Malware attacks Georgia Hospital, have we learnt the lesson?

Pierluigi Paganini December 21, 2011

The medical industry is historically one of the sectors that has benefited more than others from the introduction of technology. Devices and medical equipment make ever more complex operations possible every day for millions of patients, from health monitoring to remote surgery. Information systems manage massive amounts of sensitive information, making it available to medical staff and users through computer networks of various kinds. The introduction of mobile devices has been received with great enthusiasm: patient data is always at hand, and with it the opportunity to interact for any need, from booking an examination to querying a medical record.

But what is the downside? Such a robust boost in technology has not been matched by the same effort on the security side. The most frequently used applications in this area are vulnerable to every kind of attack, and exposure to attacks of various kinds is the order of the day. We observe a complete lack of awareness of how critical a cyber attack can be for medical structures. No matter whether the weapon used is a virus or a DDoS attack, and regardless of whether the event is an intentional attack or an accident caused by human distraction, the result could be catastrophic, and there are lives at stake. Systems and technologies in healthcare should be protected like military ones. It should be unthinkable to walk into a hospital and be able to connect an external device to the main network and operate undisturbed. Yet this is a common scenario in many Italian structures.

Consider also that recent incidents, including the hacking of Sony’s PlayStation Network and the RSA security breach, have demonstrated that even well-protected networks are vulnerable to external attacks of ever-increasing sophistication. To give an idea of the phenomenon, let us look at the official data on incidents: in the last two years alone, the personal medical information of over 7.8 million people has been exposed, and in one striking case 1.7 million records were stolen from an unlocked van belonging to a records management company.

Although the Health Insurance Portability and Accountability Act (HIPAA) requires by law that medical information be kept private, during ordinary operations this data is handled in the clear, which requires every precaution to ensure that the information we come across is kept secure.

Some simple rules to follow to ensure minimum security requirements:

  • encrypting any files that might contain sensitive information
  • accessing databases and servers over secure connections (i.e. using a VPN)
  • extracting and locally storing only strictly anonymized data
  • ensuring the physical security of your computer and access to critical departments

Database exposed, patient information at risk of theft. As an extreme simplification, we can classify the types of incidents by the injured party:

  • attacks on, or incidents involving, information systems that expose sensitive patient information
  • attacks on computers, control systems and other medical equipment

Both occurrences are extremely dangerous. The disclosure of sensitive information could jeopardize an individual's life and relationship with society. Knowledge of a disease could be used for various ignoble purposes and might lead to discrimination against individuals.

Damage to information systems and control systems, whether accidental or intentional, could pose a serious risk to the lives of patients. For example, the failure of the medical gas control system inside a structure could cause the death of patients undergoing surgery.
Similar incidents may be conducted as real military actions to undermine the enemy's defense and rescue systems.
We could discuss these scenarios for hours, illustrating the potential effects of incidents such as those mentioned, but what really matters for our discussion is to consider this sector critical in cyber defense strategies. We must not just consider medical structures as critical infrastructure to protect; we must also exercise control and implement effective security measures. Personnel should be sufficiently prepared, and new professional figures, prepared to deal with cyber threats, are indispensable inside these structures. The costs of training will certainly be offset by the limitation of losses in case of an incident.

It is news of the day that malware in a Georgia hospital’s computer system has forced it to turn away patients, highlighting the problems and vulnerabilities of computerized systems and confirming all our worries. The malware infection hit the Gwinnett Medical Center last Wednesday, shorting out the main information system, with obvious repercussions on the work of the hospital's departments, which were soon rendered inoperative. Fortunately the hospital was out of control for just one day, but it still isn’t in the clear, since the source of the outbreak isn’t known and the malware hasn’t been identified.

The problem was caused by a worm infection, which reportedly spread rapidly across the internal network, and it may have been caused by something as simple as a USB drive brought into the facility by an employee.
The case discussed is not the first!

But as hackers continually penetrate computer systems in critical infrastructure like power facilities, water plants and government contractors, hospitals may also be vulnerable points of attack.

Currently, hospitals are included among the structures considered critical in each national cyber defence plan; however, there is still too much to do. Unprepared and vulnerable structures and untrained personnel are a common denominator across the healthcare sector. Hospitals are considered a soft target where a cyber attack can easily cause a lot of damage. An attack can be carried out silently, with devastating consequences.

The message is clear: let’s hurry before it’s too late, before we have to mourn human lives, the victims of our negligence.

Pierluigi Paganini


