Chapter 6

WAPs in Medical Environments

Abstract

Estimates about the size of the global wireless electronic health record (EHR) market underscore the importance of wireless access points in medical practice: about $11.2 billion in 2013 and projected to at least double by 2018. Several forces combine to make wireless technology especially prevalent in medical facilities: cost, inconvenience, and environmental burden (e.g., construction dust, noise, repair work) of implementing or upgrading wired networks; the desire for on-demand, real-time patient information (e.g., EHRs or patient readings); and the use of sensors, medical devices, and building automation solutions. Medical device manufacturers are not compelled at this time to comply with the guidelines for enhancing device security that the FDA developed at the behest of the Government Accountability Office. Meanwhile medical device availability and integrity are essential for maintaining patient-critical, clinician-critical, facility-critical, and organization-critical infrastructure and processes. Mandated security objective priorities (i.e., confidentiality first) are not completely aligned with patient well-being.

Keywords

Electronic health record; monitor; network segregation; active medical device; passive medical device; medjacking; pivot attack

Several forces combine to make wireless technology especially prevalent in medical facilities: cost of implementing or upgrading wired networks; inconvenience and environmental burden (construction dust, noise, repair work) of installing cable; tight patient exam scheduling and the desire for on-demand, real-time patient information (e.g., electronic health records or EHRs); and the use of sensors, medical devices, and building automation solutions. The importance of WAPs in medical practice is underscored by estimates about the size of the global wireless EHR market: about $11.2 billion in 2013 and projected to at least double that size in 2018, according to BCC Research. This market research group defines wireless medical market segments as products that include wireless patient monitoring, EHR-compatible devices, wireless EHR software, EHR mobile technologies, application markets, pediatric growth trackers, capnography,1 real-time location devices, video applications, and patient/guest Internet access, in addition to end-user (consumer) markets.² Consumer products include such devices as fitness trackers and sleep monitors, as were discussed in Chapter 4, Hacks Against Individuals. This chapter looks at wireless devices used as integral components of formally designated medical environments; their role in promoting patient, clinician, organization, and facility well-being; their attack surface characteristics and attractiveness to hackers; and the challenge of balancing the security objectives of CIA.

The medical industry is where things get critical, cynical, and even more complex than in consumer, manufacturing, and commercial environments. There really can be blood on the floor when security goes awry: it’s more than inconvenience and compromised confidentiality. Parallels can be drawn between physical/biological compromise in medical care facilities and digital/logical compromise. The spread of infection between biological systems is similar to the spread of infection between digital systems.

Hospitals are notorious breeding grounds for biological infection: “on any given day, approximately one in 25 US patients has at least one infection contracted during the course of their hospital care.”³ The death rate from such infections in 2011 was more than 10%. Health care-associated infections include those contracted through invasive procedures (central-line associated bloodstream infections or CLABSI, catheter-associated urinary tract infection or CAUTI, surgical site infection or SSI, and ventilator-associated pneumonia or VAP). Presurgery protocols call for taking antibiotics internally a few days prior to surgery, yet ambient bacteria can still cause problems (studies indicate that cleaning tools like mops and dust cloths can spread contamination) in spite of using tons of disinfectant products.⁴ Of course, using the products is controversial because of the increasingly resistant bacterial strains that are implicated in life-threatening infections. As with digital infections, we are in a perpetual game of catch-up. It is not surprising that infection transmission thrives when sick people with already compromised immune systems and possibly open wounds are concentrated in one location. Likewise, it is not surprising that malware transmission thrives in technology environments in which disparate devices with already weak (or nonexistent) built-in security protection, lightweight access controls, and ineffective credential management are sharing a wireless network.

The precarious physical health of those in hospitals and other medical care facilities is analogous to what happens when computing technology is introduced without a complete understanding of the fundamental requirements for protecting data health (i.e., its CIA). The aggressive push for EHRs did not effectively prescribe how to prepare data for automated sharing. Data collection points are legion. Sensors abound, as do mobile devices, to receive and transmit data for storing, sharing, and further analysis. There is an inherent tension between the convenience of unimpeded wireless access to patient records, diagnostic information, and treatment results, and the extra steps required to ensure data and communication security (as represented by the CIA triad).

