Cyber Vulnerability in Health Care Part I: Is Your Organization At-Risk?

Young woman with long blonde hair and glasses, resting her chin on her hand and smiling slightly, sitting against a plain light background.
by Greta Kviklyte Life Saver, AMC
Co-authored by Kim Murray, RN, M.S.
posted on Jul 13, 2017, at 7:54 PM

CYBERSECURITY, CYBER ATTACK AND CYBER VULNERABILITY. These words can strike fear into the hearts of Americans and people around the globe. In May, the WannaCry ransomware attack held the data of millions of people hostage. Hackers demanded payment for access to critical files and documents, reports ABC News, and the attack quickly spread around the globe through fishing software. But, there is a much darker side to cyber attacks—a side with the potential to cost lives.

Cyber attacks are not new, but the concept of a cyber attack on health care facilities appears that way.

By some estimates, cyber attacks on health care facilities, especially hospitals, are increasing at alarming rates, with 43 percent of all attacks in the UK impacting health facilities. However, the Cybersecurity Act of 2015 is on the path to bring health care industry security approaches into alignment with modern standards of cybersecurity.

First Aid USB driveThe primary impact of the Act established the Health Care Industry Cybersecurity Task Force (HCICTF), and the group’s initial report was just completed and made public in June. Unfortunately, the report details a grave state of health care cybersecurity, highlighted more recently by the Peyta ransomware attack in late‐June.

Although the Peyta attack was not as broad as WannaCry, it did appear to impact health care facilities more, reports USA Today. The hack brought the pharmaceutical giant, Merck, to its knees, potentially delaying access to medications and patient‐assistance programs (PAPs) for millions of people. But, what exactly does a cyber attack on health care look like?

Does it simply mean facilities lose access to patient records, or could it be more sinister?

Unfortunately, the answer can be both, and the latter was just proven to be deadly during a mock cyber attack.

As a health care organization, you are at risk, and the statistics are not in your favor. Health care organizations appear to be a new, top target for cyber attacks, which may be due in part to past payment of ransoms demanded, explains Bill Siwicki of Healthcare IT News. Think about everything in your organization that could be impacted, ranging from computers to patient monitors. You are at risk, but you have the opportunity to do something about it. This two‐part, in‐depth review will give you the information you need to know to understand cyber vulnerability in health care and how to protect your organization.

What Did the HCICTF’s Report Find?

The Task Force’s June Report found significant cyber vulnerabilities for identify theft, ransomware, targeted nation‐state hacks, supply chain disruptions, theft of research and development, equipment damage and more in today’s health care systems. Yet, most health facilities lack advanced security talent and systems, meaning the systems used to encrypt patient and facility data typically have minimal security standards. Meanwhile, legacy equipment and systems may not even possess multi‐stage authentication, if any login credentials are needed at all. The problem only gets worse from here and includes some of the following findings:

  • Legacy systems in health care can have up to 1,400 cyber vulnerabilities.
  • Discrepancies between state, federal and local governments make implementing appropriate cybersecurity measures difficult.
  • Existing systems make it difficult to detect attacks until after they have occurred.
  • Most health facilities assume their cyber vulnerability is low.
  • Attacked systems of any type, even computers not used by direct‐care professionals, like nurses and doctors, can have a negative impact on patient care.

The Report also tackles the broad definition of health care. Specifically, the Report’s findings are part of a health care ecosystem, comprised of laboratories, blood and pharmaceutical companies, direct patient care systems (like emergency medical services and consumer devices), mass fatality or emergency response systems, health plans and payers (e.g. insurance companies and Medicaid or Medicare), public health centers, federal response and program offices, health information technology (IT) systems, vendors and users, and medical materials—the so‐called health care supply chain.

Any of these entities within the health care ecosystem can suffer a cyber attack, and the digital age of medicine makes an attack even more likely. While legacy systems offered internal management of data, located behind the company’s firewall, the need to share data across organizations has meant making data retrievable from third parties, including patient portals and access to protected health information (PHI). This is where the cyber vulnerabilities become known.

