making them an appealing target for threat actors to exploit. Patients are also not concerned with security risks associated with connected medical devices, despite recent ransomware attacks demonstrating huge implications for patient safety.
- Healthcare giant hit by ransomware: In late 2020, Universal Health Services (UHS), one of the largest healthcare systems in the United States, was hit by a ransomware attack. The attack shut down UHS’ network and IT systems, impacting a multitude of facilities across the country. Patients reported delays in medical services, medical staff were unable to access patient records, and ambulances were diverted to neighboring hospitals. These disruptions forced facilities to operate with limitations, which potentially led to dire consequences for patients in need of medical attention.
- Death in Düsseldorf hospital attack: The first attributed death from a ransomware attack occurred when threat actors hit a University Hospital in Düsseldorf in 2020. The attack crashed hospital systems and forced the hospital to turn away patients. As a result, a woman with a deteriorating condition was rerouted to a hospital 20 minutes away, which delayed the patient’s treatment by an hour and ultimately ended in her death. The fatality is the first recorded death from a ransomware attack.
Patients are directly impacted by cyberattacks on healthcare institutions, which are increasingly targeted by threat actors. Connected medical devices have a profound impact on the patient journey and, unfortunately, the consequences of failing to secure them are equally profound.
Rethinking security around connected devices
Ransomware attacks on healthcare institutions have shown no signs of slowing down. As such, healthcare institutions need to rethink their approach to security to mitigate damage from these attacks. The healthcare industry has become increasingly reliant on technology—from medication dispensing equipment to consumer wearables—to improve patient care. While connected medical devices enhance the patient journey, they also act as attack vectors if not properly managed or secured. Healthcare institutions are plagued by outdated legacy systems which are difficult to patch and suffer from limited visibility into the traffic and behavior of their connected medical devices. Healthcare institutions are also responsible for securing their connected devices in order to protect hospital operations, medical staff, and patient lives from potential threats. To start, healthcare institutions need to identify and monitor all connected devices in their networks to help identify potential threats and suspicious behavior in order to implement appropriate security measures for incident response. Additionally, they will need to restrict network and device access to reduce the number of entry points for threat actors. With the rise in cyberattacks, the healthcare industry needs to alter its security strategy to proactively focus on visibility and access into connected devices.
The future of connected devices in healthcare
Today’s healthcare institutions rely heavily on secure IT infrastructure and connected medical devices to facilitate the continuous delivery of patient care. This connectivity and data, in turn, drive healthcare innovation and the future of medical technology and patient care. With the rise in ransomware attacks on healthcare institutions, the future of the healthcare industry is dependent on addressing and securing entry points around connected devices. The PwnedPiper vulnerabilities in Swisslog’s PTS systems shed light on the potential for security risks to unravel and effectively shut down hospital operations. It’s essential for the healthcare industry to bolster its security posture by proactively detecting and monitoring potential threats and vulnerabilities in order to reduce the risk associated with connected medical devices and increase cyber resiliency. A connected healthcare system, when properly secured, drastically improves clinical operations and operational efficiency and enhances the patient journey with improved access and care.