Medical staff have become accustomed to relying on quick retrieval of data to determine proper diagnosis and treatment for patients. Encrypting that data slows the process by adding overhead to processing time—but, with very high-speed networks (in the gigabit per second range), delays are measured in fractions of a second. Staff may choose to ignore encryption options, which require an extra authentication step via password or token, for sharing needed information like X-ray images and just opt for using unprotected messaging channels.⁵

Implementing multiple firewalls to separate data stores likewise slows the retrieval process as does segregating various device traffic on different network segments, adding complexity to traffic management and change control processes, and a risk to QoS requirements. According to some practitioners, such complexity is not readily scaleable.⁶

The health information technology (HIT) environment is one in which latency—lag time in communication signals between medical resources (human, machine, data)—can lead to injury, suboptimal outcomes, and even death. From a technical perspective, however, such latency concerns are only valid when there is a single network for all devices. Segregation of networks allows different latency and thus different security support. It is the machine-to-machine signals for which quality of service (QoS) must be maintained at the highest levels, for example, when performing robotic or remote surgery. Human-to-human or human-to-machine communications are more tolerant. The priority afforded availability as a security objective competes with integrity as the primary objective. Message integrity, confirmation that content and source are authentic and authoritative, is critical. Still, public policy concerns about—and legal consequences associated with—confidentiality of data have influenced security architecture and budgeting decisions. Availability and integrity trail confidentiality in terms of senior management decisions about how to prioritize security objectives and where to make security—and technology—investments.

This is really an area for further analysis to distinguish between concerns based on convenience factors versus system responsiveness (i.e., speed at which system responds to requests), impacts to efficiency (e.g., number of patients supported per resource or throughput), and effectiveness (e.g., patient mortality rate, patient readmission rate, or output/outcomes). If system responsiveness were critical to hospital effectiveness, one would expect to see noticeable differences when a hospital moves from primary systems to backup systems (e.g., paper operations). These differences would likely be reported to the government and then (intentionally or unintentionally) made available to the press. Analysis of normal systems and backup systems (due to hacks, power failures) for efficiency and effectiveness is an area for further analysis.

Health care environments add life-and-death concerns on top of the typical information concerns about CIA. Health Information Portability and Accountability Act of 1996 (HIPAA) is the legislation that imposes penalties on medical practitioners, facilities, and business associates when patient PII is compromised. Less visible among the high-profile incidents of health record data breaches are violations of data integrity and system availability. The successful ransomware attack on Hollywood Presbyterian Hospital in early 2016, in which a variety of hospital assets—not just patient records—were held hostage, provided irrefutable evidence that wireless vulnerabilities create opportunities for hackers.

Medical EHRs

Confidentiality

EHRs provide a rich store of PII including more than 18 different identifiers (e.g., name, address, SSN, date of birth), in addition to payment information, medical conditions, and treatments.7 This is more PII and private information than one’s bank collects. And all that information is valued by hackers to ensure income flow, whether by selling it on the black market (health insurance credentials can be worth 20 times more than a credit card)⁸ or by committing billing fraud. Such health care fraud “accounts for 3%–10% of annual U.S. health expenditures” or at least $74 billion a year.⁹ The information is also used for filing fraudulent income tax refund claims.

HIPAA addresses data integrity in §164.304—Definitions:

Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.

HIPAA was one of several pieces of legislation passed in the 1990s¹⁰ that addressed citizen and politician concerns about ensuring the “right to be left alone.”¹¹ The first civil monetary penalty for noncompliance by a covered entity (Cigna Health, in this case) was not imposed until 2011, however. This was after passage of the Health Information Technology and Economics Clinical Health (HITECH) Act, which defined higher fines for HIPAA violations.¹² Prior to this, Providence Health System was fined $100,000 for casual treatment of protected health information belonging to more than 386,000 patients)¹³ and CVS was fined $2.25 million for improperly disposing of prescription labels and other identifying information in unsecured trash bins.¹⁴

Since 2005, the Privacy Clearinghouse has received more than 551 reports of breaches in the medical sector associated with portable devices, hacking or malware, and unknown vectors.¹⁵ The amount of health PII accessed by hackers shows little sign of abating. One research firm predicts that “one out of three individuals will have their medical records compromised by cyberattacks in 2016.”¹⁶

Anthem Attack

Hacker Objective: Primary objective was to obtain information about key personnel in aerospace, energy, etc. as part of a suspected state-sponsored APT attack; the secondary objective was to obtain a rich information store for mischief

Hacker Technique: Multilayer, persistent, multiple techniques (watering hole,17 credential compromise, zero-day exploits, Sakurel malware enabling backdoor)¹⁸

Victim Impact: Compromise of 80 million records containing PII (carries fines to insurance organization of about $200 per record,¹⁹ although Anthem carried more than $100 million in data breach insurance); compromise of victim organization’s family of businesses for another 22.1 million records compromised;²⁰ predicted increase in individual fraud cases.

