Misconfigured MRIs, CT scanners and X-ray machines represent a threat to patient privacy.
Healthcare continues to be one of the most vulnerable industries when it comes to cyberattacks, according to a new report. But one particular part of the health business is causing especial concern.
According to CyberCX, a leading provider of cybersecurity and cloud services, healthcare remains the third most susceptible industry, behind utilities and logistics/transport. Just under 13% of all findings in health were rated severe – meaning that, had threat actors found these vulnerabilities before CyberCX did, the consequences for the organisation could have been severe.
That’s well above the rate across all industries of 9.52%.
“The common factor across these [most vulnerable] sectors with higher severe finding rates is that they all rely heavily on less security-mature technology platforms, often including operational technology,” said the authors of CyberCX’s Hack Report.
“These platforms are expensive, difficult to secure, and pose significant challenges for technology transformation strategies.
“As a result, these industries have networks and systems that are less modern, often with large on-site footprints.”
A case in point is the security of medical imaging devices such as MRI machines, CT scanners and X-ray systems, which are reliant on picture archiving and communication systems (PACS) and digital imaging and communications in medicine (DICOM) technologies.
According to Just Protect, a health cybersecurity specialist, imaging devices’ connectivity to the internet and to healthcare networks makes them vulnerable, particularly when they are misconfigured.
“Although there is a trend towards adopting cloud-based PACS services, many Australian healthcare facilities continue to rely on on-premises PACS servers,” said Just Protect’s latest white paper, DICOM Down Under: the cybersecurity risks of exposed medical imaging technology in Australia.
Using publicly available data and telemetry, Just Protect conducted an analysis of publicly accessible medical imaging devices and technologies.
“Numerous identified servers exhibited various security misconfigurations, including exposed or improperly configured external services, vulnerable infrastructure, and inadequately secured DICOM services,” said the authors.
“Vulnerable and poorly secured PACS servers and DICOM services present substantial cybersecurity risks for healthcare organisations, potentially leading to unauthorised access to patient data, malware deployment, and possible disruptions to patient care.
“However, this risk is multiplied when DICOM services are exposed to the internet without any mitigative security controls, thus facilitating unvetted access.
“Such a scenario can lead to possible data breaches, whereby personal health information may be accessed, stolen, or manipulated by malicious actors.
“The lack of secure DICOM protocols exacerbates these risks, making it theoretically easier for cybercriminals to intercept and possibly exploit medical images and related data during transmission.
“There have also been cases of information-stealing malware disguised as medical imaging software.”
Just Protect has developed 10 recommendations for healthcare organisations running medical imaging technologies:
- Review your organisation’s external attack surface: includes regular vulnerability scans, removing internet-exposed remote access and administrative services, securing remote access using VPN with mandatory MFA, restricting access to PACS servers by leveraging firewalls and VPNs, removing databases and associated services from the internet;
- Network controls: includes network zoning and network segmentation with firewalls, TLS encryption with bidirectional authentication, continuous network monitoring with deployed intrusion detection systems, hypothesis-driven threat hunting;
- Authentication: change default system credentials, enforce MFA for healthcare providers accessing imaging devices and technologies;
- Conduct third-party risk assessments: incorporate cybersecurity considerations into the decision-making process when purchasing new devices such as imaging technologies, confirm that the vendor will provide security updates for the intended life of the device;
- Unsupported or outdated technologies: upgrade or replace unsupported and outdated imaging software with maintained, security-compliant alternatives, ensure the risk management plan encompasses these devices, the associated risks and any mitigative controls, engage in a regular patching program;
- Develop an incident response plan: specifically address breaches of medical imaging systems and technologies, including formal communication procedures for incidents, regularly test the plan via drills and exercises;
- Perform regular security audits and penetration tests: conducted by organisations that have experience in healthcare environments;
- Explore the future adoption of secure DICOM: where applicable (and in an ideal scenario) develop a roadmap towards its future adoption, liaise with current and future vendors to determine compatibility with secure DICOM;
- Evaluate cloud-based PACS solutions;
- Adopt a multi-layered approach: avoid relying on any single point of failure and implement defence-in-depth through a multi-layered approach to cybersecurity that encompasses industry best practices.
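As an added illustration (not code from either report), the following Python audit applies the recommendations above to a constructed PACS/DICOM asset inventory: it flags internet-exposed DICOM, database and administrative services, missing TLS with mutual authentication, default credentials, remote access without MFA and software past vendor support, then computes the share of findings rated severe, the metric CyberCX reports per industry. The inventory fields, severity labels and sample rows are assumptions.

```python
"""Audit a PACS/DICOM asset inventory against the Just Protect recommendations.
Added example: field names, severity labels and sample rows are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass
class ImagingAsset:
    name: str
    service: str                 # assumed values: "dicom", "pacs-web", "pacs-db", "admin"
    internet_exposed: bool       # reachable from outside the organisation's network
    tls_mutual_auth: bool        # secure DICOM: TLS with bidirectional authentication
    default_credentials: bool    # vendor-default logins still in place
    remote_access_mfa: bool      # MFA enforced on the remote-access path
    vendor_support_until: date   # end of the vendor's security-update commitment


def audit(asset: ImagingAsset, today: date = date(2024, 1, 1)) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for one asset, one rule per recommendation."""
    findings = []
    if asset.internet_exposed and asset.service in ("dicom", "pacs-db", "admin"):
        findings.append(("severe", f"{asset.service} service exposed to the internet"))
    if asset.internet_exposed and not asset.tls_mutual_auth:
        findings.append(("severe", "exposed without TLS / mutual authentication"))
    elif not asset.tls_mutual_auth:
        findings.append(("high", "DICOM traffic not protected by TLS with mutual auth"))
    if asset.default_credentials:
        findings.append(("high", "default system credentials in use"))
    if asset.internet_exposed and not asset.remote_access_mfa:
        findings.append(("high", "remote access without mandatory MFA"))
    if asset.vendor_support_until < today:
        findings.append(("medium", f"vendor security updates ended {asset.vendor_support_until}"))
    return findings


def severe_rate(assets: list[ImagingAsset]) -> float:
    """Percentage of all findings rated severe across the inventory (0.0 if none)."""
    severities = [sev for asset in assets for sev, _ in audit(asset)]
    if not severities:
        return 0.0
    return round(100 * sum(sev == "severe" for sev in severities) / len(severities), 2)


# Constructed sample inventory: one misconfigured on-premises PACS and one well-configured one.
SAMPLE = [
    ImagingAsset("mri-1-pacs", "dicom", True, False, True, False, date(2022, 6, 30)),
    ImagingAsset("ct-2-pacs", "dicom", False, True, False, True, date(2027, 1, 1)),
]

if __name__ == "__main__":
    for asset in SAMPLE:
        for severity, message in audit(asset):
            print(f"{asset.name}: [{severity}] {message}")
    print(f"severe finding rate: {severe_rate(SAMPLE)}%")
```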
“Australian healthcare organisations continue to be targeted and impacted by a range of cyber threat actors,” said Just Protect.
“The prevalence of often insecure or misconfigured imaging technologies, such as exposed PACS servers and DICOM services, can increase the attack surface of these organisations, potentially exposing them to a range of cyber-attacks.
“Considering these persistent attacks, Australian healthcare organisations of all sizes must take deliberate steps to enhance their cybersecurity.
“Rather than relying on a single point of failure, they should adopt a multi-layered approach that incorporates numerous complementary security controls.
“Cybersecurity is now undeniably critical to delivering patient care and protecting patient privacy. Consequently, the time to enhance your defences is now.”
Read the full CyberCX report here.
Read the full Just Protect report here.