Israeli cyber expert: Healthcare is world's most cyber-targeted industry
Cyber insecurity cost the healthcare industry an estimated $4 billion in 2019
By ILANIT CHERNICK
How do we keep private hospital records safe from being exposed online?
One billion medical records, which include X-rays, ultrasounds and CT scans belonging to patients in the United States, were exposed to the public in 2019, TechCrunch reported.
According to Elad Luz, head of research at CyberMDX, an Israeli-led company based in the US that is a pioneer in healthcare cyber intelligence, this happened because a certain piece of software is available to the public.
“It’s important to be clear that this situation is not about a breach or hack, per se,” he told The Jerusalem Post in an interview on Monday. “This is about hospitals installing and configuring their data infrastructure incorrectly and insecurely managing their medical technologies.”
Luz said someone looking to get their hands on this information does not actually need to hack anything or circumvent any controls.
“They can simply query a search engine for Internet-connected enterprise endpoints, like Shodan, using terms like ‘Digital Imaging and Communications in Medicine server’ [DICOM] to pull up the IP details of accessible Picture Archiving and Communication System servers [PACS],” he said. “Once they have that information, they can use one of a few different free-to-download applications to get the information.”
After careers spent in Israel’s national security services protecting the public interest, “CyberMDX’s founders had a unique and firsthand view into the profound security gaps created by medical technology IT,” Luz said.
“The company was established in 2017 to address this problem – not just in Israel but around the world,” he said.
“CyberMDX offers a solution to hospitals and medical centers focused on network endpoint visibility, threat prevention and operational analytics for medical, information technology, operational technology and Internet of Things devices.”
What CyberMDX does is combine deep knowledge of medical devices and protocols, “with its risk assessment technology and remediation capabilities to create solutions tailored to the needs of healthcare organizations,” Luz said.
CyberMDX also has its own research team that works closely with medical-device manufacturers to discover vulnerabilities “and help to improve cybersecurity across the industry,” he said.
Based on findings from Shodan, which is a search engine that lets the user find specific types of computers connected to the Internet using a variety of filters, approximately 30% of the PACS servers accessible over the Internet are located in the United States, Luz said.
“The recent Greenbone Networks report on the issue serves as an even graver indictment,” he said. “It found that the US accounts for nearly 14 million out of the total 24 million globally exposed data sets.”
Luz said Israel is significantly better in this regard, “showing only four exposed servers on Shodan.
“Of those four hosts, it’s not immediately clear how many are even live in production at medical facilities or configured for other purposes,” he said.
In 2019, at least 10 hospitals in the US were forced to turn away patients due to a compromised ability to deliver care as a result of cyber attacks, Luz said.
He warned that as we enter the 2020s, healthcare has “separated from the pack and is, by a wide margin, the most cyber-targeted industry.”
The healthcare industry “plays host to roughly 70% of all US data breaches,” Luz said. “The more sophisticated the attack, the stronger the apparent preference for targeting healthcare organizations... For example, nearly 80% of ransomware attacks target healthcare,” he said, emphasizing that cyber insecurity cost the healthcare industry an estimated $4 billion in 2019.
“Hospitals have been using some form of networking for over 40 years – long before other industries and before anything resembling today’s cyber-threat landscape emerged,” Luz said.
“As a result, today, healthcare networks are saddled with legacy technologies, techniques and cultures that have not caught up to today’s challenges.”
Compromising a hospital’s cybersecurity is a lucrative business, he said, adding: “The ‘bad guys’ have tremendous incentive to target healthcare. For example, when a hospital is hobbled by ransomware, there is often no choice but to pay, as patient care hangs in the balance. Another example, a single record can fetch as much as $1,000 on the black market.”
Luz said the first and most important step is “taking stock and developing a thorough index of your networked devices... Here, that would mean identifying all connected DICOM and PACS devices.”
Using that information, medical centers will want to check the connectivity configurations for those devices and identify which machines are open to the wider Internet, he said.
“From there, the process boils down to a few relatively simple steps to curb outside access to the devices,” he said. “[Firstly], if there are any servers that do not require remote access, apply firewall rules to block access to those servers from any external endpoints.”
Secondly, Luz said, “Close all operationally unnecessary ports, especially ports used for the transfer of medical information, [and] wherever possible, restrict out-of-network communications to those managed and secured through virtual private networks.”
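The steps Luz outlines (index the DICOM and PACS devices, find the ones reachable from outside, then block, close or move to VPN) can be expressed as a small audit over a hospital's own device inventory. The sketch below is an added example, not code from the article or from CyberMDX; the device names, trusted address ranges and the inventory format are constructed assumptions, while the port numbers are the standard DICOM assignments.

```python
import ipaddress

# Standard DICOM ports: 104 (well-known), 11112 (IANA-registered),
# 2761 (DICOM ISCL) and 2762 (DICOM over TLS).
DICOM_PORTS = {104, 2761, 2762, 11112}

# Assumption: the hospital LAN and its VPN address pool (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.50.0/24")]

# Constructed inventory: each device lists its inbound allow rules as
# (source CIDR, destination port) plus whether staff need remote access to it.
INVENTORY = [
    {"name": "pacs-archive-01", "needs_remote": False,
     "allow": [("0.0.0.0/0", 104), ("10.0.0.0/8", 11112)]},
    {"name": "ct-scanner-03", "needs_remote": False,
     "allow": [("10.20.0.0/16", 104)]},
    {"name": "teleradiology-gw", "needs_remote": True,
     "allow": [("0.0.0.0/0", 11112), ("0.0.0.0/0", 3389)]},
    {"name": "pacs-viewer-02", "needs_remote": True,
     "allow": [("172.16.50.0/24", 2762)]},
]

def is_external(cidr):
    """True when the source range is not fully inside a trusted network."""
    net = ipaddress.ip_network(cidr)
    return not any(net.subnet_of(trusted) for trusted in TRUSTED_NETS)

def audit(inventory):
    """Return (device, port, source, action) for every externally open rule."""
    findings = []
    for dev in inventory:
        for cidr, port in dev["allow"]:
            if not is_external(cidr):
                continue  # reachable only from the LAN or the VPN pool
            if not dev["needs_remote"]:
                action = "block external access"          # first step
            elif port in DICOM_PORTS:
                action = "restrict to VPN"                # medical-data port
            else:
                action = "close port unless operationally required"
            findings.append((dev["name"], port, cidr, action))
    return findings

if __name__ == "__main__":
    for name, port, cidr, action in audit(INVENTORY):
        print(f"{name}: port {port} open to {cidr} -> {action}")
```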