As of May 2016, details describing the steps taken in the Anthem attack were not available because of the ongoing investigation. Publicly available information indicates that the credentials of at least five employees with privileged IT access were stolen. Common techniques include phishing email messages (e.g., Sony 2015 attack) and malware propagation that allows backdoor access into systems. These techniques are often associated with mobile computing and storage devices, in addition to intercepted signals from WAPs. Mitigating measures that were not in place at Anthem include record encryption (not required by HIPAA for dedicated servers), robust protection of access credentials, least privilege policy (firmly limiting privileged access), effective employee awareness training, and intrusion and anomaly detection.²¹ Organizational inattention to security needs was also evident. Anthem was cited in 2013 by the US Department of Health and Human Services (HHS) and fined $1.7 million for not performing a complete risk analysis when a new, online customer portal was launched.²²

From the attacker side, the apparent connection between different hacker groups—based on the timing and techniques used for attacks that include Anthem as well as the US Office of Personnel Management (OPM)—is disturbing. The malware used in both, Sakula, is a RAT with many different strains. The Deep Panda and Black Ivy groups are associated with this malware.²³

EHRs and Medical Devices

Integrity

Although valued for their potential to facilitate information sharing horizontally across multiple care providers (internal and external to a specific medical facility) and longitudinally over years, EHRs are susceptible to easy alteration if safeguards are not implemented. It is essential that access control principles be applied consistently to ensure that information is reported by appropriate personnel (individually identifiable) and that information updates be time-sampled to support nonrepudiation and a kind of information “chain of custody.” Likewise, change control principles must be adhered to so that the sequence of interventions and events can be understood easily and patient care can be monitored and adjusted as needed. Effective implementation of access and change/configuration control mechanisms means that all health information sources within the facility’s ecosystem must be validated. Many of these information sources are wireless.

Clinician convenience and intensive scheduling demands can combine to create an environment in which data integrity cannot be ensured and receives only intermittent scrutiny. Record integrity is compromised, for example, when clinician notes are cloned (copied-and-pasted) from one patient to another or from one patient screening report to another, when dictation errors are accepted without validation, or when template documentation is inadequate for describing the patient condition. In addition to nonmalicious errors, inadequate data integrity can promote health care fraud and abuse.24

Wired connectivity is bolstered and augmented—even sometimes replaced—in medical facilities by the use of WAPs. This results in significant savings in plant upgrades, network infrastructure design flexibility, and clinician and patient information mobility. WAPs enable easy communication among facility guests, patients, and clinicians. WAPs also introduce complexity and uncertainty when wireless devices are allowed access to network connections without preregistration.

Given organizational budgetary constraints and the primary focus on building medical staff capacity, rather than IT staff, segmenting network traffic can reduce the risk of message and signal integrity, in a MITM or identity spoofing attack. By isolating guest and other occasional (i.e., not preregistered) devices to their own, separate network, opportunity for compromise of the facility’s protected assets is reduced. Different network segments need firewall separation with activity traceable to individual devices and incidents. The US DHS recommends whitelisting processes, machines, individuals, and data packages that are permissible. Devices that receive, transmit, and/or store patient information should connect through a hardened network connection. Robust access control policies that are well enforced help ensure that machines, individuals, or processes are not allowed privileged access without explicit challenge/response vetting.

The consequences of integrity compromise of wireless medical devices vary according to the specific use case scenario, as indicated in the following examples:

 Patient-focused active medical devices like insulin pumps can be instructed to deny, modify, or deliver treatment. Treatment may include substance administration (e.g., medication, nutrition, oxygen), mechanical intervention (e.g., automatic defibrillation, life support). Loss of integrity in device programming can result in medication delivery errors (too much, too little, wrong medication).

 Patient-focused passive medical devices vary from orthopedic implants to monitoring instruments (e.g., blood pressure and other vital statistics tracking).

 Clinician-focused active medical devices can be used to perform remote surgery or give the clinician real-time information about the patient’s condition. Lack of integrity in the messages or work orders sent can result in patient harm.

