Researchers Uncover Healthcare Software Loopholes leaving medical devices vulnerable to hackers

11/22/2021

Information Technology (IT) has a firm slot in almost all professions. Whether it is teaching or healthcare, its impacts are everywhere. From multinational companies to country hospitals, everyone is reaping its benefits nowadays. Some conduct trades, some run their business globally while cutting off the significant expenditure on manual work via IT and AI. The same goes for health care. Several hospitals are now switching to Healthcare Software to save their time and energy.

The healthcare industry is also making good progress in technology. From the software that tackles sensitive information to the robotic equipment, the healthcare system is exploring the depth of the AI world.

Types Of Healthcare Software

There are various software out there that store patients' data and help medical professionals make the proper diagnosis. Apart from keeping the record of patients, they help the staff members as well. As per the need and requirements of both the doctors and the patient, there are various categories. Here are some of these

  • Electronic Health Record (EHR) Software - It has all the basic information about the patient, such as his medical history, his medications, diet chart, and in some cases, the procedures as well. In short, the part that benefits all medical workers is its ability to gather all the information at a place. Via such software, one can skip a long route of paperwork and the stress of keeping them aligned.
  • Medical Diagnosis Software - Its use is growing exponentially in the medical world. It helps make the proper diagnosis as the specialists from different fields share and compare the concepts and differential diagnoses.
  • Imaging and Visualization - helps explore the X-ray, CT scans, and MRI of patients and gives a better visuality. 
  • Medical Database Software - It works in the same way as EHR. However, MDS gathers data based on medical diagnosis. 
  • E-prescribing Software - It allows the doctors to communicate with the pharmacists while skipping the patient. It lowers the chances of errors and improves record management.
  • Online Appointment Scheduling - It saves time and energy for both the doctor and patients. Patients do not have to test their patience in long queues, and doctors can check the patients as per their capacity. Moreover, medical professionals can schedule their appointment and can track their routines at a glance.
  • Medical Equipment Management - It monitors the functionality of the medical equipment and helps to reduce their downtime. 
  • Hospital Management Software - It looks after the hospital's errands and manages various departments.
  • Medical Billing - Its task is to track the information of medical billing

Risk Of Data Breach

Having such fabulous software onboard is an innovative technology in the healthcare world. However, the risk of exploitation by hackers is always there. The likelihood of data breaching in healthcare is high in contrast to other professions. 

Not a lot, but there are some cases where the hackers invaded the healthcare software and snatched sensitive information. The recent happened hardly ten days back when a cyber gang hacked the record of a fertility clinic. The documents had delicate information of the patients ranging from their medical history to their test results. Besides this, they asked the management for a ransom for not leaking the details.

Now, take a ride back to a few months and look at the records of August 2021. The DuPage Medical Group - an independent group of physicians working in Illinois, notified 600,000 patients that their information was breached when unauthorized actors gained access to their system in July.

To avoid such cases in the future, many researchers are exploring the flaws in healthcare software. It would help to resist such intruders as these flaws are the gateway for hackers. Recently Forescout researched to explore the vulnerabilities in healthcare software. They warn nearly 4000 devices made by healthcare, government, and retail industry vendors are running such software.

Forescout Research On Vulnerabilities

The research was published on the 9th of November by Forescout Research Labs with the collaboration of Medigate Labs. Together they explored over a dozen vulnerabilities affecting the Nucleus TCP/IP. These flaws leave the system vulnerable to remote code execution, denial of service, and the most dangerous, the leak of information. They named these vulnerabilities the NUCLEUS:13. The nucleus is a part of various medical devices, especially the medical equipment for critical procedures ranging from patient monitors to anesthesia machines and whatnot. 

Just having a thought of such special equipment hacked by hackers is dreadful in itself. Therefore, to not let this happen in the near future, Siemens has issued updates fixing the vulnerabilities that impact the Nucleus RTOS. The firm is famous for managing data across critical networks. It works with federal officials and researchers to locate the vulnerabilities. 