Where Are the Vulnerabilities in Health Care?

Cyber vulnerabilities can exist almost anywhere in modern health care. Even legacy systems, when using newer versions of Microsoft Windows, can be susceptible to a cyber attack, as seen with the WannaCry attack. In fact, WannaCry was the result of a security patch error by Microsoft.

Any Device or System Can Be Impacted

Any device or system that can connect across multiple access points may possess vulnerabilities. Unfortunately, newer technologies, like patient activity trackers, pacemakers, ventilators and patient‐monitoring systems are at risk too. Some of these systems, like those in a Medical Intensive Care Unit (MICU), could be responsible for life‐sustaining measures. If a ventilator is shut down due to a cyber attack, it could result in someone’s death.

A Worst-Case Scenario of Affected Systems

Take a look at this scenario, and see if you can identify what was impacted:
Jane Doe suffered a myocardial infarction yesterday. She underwent a cardiac catheterization, and due to complications, she has been on a ventilator and external pacemaker since the procedure. Her nurse completed her hourly assessment at 0200, 45‐minutes ago. The rhythm of the pacemaker is normal sinus rhythm, and there is a continuing chest rise and fall. While working with another patient, her nurse returns to check on her. Upon a quick glance into Jane’s darkened room, the nurse records her vital signs and moves on. Two‐hours later, the nurse goes into the room to perform another assessment.

Unfortunately, the nurse is unable to find a pulse, and the signs of breathing are absent. Jane’s lips have already turned cyanotic, and the nurse activates a Code Blue. After 45‐minutes of running the code, Jane is declared deceased by the physician. Upon further review, the nurse had rechecked Jane’s vital signs only five‐minutes previously, but the autopsy report finds hypoxia as her cause of death. No other plausible causes of death could be found.

How Is the Example Possible?

The only answer to this scenario is that she was not getting any oxygen, so it implies either a problem with the ventilator or the pacemaker. But, the EKG report and the logged vital signs indicate Jane was continuing to breathe and maintain a pulse up until the nurse recognized the issue. Upon further review, the problem was not the ventilator, but the system itself.

A cyber attack impacted the health care facility, causing the system to loop the vital sign readings continuously, so Jane appeared to be doing well, recovering from her procedure. Unfortunately, her heart stopped, and she was unable to get oxygen to her brain and body, regardless of the ventilator’s performance.

This example is similar to the mock cyber attack conducted as part of the Task Force’s review of cyber attacks during a Code Blue. The health professionals were unable to identify a problem or reason for their patient’s distressed state until switching to a stand-alone EKG. This showed ventricular fibrillation (V-Fib), but no one could identify the event as a mock cyber attack until they were told what it was.

While this scenario is dark, the actual mock cyber attacks showcased incidents where the responding personnel were able to save the “life” of the mock victim—the mannequin. Moreover, there is no evidence that a medical device has been hacked and resulted in someone’s death as of today. But, Dr. Marie Moe, a security researcher from Norway and her team have successfully hacked both medication infusion pumps and pacemakers, reports ABC News, in the goal of finding better ways to secure these devices.

How to Recognize the Early Signs of a Cyber Attack in Your Facility

Unfortunately, identifying a cyber attack in health care devices relies on being able to recognize when something doesn’t seem right. In addition, health care professionals in your organization need to be able to respond with traditional assessment tools, including manual assessments such as taking the blood pressure or pulse manually.

While taking vitals manually may seem obvious, some health care professionals may have grown dependent on automation and machinery. Keeping their skills fresh will go a long way in recognizing a cyber attack on a medical device or system. There are a few other indicators of a possible cyber attack you need to understand.

1. You Receive a Message Indicating a Ransomware Attack

This is the most obvious of cyber attack signs. You may receive a message, akin to the demand for ransom in the WannaCry attack. The message may or may not explain the issue, and it may or may not contain a demand to release the system. However, this pop-up is not linked to your system’s anti-virus software.