 Process-focused active medical devices can be instructed to scan medication barcodes, track patient drug allergies, adjust inventory management systems, control medication and organic material safety (e.g., temperature control to protect and preserve blood samples and banks, tissue samples, and organs for transplant).25

San Diego–based Independent Security Evaluators performed white hat exercises to test hypothetical attacks against hospital devices, processes, and EHRs. Carried out under conditions that mimicked actual medical facility operational environments, the exercises highlighted common susceptibilities that allowed the test threat agent to:

 Manipulate a passive medical device from outside the network by performing an authentication bypass attack and causing the patient monitor to transmit false information and act erratically;

 Control medicine administration and other workflow processes from a hospital lobby kiosk (that was not on a segregated network) by taking over barcode scanning equipment and causing patient and treatment mismatch;

 Compromise the EHR system to issue improper treatment work orders by launching a cross-site scripting attack that allowed modification of administrator settings, authorized user changes, and then manipulation of patient records; and

 Identify and compromise medical dispensary devices and inventory control systems.26

Medjacking: Insulin Pump Attack

Hacker Objective: Research potential for exploitation of wireless medical devices (both active and passive)

Hacker Technique: Research public information resources and reverse engineer devices to achieve C&C over them

Victim Impact: Curiosity satisfied, Black Hat Conference paper accepted, and future research directions identified

Following in the fine tradition of researchers acting as guinea pigs, one researcher hacked his own insulin pump and glucose monitor, using his knowledge of wireless technologies and following classic attack sequences (reconnaissance and enumeration, intrusion, reconfiguration) to evaluate the difficulty of “capturing” the devices. His methodology is detailed in the paper he delivered at the 2011 Black Hat Conference.27 Key steps are outlined below. They offer insight into where information about other types of wireless devices can be found and how that information can be put to use.

1. Review user manual for continuous glucose monitor to obtain device signaling frequency, modulation method, packet length, transmission frequency, FCC ID.

2. Download additional performance specs from the FCC website.

3. Research patient documents for the device under the manufacturer’s name.

4. Obtain a RF module that operates within same bands as the target devices (Arduino module, in this case).

5. Configure RF module to manually decode transmissions and identify patterns of target devices.

6. Set the logging on the target insulin pump to HIGH to gather sufficient data to reverse engineer the pump’s message formats and command codes.

The researcher exercised good judgment and did not complete the attack. His experiment simply assured him that it was doable. It also verified that such devices are vulnerable to replay attacks (given the absence of time stamping or other protection), transmission spoofing, manipulation of sensor data, and even changing the insulin pump configuration settings. As Radcliffe points out in his discussion of future trends, removing human oversight completely from the glucose monitoring and insulin delivery process by automating it end-to-end could leave the devices—and the user—vulnerable to compromise.

Fearing his potential vulnerability to such an attack, former Vice President Cheney asked that his pacemaker implant’s wireless capabilities be disabled to thwart hacking efforts. The US Government Accountability Office (GAO) strongly urged the FDA in 2012 to examine mobile medical device susceptibility to malware, unauthorized access, and DoS.28 The FDA issued its guidance document—“Medical Devices Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices”—on February 9, 2015, but stated that it would not enforce compliance due to the perceived low risk of an actual exploit being performed.²⁹

Hollywood Hospital Hack Attack

Hacker Objective: Financial gain through ransomware infection, denial of access to hospital computing resources, and disruption of business processes

Hacker Technique: Suspected spear phishing combined with ransomware kit use

Victim Impact: Hospital payment of $17,000 ransom for key to release encrypted computing assets, 2 weeks of reduced productivity (due to manual processes used as a workaround), patient inconvenience (due to unavailability of medical tests that required a functioning network)30

Detailed information about the actual attack techniques used is not publicly available as of May 2016 because of ongoing investigations by the FBI and LAPD. FBI Cyber Division Assistant Director James Trainor is quoted as saying, however, that ransomware delivery is becoming more sophisticated and less reliant on an employee’s clicking a link. Rather, hackers are seeding legitimate websites with the malware to exploit unpatched vulnerabilities on the end-user side.³¹ Since wireless devices are generally subjected to less patching scrutiny, they are more likely to be the weak link in security chains.

In this hack, attackers correctly assessed ability and willingness to pay on the part of the victim hospital. Although no PII or personal health information (PHI) was compromised, the attackers encrypted hospital information assets and insisted on payment of a $17,000 ransom in anonymous bitcoin “script” in exchange for the key to decipher EHR information. The hospital senior management elected to pay the ransom before contacting authorities, but then was also very forthcoming about sharing information about the attack to others. From the attackers’ perspective, demanding ransom is less risky and more profitable than is selling stolen identities and other information on the black market or engaging in fraudulent activities. It was a quick hit attack with a good profit, especially given the going price tag for ransomware kits (in the $3000 range) that require minimal expertise and feature multiple options for hackers.

Takeaways

 Keep software and security patches up to date.

 Change manufacturer default settings and impose robust password policy.

 Segregate patient-critical, clinician-critical, and procedure-critical communication channels behind firewalls. Do not allow hospital visitor, guest, or vendor communications on the same network segment. Deploy virtual LANs for different devices.

