Slashdot Mirror


Remote Access System Hacking Is No. 1 Patient Safety Risk (healthitsecurity.com)

Hackers attacking healthcare through remote access systems and disrupting operations is the number one patient safety risk, according to the ECRI Institute's annual Top 10 Health Technology Hazards for 2019. From a report: ECRI Institute said it published 50 cybersecurity-related alerts and problem reports in the last 18 months, a major increase over the prior period. "Remote access systems are a common target because they are, by nature, publicly accessible. Intended to meet legitimate business needs, such as allowing off-site clinicians to access clinical data or vendors to troubleshoot systems installed at the facility, remote access systems can be exploited for illegitimate purposes," the report warned.

The ECRI report [PDF] said that once hackers gain access through these systems, they can move around the network, install ransomware, steal or encrypt data, or hijack computer resources for cryptocurrency mining. "The consequences of an attack can be widespread and severe, making this a priority concern for all healthcare organizations," said ECRI Health Devices Program Executive Director David Jamison. "In critical situations, this could cause harm or death." The report recommended that healthcare organizations identify, protect, and monitor all remote access systems and points of entry, and adopt cybersecurity best practices, such as a strong password policy, maintaining and patching systems and software, and logging system access.
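The report's advice to "identify, protect, and monitor all remote access systems" and to log system access is easy to state and hard to operationalise. The following is an added example, not code from ECRI or the article: a small triage script over a constructed remote-access authentication log. The log format, the internal address ranges, the `vendor-` account prefix and the three checks (successful login without a second factor from outside the internal network, a success following a run of failures, and vendor logins outside working hours) are all assumptions made for the illustration.

```python
"""Triage of remote-access authentication logs.

Added example, not from the ECRI report or the article. It assumes a
constructed one-event-per-line log format:

    <ISO timestamp> user=<name> src=<ip> via=<vpn|rdp> mfa=<yes|no> result=<ok|fail>

and three hypothetical policy checks derived from the report's advice to
monitor remote access systems and log system access.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) via=(?P<via>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>ok|fail)$"
)

# Assumed internal address space of the facility (hypothetical).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Hypothetical policy: this many failures before a success is suspicious.
FAIL_THRESHOLD = 3


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["mfa"] = ev["mfa"] == "yes"
    src = ipaddress.ip_address(ev["src"])
    ev["external"] = not any(src in net for net in INTERNAL_NETS)
    return ev


def triage(lines):
    """Return a list of (kind, user, src) findings for the given log lines.

    Kinds:
      no-mfa           successful external login that did not use a second factor
      fail-then-ok     success preceded by FAIL_THRESHOLD+ failures for that user
      vendor-offhours  successful vendor login outside 08:00-18:00
    """
    findings = []
    fail_streak = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed lines are skipped rather than trusted
        user = ev["user"]
        if ev["result"] == "fail":
            fail_streak[user] += 1
            continue
        # From here on the event is a successful login.
        if fail_streak[user] >= FAIL_THRESHOLD:
            findings.append(("fail-then-ok", user, ev["src"]))
        fail_streak[user] = 0
        if ev["external"] and not ev["mfa"]:
            findings.append(("no-mfa", user, ev["src"]))
        if user.startswith("vendor-") and not 8 <= ev["ts"].hour < 18:
            findings.append(("vendor-offhours", user, ev["src"]))
    return findings


# Constructed sample log (not real data; documentation address ranges).
SAMPLE_LOG = [
    "2019-01-14T09:02:11 user=dr.lee src=203.0.113.10 via=vpn mfa=yes result=ok",
    "2019-01-14T09:05:40 user=dr.lee src=203.0.113.10 via=vpn mfa=no result=ok",
    "2019-01-14T22:41:03 user=vendor-imaging src=198.51.100.7 via=rdp mfa=yes result=ok",
    "2019-01-14T23:10:00 user=billing2 src=198.51.100.9 via=vpn mfa=yes result=fail",
    "2019-01-14T23:10:05 user=billing2 src=198.51.100.9 via=vpn mfa=yes result=fail",
    "2019-01-14T23:10:09 user=billing2 src=198.51.100.9 via=vpn mfa=yes result=fail",
    "2019-01-14T23:10:20 user=billing2 src=198.51.100.9 via=vpn mfa=yes result=ok",
    "2019-01-14T10:00:00 user=nurse1 src=10.20.30.40 via=rdp mfa=no result=ok",
    "this line is garbage",
]

if __name__ == "__main__":
    for kind, user, src in triage(SAMPLE_LOG):
        print(f"{kind:16} {user:16} {src}")
```

Run against the sample it reports three findings: the second `dr.lee` login (external, no second factor), the late-night vendor session, and the `billing2` success that follows three failures. The internal `nurse1` login without MFA is deliberately not flagged, which is the kind of policy decision a real deployment has to make explicitly rather than by accident.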

35 comments

  1. Really? by bobstreo · · Score: 2

    I always thought it was the antibiotic resistant bacteria, incompetent doctors, and greedy hospital boards and administrators.

    Shouldn't all the access issues be covered under existing acts like HIPAA?

    Two Factor Authentication should be the minimum requirement for remote access to anything in a hospital or within a patient...

    1. Re:Really? by jellomizer · · Score: 1

      I always thought it was the antibiotic resistant bacteria: Only a very small portion of the patient population is affected by this.
      incompetent doctors: Normally these people just prolong pain and suffering vs. actually putting safety at risk.
      greedy hospital boards and administrators: They are too busy impressing each other than actually doing anything.

      Shouldn't all the access issues be covered under existing acts like HIPAA? They are, but there is wiggle room, and most professionals, especially ones under pressure, will find workarounds. Or smaller institutions will just hope it will slip by.

      Two Factor Authentication should be the minimum requirement for remote access to anything in a hospital or within a patient...: It is, they just don't use it.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Really? by Kjella · · Score: 2

      I always thought it was the antibiotic resistant bacteria, incompetent doctors, and greedy hospital boards and administrators.

      It still is:

      Top 10 Health Technology Hazards for 2019

      Not that much left if you exclude people and processes...

      --
      Live today, because you never know what tomorrow brings
    3. Re:Really? by Anonymous Coward · · Score: 0

      " incompetent doctors"

      Heavens! That is blasphemy! They went to university and are very smart!

    4. Re:Really? by Anonymous Coward · · Score: 0

      CROFLOLOLOLO...

      Chris got pranked by a Quebecer who won his election!

      And now Chris has no more views on his YouTube channel!!!!

      P.S. Chris, I'm a Quebecer and not Canadian, you big American dummy! Only in the United States does such an oddball exist!!!! :)

      To my American friends, you can keep your creimer at home! Thank you!

      https://slashdot.org/comments....

      https://slashdot.org/comments....

      CROFLOLOLOLO
      CROFLOLOLOLO CROFLOLOLOLO

    5. Re:Really? by Anonymous Coward · · Score: 0

      CROFLOLOLOLO...

      Chris was pranked by a Quebecer who won his election!

      And now, Chris has no more views on his YouTube channel !!!!

      PS Chris, I'm from Quebec and not Canadian big dummy american! Only in the United States is there such energy! :)

      To my American friends, you can keep your creimer at home! Thank you!

      Hey, FCLM! How are the neighbors and kids?

    6. Re:Really? by Anonymous Coward · · Score: 0

      Chris!

      Only in the United States does such an oddball exist!!!! :)

      Only in the United States is there such energy! :)

      CROFLOL! What a dumb and incorrect translation Chris!

      Dictionary French-English
      énergumène noun, masculine
      oddball n

      https://www.linguee.com/french...

      So now you know how to introduce yourself in French!
      --
      Balena!

    7. Re:Really? by Anonymous Coward · · Score: 0

      Google Chrome. Does good job in translating Russian.

    8. Re:Really? by Anonymous Coward · · Score: 0

      So your ex-military buddies who you mentioned here several times were Russian Chris?

      Now things are getting clearer at least. Are the Creimer family typically from the East part of Germany or the West?

      That could indeed explain a lot and make us take a leap forward with regards to buffoons as yourself.

      Thanks Chris, very enlightening!

  2. BSOD in the Emergency Room by Seven+Spirals · · Score: 3, Insightful

    One time I took a friend to the ER and she wasn't injured and couldn't really represent herself. The nurse who was going to check us in couldn't get the job done because her tablet kept getting a BSOD. All IT systems can go down, but goddamn, wouldn't you think that having Windows in the ER would be beyond "asking for it" ? I'm not the biggest fan of AIX, but at least the other ER I took her to could check her in, they used an AIX based patient system. Unbelievable. I bet they have insecure-as-hell Android and iOS systems handling patient records, too. What's the advantage of that? Nurses can take selfies while the system is down (or being spied on by Russians and Chinese) ?

    1. Re:BSOD in the Emergency Room by antdude · · Score: 1

      Don't they have backups that don't use tech? Did they forget how to do those? Can't always rely on tech!

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    2. Re:BSOD in the Emergency Room by Seven+Spirals · · Score: 1

      I know right? Well, that reminds me of the time when I was staffing at Def Con 5 (I think - been years ago) and we were using the Alexis Park Hotel. We warned the owner and staff about idiot script kiddies breaking and "hacking" everything in sight. They laughed and said "We ran this hotel for 20 years with nothing but pen and paper. It was a lot better in most ways. If they break anything, we'll just go right back to that method. It works just fine and it's not hackable." I have to say that I could have kissed the lot of them. They were wonderful people with a refreshingly Luddite confidence I found very practical.

    3. Re:BSOD in the Emergency Room by antdude · · Score: 1

      Yeah. I wonder if they can do that these days.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  3. Nonsense by Anonymous Coward · · Score: 0

    Medical errors are the greatest risk in the real world. They are the third leading cause of death in the US.

    https://www.hopkinsmedicine.org/news/media/releases/study_suggests_medical_errors_now_third_leading_cause_of_death_in_the_us

  4. Not listening to your IT Staff #1 Patient Risk by jellomizer · · Score: 1

    I get yelled at by Doctors all the time, because we force things like multi-factor authentication, auto-locking systems after 10 minutes, forced encryption on devices, having to do a full security review when deploying new software, often rejecting the coolest product for a boring old one just because it meets security standards, setting up the network so you just can't plug in any device anywhere....

    However, no matter how much security we try to put in place, the Doctors who think they know better and think this security is for the Registration Staff will find ways around it and not report it back, so it can't be addressed.

    There is more harm in having data missing or stolen than having to take an extra 20 seconds to log in.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Not listening to your IT Staff #1 Patient Risk by gweihir · · Score: 1

      Many MDs do not get that they are pretty incompetent with regards to IT. Dunning-Kruger effect at work. Before some large hospitals have to shut down due to this arrogance and stupidity, nothing will change.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Not listening to your IT Staff #1 Patient Risk by jbmartin6 · · Score: 2

      So true, I once worked for a hospital with no 2F on the remote access system, and the head of the ER department used his last name as his password, and refused to change it.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    3. Re:Not listening to your IT Staff #1 Patient Risk by jellomizer · · Score: 1

      Intelligence + Incompetence is very dangerous.

      The thing about IT is that an intelligent person can perform any particular action of our job: writing a program, configuring a network, changing security permissions...
      However, competency is knowing when to use a skill and when not to, and planning for the consequences of such actions.

      Professional Competent IT guy:
      Can I be 100% sure the solution will work? No, I cannot. However, I know the worst case scenario if this fails, and how to fix it. Also, I had accounted for and made sure many "worser" cases had already been addressed.

      Incompetent guy who thinks he can do it:
      Look at this solution that I made; it is done in half of the time IT quoted for it. Let me run this and get the job done... it may work... however it may not. Oops, it looks like it really messed up, and the data is gone. OMG, what am I going to do now? I am now in big trouble.
      Sheepishly calls IT, who has a backup, because they were competent enough to plan for this guy's incompetence.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Not listening to your IT Staff #1 Patient Risk by gweihir · · Score: 1

      Pretty much this. Intelligent folks that overestimate their skills (usually from lack of experience, sometimes from overestimating their intelligence) can do enough damage to be dangerous. And MDs go through a selection that pretty much makes sure they are intelligent, and they basically rule all things medical. They also think that without IT they could still keep a large hospital running. True for a few days and for emergency services only, think large catastrophe or the like. False for 90% of their business.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Not listening to your IT Staff #1 Patient Risk by demonlapin · · Score: 3, Interesting

      Hey, you, IT guy? I'm a doctor. Here's the other side of the same thing:

      I didn't want the hospital IT system I got. They asked me (and all the other doctors) what we wanted, then ignored our responses. I went to administration to tell them that I wanted to be part of every committee that had something to do with the EMR purchase and deployment (however bad I may be, I can guarantee you I'm better than almost anyone else you'll get), and got ignored. So... nobody cares what the people who use the thing on a daily basis think? Not a good starting point.

      Multi-factor ID: not really a major issue when, say, I'm at home and want to log in to do a bit of work; that's pretty straightforward. But here's the thing about the ten-minute lockout and twenty-second login process: I don't have a desk at work. I migrate from place to place, and I do it a lot. Twenty seconds per login is around thirty minutes of my day, on average. If you can't come up with a faster, better solution that allows me to do my work, the problem isn't with me - it's with your solution. And I'm somewhat unusual among doctors, because I only work at one hospital - many have to memorize information at three or four different hospitals, all with different criteria on what qualifies as an adequate password and different time frames for changing them.

      Forced encryption on devices: nothing is stored on my device, so it doesn't need encryption except for during transmission of information. I've seen this play out in very negative ways, because "forced encryption" is generally a synonym for "managed by IT" - which means that the power-mad person in charge of IT is watching what I do with my iPad when I'm at home. My tastes are pretty vanilla, but if you want to monitor everything I do with my devices and read all my email, then (at a bare minimum) you can pay for dedicated devices, ISP, and home office to put them in, and you can give me a work email address for hospital business - I'm not an employee of the hospital, so I don't have one currently.

      I don't hate IT people. You do a difficult and largely thankless job. But from the user's perspective, we have a lot of "tr0ub4dor&3" vs "correct horse battery staple" problems. My current work password is really simple - about as simple as one can be if you have to have a capital letter, a lowercase letter, and numbers, with a minimum length of eight characters, changed every three months, with no recycling of the past nine passwords. I've got a good password for my important personal things. It is not going to show up in a dictionary attack, I won't forget it, and even if you know me really well, it's not an easy guess - but I don't have ten passwords like that.
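The password rules this comment describes (upper, lower, digit, minimum eight characters, rotation every three months, no reuse of the last nine) are a concrete enough policy to put into code, and doing so makes the "tr0ub4dor&3" vs "correct horse battery staple" tension visible. The block below is an added example, written for this thread, not code from the commenter, the hospital, or the article. The length-based alternative policy and the entropy estimates are my illustration; the wordlist size used for the passphrase estimate is an assumption, as is storing the password history as hashes.

```python
"""The comment's password policy beside a length-based alternative.

Added example; not from the article or any commenter. The policy
constants are the ones the comment lists. The passphrase entropy model
assumes words drawn uniformly from a wordlist of WORDLIST_SIZE entries
(an assumption; use the size of whatever list your generator uses).
"""
import hashlib
import math

MIN_LENGTH = 8          # from the comment
HISTORY_DEPTH = 9       # "no recycling of the past nine passwords"
WORDLIST_SIZE = 7776    # assumption: a Diceware-sized list (6**5 words)


def _digest(pw):
    """History entries are kept as hashes so no plaintext is retained.

    SHA-256 is adequate for a reuse check; credential *storage* should use
    a slow, salted hash (bcrypt, scrypt, argon2) instead.
    """
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def _reused(pw, history_hashes):
    # history is oldest-first; only the most recent HISTORY_DEPTH count
    return _digest(pw) in list(history_hashes)[-HISTORY_DEPTH:]


def complexity_policy(pw, history_hashes=()):
    """The policy as the comment describes it. Returns (accepted, reason)."""
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if not any(c.isupper() for c in pw):
        return False, "no uppercase letter"
    if not any(c.islower() for c in pw):
        return False, "no lowercase letter"
    if not any(c.isdigit() for c in pw):
        return False, "no digit"
    if _reused(pw, history_hashes):
        return False, "reused one of the last %d passwords" % HISTORY_DEPTH
    return True, "ok"


def length_policy(pw, history_hashes=(), min_length=16):
    """Illustrative alternative: length and non-reuse, no character classes."""
    if len(pw) < min_length:
        return False, "shorter than %d characters" % min_length
    if _reused(pw, history_hashes):
        return False, "reused one of the last %d passwords" % HISTORY_DEPTH
    return True, "ok"


def passphrase_bits(word_count, wordlist_size=WORDLIST_SIZE):
    """Entropy of word_count words chosen uniformly from the wordlist."""
    return word_count * math.log2(wordlist_size)


def random_string_bits(length, alphabet_size):
    """Entropy of a uniformly random string; an upper bound for a
    human-chosen password of the same length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    history = [_digest("Winter2018")]          # constructed prior password
    for pw in ("Password1", "Winter2018", "correct horse battery staple"):
        print("%-30s complexity=%s length=%s" % (
            pw, complexity_policy(pw, history), length_policy(pw, history)))
    print("4 random words: %.1f bits" % passphrase_bits(4))
    print("8 random [A-Za-z0-9] chars: %.1f bits" % random_string_bits(8, 62))
```

The point the run makes: "Password1" satisfies every character-class rule, while a four-word passphrase fails them outright despite carrying more entropy than even a uniformly random eight-character password from the full alphanumeric alphabet. The history check is the part both policies keep, and keeping it as hashes rather than plaintext is the minimum a directory or IdP should do.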

  5. Keep critical systems offline by dddux · · Score: 1

    I can't understand why all parts of the network should be accessible remotely. At least they should keep the critical systems offline, and just part of a separate, internal network. So the solution is simple, but why are these people not able to see it?

    --
    "It is no measure of health to be well adjusted to a profoundly sick society." - Jiddu Krishnamurti
    1. Re: Keep critical systems offline by Anonymous Coward · · Score: 0

      Yup. Better to have limited functionality in some cases

    2. Re:Keep critical systems offline by jellomizer · · Score: 1

      What system shouldn't be used at all remotely and not communicate with systems that shouldn't be used remotely.

      If a doctor is doing some work remotely, he will need access to the EHR, which needs access to archive and lab systems, then data will be sent to the billing system, accessible by the billing staff, who are often working remotely as well.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Keep critical systems offline by Anonymous Coward · · Score: 0

      So... something like this?
      https://xkcd.com/2044/

    4. Re:Keep critical systems offline by demonlapin · · Score: 2

      Well, here's the thing: a lot of "hackable" stuff consists of things like pacemakers, that really have almost no security in place at all - they just rely on the fact that they have failsafe modes (and they do), and on the fact that very few people have a pacemaker interrogator handy.

      Aside from that, medical records have to be remotely accessible if there is to be any point in having an EMR - paper charts had their downsides, but physical security against outside attacks was pretty good, and you certainly couldn't do a mass-scale info swipe. My wife and I are both doctors, and she regularly does work while we're on vacations. She's looking up records, reading notes, interpreting labs... sure, you could lock her out, but you will kill most of the value of EMR when you do so. You'll also be requiring most doctors to drive in every time they get a phone call from the ER - which is not going to be a popular move.

    5. Re:Keep critical systems offline by Anonymous Coward · · Score: 0

      For instance, an X-ray machine should not be accessed from anything but its own control panel. Need the data from the machine? USB drive to a port programmed to not read from the drive.

    6. Re:Keep critical systems offline by Anonymous Coward · · Score: 0

      That's all well and good.

      Until your folks who interpret the X-ray are in another state. Or country.

  6. Number one thread: Bogeymen by Anonymous Coward · · Score: 0

    "Hacking" can mean anything at all. Easy way to the top of the threat list, no?

    But not useful. As usual from msmash.

  7. Dunno about that by Anonymous Coward · · Score: 0

    800,000 went to US hospitals for non-life threatening reasons and died before leaving the death houses. Sounds like they kill people there. A LOT! Organ harvest? Jobs got his liver REAL FAST! INVESTIGATE!

  8. Insulin pumps scare the hell out of me by greenwow · · Score: 2

    A coworker's daughter has one, and the software has locked up several times requiring her to remove the battery to get it working again. It's also required several software updates. If it failed and provided too much insulin, it could easily kill her.

    1. Re:Insulin pumps scare the hell out of me by Anonymous Coward · · Score: 0

      Mine has a wireless remote which is convenient since the pump is often under my clothing, but it is scary that a couple of times when I was near Bangor Navy base, it started beeping. I talked to the manufacturer, and they talked me through limiting the maximum dose.

  9. Too late by Anonymous Coward · · Score: 0

    Worked in the medical device industry, and all security of all hardware and software is very poor.
    In fact, the security of medical devices and lab information systems is so bad, anyone with a high school education can figure out how to break into, or brick, a device or LIS in under 5 minutes.
    Oh, and the device manufacturers have intentionally ignored security as it's not needed for FDA and/or UL approval.
    Find a medical device which DOES NOT have an exposed USB port. It's difficult to do.