2. Systems or Devices Are Failing With No Explanation

Systems and devices that begin to experience failures can allude to a possible cyber attack. However, it is impractical to assume any system failure is a cyber attack. The general rule of thumb is to take notice when the system or device fails repeatedly with little to no explanation.

3. Legacy Systems Ask for Unusual Information

Legacy systems are at greatest risk for cyber attacks in health care. A key indicator of an attack on such a system is the fishing for unusual information, like verifying employee portfolios or access credentials. If any such activity occurs, check with your in-house IT department to verify its authenticity.

4. Email Addresses From Coworkers Are Slightly Askew

Another indicator of phishing lies in emails and communications between users of the system. Always check the email addresses of incoming messages before opening them. If the email address appears to be incorrect—like thomas@healthcareorganisation.edu when the correct address is thomas@healthcareorganisation.edu—it may indicate a possible phishing attempt.

Notice the use of “s” in place of “z” within the domain name, healthcareorganization.edu.

5. Secure Accounts Are Locked When You Try to Log In

Unless you have recently changed passwords, you should not experience any issues when logging into your systems. If your accounts are locked or do not respond to the correct password, it may indicate a cyber attack.

6. Malware Pop-Ups Begin to Occur With Increased Frequency

Malware pop-ups controlled by your system’s anti-virus software may begin to occur, and their frequency will increase. Unfortunately, some of these pop-ups can act as the means of infection, so avoid clicking on anything that appears. In addition, you should immediately close any open systems on your computer or device and, if necessary, reboot to clear the device’s RAM.

7. A Sudden Change in Speed and Performance Occurs

Viruses take up processing power and slow down devices. Unexplained changes in speed or performance, like prolonged webpage loading times, may allude to an infection. Try restarting the device first—if the problem persists, an infection is the likely culprit.

8. New Toolbars or Features Appear

One common indicator of a malware infection or cyber attack is the appearance of systems, programs, or toolbars that were not installed by you. If these appear, do not click on any of their components, as doing so may activate the malware. Instead, notify your organization’s cybersecurity department.

What About Preparing for and Responding to Cyber Vulnerabilities and Attacks in Health Care?

It can seem like everyone using the internet is out to get your organization, but that is simply untrue. There are good hackers in the world, like Dr. Marie Moe, who work to improve cybersecurity for at-risk devices, companies, and systems. However, you still need to know what to do if an attack occurs—a topic discussed in further detail in Part II of this series.

About Greta Kviklyte Life Saver, AMC

Greta is a dedicated life saver and a distinguished expert in the field of medical content creation and editing. Her impressive array of certifications in ACLS, CPR, PALS, and BLS underscores her commitment to excellence in the medical field. With over four years of invaluable experience in medical education, Greta plays an indispensable role within the Advanced Medical Certification team, shaping the way healthcare professionals around the world acquire and apply vital knowledge.

Greta's profound expertise serves as the driving force behind the development and distribution of medical content that has significantly enhanced the capabilities of countless healthcare practitioners across the globe.

In addition to her medical qualifications, Greta holds a prestigious academic distinction in Marketing and Global Business from Vilnius University. Her academic journey has been enriched by immersive studies in Slovakia and Portugal during her time as an exchange student, providing her with a global perspective that complements her medical expertise.

Beyond her professional commitments, Greta possesses a genuine passion for global exploration, with a particular focus on immersing herself in diverse cultures and appreciating the intricacies of the natural world. While residing in Vilnius, Lithuania, she continues to make substantial contributions to the field of medical education, leaving an indelible mark on the sector.

Reach out to Greta at greta.kviklyte@advmedcert.com.

Keep Reading

May 20, 2024

Customer Feedback: Driving Certification Success

Read More
Aug 26, 2022

Online Bloodborne Pathogens Training for Everyone

Read More

We offer Online ACLS, PALS and BLS Certification and Renewal

Learn More About ACLS Certification Learn More About PALS Certification Learn More About BLS Certification Accreditation & CME Details