 Enforce least privilege, separation of duty, and role-based access control policies.

 Restrict access to WAPs to whitelisted users.

 Implement white and black lists of executable files.32

 Create a buffer zone so that data generated or captured by wireless devices can be abstracted for transmission to clinicians in one dedicated environment, but device access is restricted to another dedicated environment. 33 Device control communications should not travel over the same network segment as device data communications.

 Educate staff regularly about the responsible use of technology and communications.

 Medical facilities can mitigate exposure to disrupted work processes, reduced productivity, and information asset kidnapper demands by becoming more resilient. Deploy a well-designed business continuity plan that includes data backup and recovery to an offsite or out-of-band location.

 Evaluate the decision about whether to pay ransom demand on a case-by-case basis. The FBI has given ambivalent guidance.

 Look to the example of Ottawa Hospital and its preparation to survive such a denial of access attack and its ability to remove ransomware that was installed.

EHRs, Medical Devices, and ICS

Availability

Less emphasis has been placed on the automated systems that control power, water, and equipment than on systems that contain patient information or medical devices. These automated systems, both associated with general building maintenance and medical-specific equipment, also have an impact on patient health. They are also significant to facility and organizational health. As was discussed in Chapter 5, WAPs in Commercial and Industrial Contexts, these systems were not initially designed to be interconnected via IP networks. Security mechanisms have not been baked in from the start. Hardening these systems to make them more impervious to inappropriate or unauthorized access thus has to be mindful, with attention paid to all people, processes, and technologies involved. ICS in medical facilities are used in patient-critical, clinician-critical, organization-critical, and facility-critical applications.

Medical environments have a tighter tolerance for performance than many industrial environments that use ICS. Whereas the equipment in the majority of industrial/commercial environments must be tolerant to variations in temperature, air quality, vibration (with the exception of precise manufacturing facilities like clean rooms for chip processors), the surgical, imaging, and diagnostic equipment in medical facilities are generally intolerant to such variations. Environmental conditions outside recommended parameters may compromise equipment reliability and even availability.

Consistent power is essential to support active medical devices (AMDs, which do not have their own internal power supply), surgical and other treatment/diagnostic equipment (e.g., equipment use for anesthesia, electrocautery, ultrasound, X-ray, MRI), EHR use, communications network infrastructure, and building environmental controls. All are critical to successful patient and clinician outcomes. Building environmental controls cover lighting, HVAC, security, and air handling. In a hospital environment, it is essential that air is exchanged regularly to reduce contamination and infection spread.³⁴ ASHRAE 170 (2008) and CDC guidelines (2005) recommend an air change per hour (ACH) rate of at least 12 ACH. By contrast, a home air conditioner typically runs at 0.5–2 ACH—and a clean room environment recommended ACH can vary between 10 and more than 600 ACH. The ISO outlines three environmental “states” for measuring ACH: as-built (finished but empty space), at-rest (when instruments and equipment are introduced), and operational.³⁵

As with ICS discussed in Chapter 5, WAPs in Commercial and Industrial Contexts, many medical devices require 24 × 7 availability. This can complicate upgrade and testing, especially because common medical industry practice is to outsource support for, and management of, devices to the manufacturers’ own external technicians. Hospital IT staff do not tend to be device specialists with the necessary training to configure devices. In addition to challenges with respect to the “always on” nature of these devices, hospital staff cannot risk modifying FDA-approved devices, even to implement security controls.³⁶

Although the FDA is not enforcing compliance with guidelines for medical device security, some researchers and analysts question the wisdom of that decision. One white hat team examined the compromise potential—and condition—of devices like X-ray equipment, blood gas analyzers (BGAs), and picture archive and communications systems (PACS) in an actual hospital setting. Used as unsecured WAPs inside the hospital’s trusted environment, the infected devices opened up backdoors to systems from which hackers could pivot and move laterally through hospital networks. The hospital name was anonymized in the study, but one of the attacks looked at is summarized below.

