
Hospital IT Security is Unequivocally Terrible

On Friday, May 12, 2017, an enormous ransomware attack began spreading across Europe. Ransomware locks users’ computers and encrypts their files until they pay a ransom to the hacker who created or deployed it. Worse, England’s National Health Service was hit particularly hard, with several hospitals virtually shut down. Experts say that the NHS was likely not specifically targeted; nonetheless, it was especially vulnerable.

The medical professions have some of the strongest rules governing confidentiality and privacy. IT professionals, likewise, are concerned with appropriate security and access. One might assume, then, that medical IT is a shining example of technology privacy. One would assume incorrectly: in many cases, medical IT is a privacy and security nightmare.

First off, hospitals are hotbeds of specialized devices running outdated and insecure operating systems. A 2015 cover story by Bloomberg detailed one security researcher’s attempts to get the vulnerabilities in a common infusion pump fixed: vulnerabilities which could allow an external attacker to remotely command a pump to deliver an overdose of medication. The researcher, Billy Rios, spent years trying to make the FDA and DHS aware of his concerns, and was at times met with outright hostility from device manufacturers and the medical community.

A study released last year by researchers at Dartmouth College, the University of Pennsylvania and USC found endemic problems in hospitals, with a near-total disregard for good password policies and IT security best practices. As Kim Zetter over at Wired explains, telling doctors and other staff what they can and can’t do, in an environment where time is of the essence and patient lives are at stake, is next to impossible.

Savvy news-readers will know that over the past few years, England’s National Health Service has been fraught with IT security problems. NHS Digital has stated that cyber attacks on the NHS were on the rise in 2015 and 2016. Another mass ransomware attack crippled several NHS hospitals in November 2016, forcing the cancellation of hundreds of surgeries. In March 2017, insufficiently restrictive permissions allowed patient records from 2,700 general practices to be accessed by strangers. It also doesn’t help that an enormous number of NHS systems are running Windows XP (which is now 16 years old). It’s not just England’s hospitals that are experiencing the plague of ransomware, however. According to a report by McAfee, the healthcare sector is experiencing 20 malware-related data loss incidents per day.

With all of this taken into account, it may seem like mere officious nagging to tell users not to share their passwords, to update their software, and to be careful not to click on suspicious e-mails. But today’s ransomware attacks leverage a bug patched by Microsoft two months ago, a report from last year showed that 93% of phishing e-mails contained ransomware, and reusing passwords can allow malware to spread even more rapidly between machines. These aren’t just nitpicky details; they’re critical, first-line safeguards for protecting systems.

To put this in terms doctors might be able to appreciate, eating a cheeseburger every once in a while probably won’t hurt you, but eating poorly every day for years might eventually lead to a heart attack. This is how we need to think of the maintenance and diligence required of users with regard to IT systems: minor lapses in users’ security practices that may not seem immediately significant will add up over time, with disastrous results.

So how do we reconcile the necessity of proper security diligence with the urgency of the hospital setting? It’s not an easy question to answer, but as with any issue pertaining to healthcare, it’s utterly critical. This is a conversation which governments, along with the medical and technology communities, need to have right now. It’s going to require innovative thinking, and a mutual respect for the inherent complexities of both medicine and IT, and how they intersect.

When it comes to our healthcare, we can’t afford to wait.


AFTERWORD:

It bears mentioning that a security bug being leveraged by this ransomware was part of the NSA’s zero-day hoard (which, along with other hacking tools, was released by a hacking group in April). Unfortunately, bugs kept secret by intelligence agencies for their own uses can also be leveraged against innocent parties by criminals. I have recently argued very vocally against zero-day hoards for this exact reason.


Jesse Schooff is a veteran IT professional and technical communicator. As a volunteer blogger for OpenMedia he specializes in issues of privacy and information security. You can find more of his writing at geekman.ca