It is expected that The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) will issue an advisory Tuesday. According to the source, it is supposed to encourage the users to update their systems. Matt Hartman, Deputy Executive Assistant Director for Cybersecurity at CISA, told CNN that they have begun working with their partners, including the health care sector, as well. 

Possible Measures

Meanwhile, the acting director of medical device cybersecurity at the FDA's Center for Devices and Radiological Health, Dr. Kevin Fu, highlighted the need to identify the affected devices. She said that it's essential for manufacturers of medical devices to have such a mechanism that can "quickly ascertain if their devices are affected." Further, she said, the effect of these vulnerabilities could depend on the version of the software and its connection with the internet. 

In order to explore the seriousness of these vulnerabilities and their probable outcome, Forescout researchers tested them in a lab. They sent malicious commands to the building automation systems. According to the report, they took it offline and turned off the lights and HVAC system in a mock hospital room. However, as the source stated, for this to happen in actuality, the hacker needed to be on the network of local hospitals, or the building automation device should have access to the internet.

The vice president of research at Forescout Technologies, Elisa Costante, told CNN that she wants to highlight the importance of examining the aging software in key industries for security flaws. In addition, she said that there is "no evidence of this being exploited," but do we need to wait for it then raise awareness?

Data Breached Incidents In 2020

The concern is worthy as just three years back, i.e., in 2018, the record of around 15 million people breached. Adding to this in the year 2020 also received several ransoms despite the pandemic. Here is the list of the top 10 data breaching incidents of 2020. 

  • Health Share Of Oregon - 654,000 Patients
  • Florida Orthopaedic Institute: 640,000 Patients
  • Elite Emergency Physicians - 550,000 Patients 
  • Magellan Health - 365,000 Patients
  • BJC Health System - 287,876 Patients
  • Benefit Recovery Specialists - 274,837 Patients
  • Ambry Genetics - 232,772 Patients
  • PIH Health - 199,548 Patients
  • BST & CO. CPAs - 170,000 Patients
  • Aveanna Healthcare - 166,077 Patients

Data Breached Incidents In 2021

Although the current year hasn't ended yet, there is a whole list of such incidents that happened. In the middle of this year, the cyber division of the FBI issued a flash warning of a hive related to the ransomware attack on Healthcare Software. The FBI informed the people about the tactics, techniques, and procedures that can create challenges for defense and mitigation. In spite of detailed warning notice, the year faced several attacks on its healthcare system. 

  • Florida Healthy Kids Corporation - 3,500,000
  • 20/20 Eye Care Network, Inc. - 3,253,822
  • Forefront Dermatology - 2,413,553
  • NEC Networks, LLC - 1,656,569
  • Eskenazi Health - 1,515,918
  • The Kroger Co. - 1,474,284
  • St. Joseph's/Candler Health System, Inc. - 1,400,000
  • University Medical Center Southern Nevada - 1,300,000
  • American Anesthesiology, Inc. - 1,269,074
  • Professional Business Systems, Inc. - 1,210,688

Conclusion

To conclude, hacking of Healthcare Software carrying sensitive information can be one of the worst nightmares for any hospital or clinic. The issue in such cases is the record, holding the details such as history, lab reports, and procedures. While considering this, ransomware demands high ransom from the management as the patient's information is bound not to be revealed.

It is considered that the hackers enter into the system via loopholes, or you can say vulnerabilities. Under such circumstances, the thing that can resist these malicious hackers is finding out the weak points and correcting them independently. The Forescout Research Lab stepped forward and listed down the 13 vulnerabilities in the Nucleus RTOS, developed by the Siemens Group. In response to the research, Siemen issued a patch that corrects the loopholes. Moreover, it is expected that The Department of Homeland Security's Cybersecurity and CISA will encourage the users to update their systems. 

Working on such loopholes is the need of an hour. According to the expectation, the IT market will grow by 13.8% in healthcare between 2019 to 2027. In order to cater to such enormously big data, it is essential to guarantee security and make it a safe spot for sensitive data.