PACS Pivot Attack

Hacker Objective: Extrude PHI; deliver malicious payload (Zeus and Citadel) to achieve C&C over networked devices

Hacker Technique: Hospital insider surfed a malicious website from which redirection was to another malicious link; java exploit loaded into user’s browser; attacker remotely commanded a malware injection to open backdoor into network; lateral movement through network to PACS; pivot through unprotected PACS to other network assets; encrypted extrusion of PHI through TCP port 443 (used for secure socket layer or SSL)

Victim Impact: Extrusion of confidential records to a location in China; infection of a key nurse’s workstation compromise of the PACS, which is a critical resource for patient diagnosis, clinician use both on-site and in off-site offices, and organizational reporting and recordkeeping; persistent movement through the network and attempted connection to an external C&C point

In another hospital setting, this white hat group found Zeus and Citadel malware being used to capture network passwords through compromised BGAs, which enabled backdoors and lateral movement. Infection of an IT workstation was also enabled due to the infection of one of the hospital IT department’s workstations. An “upgraded,” masked version of the net.sah.worm.win32.kino.kf [sic]37 worm had also propagated itself, but was not identified by the hospital’s installed cyber defense tools.³⁸

The medical devices themselves create far broader exposure to the healthcare institutions than standard information technology assets. It is the ideal environment upon which to launch persistent attacks with the end goal of accessing high value data. This exposure is not easily remediated, even when the presence of malware is identified conclusively.³⁹

Hospitals are challenging environments with respect to infections, both biological and digital. To date, organizational security investments tend to be focused on maintaining EHR confidentiality: data breaches receive undesirable publicity and undermine organizational reputation in comparison to other competing medical organizations.

Failure to comply with HIPAA requirements about protecting patient records from inappropriate access results in punitive fines that destabilize financial capacity. Even when there is no data breach, as in some ransomware incidents, EHR availability is denied and staff productivity is reduced when manual workarounds are required. Patients also suffer inconvenience when they have to visit more remote facilities for required tests or procedures.

Takeaways

 Consider patient well-being when prioritizing security investments.

 Improved data governance, patient identification conventions, and protected record management (perhaps through encryption) can serve the security objective of confidentiality.

 Acknowledge the susceptibility of medical devices to compromise and implement mechanisms to ensure their integrity and availability. Differentiate between organization-critical applications whose failure can jeopardize the well-being of the entire organization; building-critical applications whose failure can jeopardize automated environmental, surveillance, water, power, and access mechanisms; and clinician- and patient-critical applications whose failure can jeopardize patient health and survival.

 Evaluate and compensate for the risks associated with the entry of access credentials in the presence of patients, guests, or other nonstaff members. The security of mobile systems and physician and nurse workstations may be especially at risk.

 Enforce written policies to prohibit use of certain insecure protocols and, where practical, include a whitelist of protocols that are permitted.

 Implement network segmentation by function and user. Monitoring devices should be segregated from operating control devices, and both should be segregated from general purpose computing devices. Public access should be segregated from hospital access.

 Use different (i.e., unique and not shared between staff members) WPA2 passwords to implement some minimal encryption of traffic on each network segment.

 Perform regular audits of security design and compliance, including configuration validation. Use external parties for audits as appropriate.40

 Become familiar with the National Healthcare and Public Health Information Sharing and Analysis Center (NH-ISAC) to receive and exchange information about recently discovered or even ongoing attacks.41

Conclusion

The volume of patient and sensor information transmitted, the plethora of interconnected wireless devices, and the limited internal staff resources for validating EHRs and managing devices increase the likelihood that a compromise at the WAP level will proceed undetected. Device manufacturers are not, however, compelled by the FDA to comply with the guidelines for enhancing device security that the FDA developed at the behest of the GAO. Information confidentiality still leads regulatory concerns about security objectives. Failing to prevent compromise of patient information assets will result in significant financial penalties. Meanwhile, lack of integrity in medical device signaling and function can cause serious harm to patients themselves. Likewise, medical device availability is essential for maintaining patient-critical, clinician-critical, facility-critical, and organization-critical infrastructure and processes. Legislated security objective priorities are not completely aligned with patient well-being.

Endnotes

---

¹Capnography is used to monitor CO₂ under conditions requiring anesthesia or intensive care. Definition from Wikipedia. Retrieved from https://en.wikipedia.org/wiki/Capnography.

²BCC Research (January 2014), “Wireless Electronic Health Records: Technologies and Global Markets,” BCC Research. Retrieved from http://www.bccresearch.com/market-research/healthcare/wireless-electronic-health-records-hlc147a.html.

³CDC (March 2016), “National and State Healthcare-Associated Infections Progress Report,” Center for Disease Control, p. 6. Retrieved from http://www.cdc.gov/hai/pdfs/progress-report/exec-summary-haipr.pdf.

⁴Some hospitals have sought to reduce the amount of disinfectant used by watering down products. Romania’s Hexi Pharma has done this for years. This practice is associated with thousands of deaths. Source: VICE Romania (10 May 2016), “The Government Cover-Up Behind Romania's Filthy Hospitals,” Vice Media LLC. Retrieved from http://www.vice.com/en_ca/read/romania-hospitals-infection-health-minister-resignation-876.

⁵Patchen Barss (3 March 2016), “#RSAC: Security of Networked Medical Devices must Accommodate Real-World Medical Practice,” InfoSecurity. Retrieved from http://www.infosecurity-magazine.com/news/rsac-security-medical-devices/.

⁶Bob Zemke and Ali Youssef (26 November 2013), “Commentary: Is Your Network Ready? New Challenges Ahead for Hospitals in Managing Wireless Medical Devices,” Modern Healthcare. Retrieved from http://www.modernhealthcare.com/article/20131126/NEWS/311269956.

⁷Institute for Critical Infrastructure Technology (January 2016), “ICIT Brief: Hacking Healthcare IT,” ICIT. p. 6. Retrieved from http://icitech.org/wp-content/uploads/2016/01/ICIT-Brief-Hacking-Healthcare-IT-in-20161.pdf.

⁸TrapX Labs (7 May 2015), “Anatomy of an Attack,” TrapX Security Inc. Retrieved from http://deceive.trapx.com/rs/929-JEW-675/images/AOA_Report_TrapX_AnatomyOfAttack-MEDJACK.pdf?aliId=1116933.

⁹Lucas Mearian (8 December 2015), “Virtual Care to Become the Norm,” Computerworld. Retrieved from http://www.computerworld.com/article/3013013/healthcare-it/cyberattacks-will-compromise-1-in-3-healthcare-records-next-year.html.

¹⁰Others include the Children’s Online Privacy Protection Act of 1998 (COPPA) and the Financial Services Modernization Act of 1999, known more familiarly as the Gramm-Leach-Bliley Act (GLBA). These laws were preceded by the Privacy Act of 1974, the Federal Educational Rights and Privacy Act of 1974 (FERPA), and the Electronic Communications Privacy Act of 1986 (ECPA).

¹¹Supreme Court Justice Louis Brandeis, Olmstead v. U.S., 277 U.S. 438 (1928). Retrieved from http://www.ala.org/Template.cfm?Section=ifissues&Template=/ContentManagement/ContentDisplay.cfm&ContentID=25304.

¹²Howard Anderson (23 February 2011), “HIPAA Privacy Fine: $4.3 Million,” InfoRisk Today. Retrieved from http://www.inforisktoday.com/hipaa-privacy-fine-43-million-a-3375.

¹³US Health and Human Services (16 July 2008), “Resolution Agreement: HHS, Providence Health & Services Agree on Corrective Action Plan to Protect Health Information,” HHS. Retrieved from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/providence-health/index.html.

¹⁴Hunton & Williams (20 February 2009), “CVS Pays $2.25 Million in Record HIPAA Settlement,” Privacy & Information Security Law Blog. Retrieved from https://www.huntonprivacyblog.com/2009/02/20/cvs-pays-2-25-million-in-record-hipaa-settlement/.

¹⁵Results from Privacy Rights Clearinghouse database query performed 23 May 2016. Retrieved from https://www.privacyrights.org/data-breach.

¹⁶Cynthia Burghard, Massimiliano Claps, Lynne Dunbrack, Nino Giguashvili, Judy Hanover, Sven Lohse, Alan S. Louie, Ph.D., Scott Lundstrom, Ashwin Moduga, Eric Newmark, Jeff Rivkin, Silvia Piai, Michael Townsend, Leon Xiao (November 2015), “IDC FutureScape: Worldwide Healthcare 2016 Predictions,” IDC. Retrieved from https://www.idc.com/research/viewtoc.jsp?containerId=259908.

¹⁷A watering hole attack is, in effect, a form of targeted marketing or a malicious honeypot. The attacker determines likely interests shared by the victim group being targeted, then hacks a website deemed attractive to that group and injects malicious software. Some successful watering hole attacks compromise legitimate websites, for example, the iOS developer forum used by mobile developers for Facebook, Apple, and Twitter. See Michael Mimoso (20 March 2013), “Why Watering Hole Attacks Work,” Kaspersky Lab Threatpost. Retrieved from https://threatpost.com/why-watering-hole-attacks-work-032013/77647/. The FBI has used a watering hole attack strategy in its campaign against child pornography. Athletic event websites are also used for watering hole attacks, as was the hookup website Ashley Madison.

¹⁸Dan Goodin (28 July 2015), “Group that Hacked Anthem Shared Weaponized 0-Days with Rival Attackers,” ArsTechnica. Retrieved from http://arstechnica.com/security/2015/07/group-that-hacked-anthem-shared-weaponized-0-days-with-rival-attackers/.

¹⁹Ponemon Institute (5 May 2014), “Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis,” Ponemon Institute Press Release. Retrieved from http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis.

²⁰Dan Munro (31 December 2015), “Data Breaches in Healthcare Totaled Over 112 Million Records in 2015,” Forbes. Retrieved from http://www.forbes.com/sites/danmunro/2015/12/31/data-breaches-in-healthcare-total-over-112-million-records-in-2015/#b724ece7fd5a.

²¹Michael Hiltzik (6 March 2015), “Anthem is Warning Consumers about its Huge Data Breach. Here’s a Translation,” Los Angeles Times. Retrieved from http://www.latimes.com/business/la-fi-mh-anthem-is-warning-consumers-20150306-column.html.

²²Mary A. Chaput (24 March 2015), “Calculating the Colossal Cost of a Data Breach,” CFO. Retrieved from http://ww2.cfo.com/data-security/2015/03/calculating-colossal-cost-data-breach/.

²³Steve Ragan (30 June 2015), “Memo Reveals 312 Different Hashes for the Sakula Malware,” CSO. Retrieved from http://www.csoonline.com/article/2942601/disaster-recovery/fbi-alert-discloses-malware-tied-to-the-opm-and-anthem-attacks.html.

²⁴AHiMA, “Integrity of the Healthcare Record: Best Practices for EHR Documentation (2013 Update),” American Health Information Management Association. Retrieved from http://library.ahima.org/doc?oid=300257#.V0d5C2OMBsM. This document includes multiple examples of bad practices.

²⁵Independent Security Evaluators (23 February 2016), “Securing Hospitals: A Research Study and Blueprint,” ISE. Retrieved from https://www.securityevaluators.com/hospitalhack/.

²⁶Independent Security Evaluators, op. cit.

²⁷Jerome Radcliffe (2011), “Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System,” Black Hat Paper Submission. Retrieved from https://media.blackhat.com/bh-us-11/Radcliffe/BH_US_11_Radcliffe_Hacking_Medical_Devices_WP.pdf.

²⁸Lisa Vaas (22 October 2013), “Doctors Disabled Wireless in Dick Cheney’s Pacemaker to Thwart Hacking,” Naked Security by Sopohos. Retrieved from https://nakedsecurity.sophos.com/2013/10/22/doctors-disabled-wireless-in-dick-cheneys-pacemaker-to-thwart-hacking/.

²⁹Michael Bassett (24 February 2015), “FDA Calls it Quits on Regulating Medical Device Data Systems,” Radiology Business. Retrieved from http://www.radiologybusiness.com/topics/policy/fda-will-no-longer-enforce-regs-medical-device-data-systems.

³⁰Brian Barrett (16 February 2016), “Hack Brief: Hackers Are Holding an LA Hospital’s Computers Hostage,” Wired. Retrieved from https://www.wired.com/2016/02/hack-brief-hackers-are-holding-an-la-hospitals-computers-hostage/.

³¹Federal Bureau of Investigation (29 April 2016), “Incidents of Ransomware on the Rise,” FBI Website. Retrieved from https://www.fbi.gov/news/stories/2016/april/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise.

³²Kacy Zurkus (6 April 2016), “Hospitals Hacks Put Patient Health at Risk,” CSO Online. Retrieved from http://www.csoonline.com/article/3051094/security/hospitals-hacks-put-patient-health-at-risk.html.

³³Zurkus, op. cit.

³⁴Farhad Memarzadeh and Weiran Xu (2012), “Role of Air Changes per Hour (ACH) in Possible Transmission of Airborne Infections,” BUILD SIMUL (2012) Vol. 5, pp. 15–28. DOI:10.1007/s12273-011-0053-4. Retrieved from http://orf.od.nih.gov/PoliciesAndGuidelines/Bioenvironmental/Documents/RoleofACHinTransmissionofAirborneInfections508.pdf.

³⁵Cleanroom Information: Terra Universal Website. Retrieved from https://www.terrauniversal.com/cleanrooms/iso-classification-cleanroom-standards.php.

³⁶TrapX, op. cit.

³⁷Based on my research, I believe the correct spelling is net.sah.worm.win32.kido.kf, a Conficker strain.

³⁸TrapX, op. cit., pp. 13–14.

³⁹TrapX, op. cit., p. 15.

⁴⁰Independent Security Evaluators, op. cit.

⁴¹Kelly Jackson Higgins (12 February 2015), “How Anthem Shared Key Markers of its Cyberattack,” Information Week Dark Reading. Retrieved from http://www.darkreading.com/analytics/threat-intelligence/how-anthem-shared-key-markers-of-its-cyberattack/d/d-id/1319083.