Report: Exposed Medical Devices, Supply Chain Attacks Pose Major Cyber Risks | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Report: Exposed Medical Devices, Supply Chain Attacks Pose Major Cyber Risks

April 5, 2018
by Heather Landi
| Reprints
Click To View Gallery

This coming May marks the anniversary of the WannaCry attack, yet, a year later, researchers found that the scare of ransomware may not have resulted in more secure healthcare environments, rather the attack surface has only expanded. 

In a new report, “Securing Connected Hospitals,” researchers with Trend Micro, a global cloud security solutions company with U.S. headquarters in Los Angeles, took a deep dive into the threats and areas of exposure within healthcare networks. The report, which provides research on exposed medical systems and supply chain risks, was released in collaboration with HITRUST.

“As hospitals and other healthcare facilities adopt new technology, add new devices, and embrace new partnerships, patients get better and more efficient services — but the digital attack surface expands as well. The more connected they get, the more attractive they become as lucrative targets to threat actors,” researchers wrote in a recent report.

Although the research report is extensive, the report highlights two aspects of healthcare networks that researchers feel IT teams need to consider as part of their overall security strategy—exposed medical devices and the supply chain.

Using Shodan, a search engine for internet-connected devices, the researchers looked for healthcare-related cyber assets and found that a large number of hospital systems are exposed on the internet. The researchers discovered exposed medical systems, healthcare software interfaces and even misconfigured hospital networks, that should not be viewable publicly. While a device or system being exposed does not necessarily mean that it is vulnerable, exposed devices can potentially be leveraged by cybercriminals and other threat actors to penetrate into organizations, steal data, run botnet and install ransomware.

Specifically, researchers found that several Digital Imaging and Communications in Medicine (DICOM) servers were exposed, including those owned by 21 universities. “These DICOM servers should not be exposed online. Exposed medical systems potentially jeopardize critical data such as patients’ personally identifiable information (PII) and medical records,” the researchers wrote in the report.

“Altogether we found a surprisingly high number of exposed servers that process and store medical images such as computed tomography (CT) and magnetic resonance imaging (MRI) scans and X-rays through Shodan. Along with medical systems were exposed ports, databases, and we even identified misconfigured hospital networks,” the researchers wrote in the report.

Researchers also found a handful of exposed electronic health record (EHR) system interfaces. “Perpetrators can, with additional effort, disrupt hospital, clinic, and pharmacy operations by corrupting sensitive data, issuing incorrect device commands, infecting systems with ransomware, and so on,” the report states.

Additionally, using threat risk assessment models, the researchers found determined DDoS attacks to be the most serious overall threat to healthcare organizations.

Aside from the risks brought on by unsecured medical devices and systems online, healthcare IT teams should also develop a plan of action for another oft-neglected mechanism of hospital operations— the supply chain, the report notes. Weaknesses in the supply chain have led to high-profile breaches in other industries such as retail.

Supply chain threats are potential risks associated with the suppliers of goods and services to healthcare organizations where a perpetrator can exfiltrate confidential or sensitive information, introduce an unwanted function or design, disrupt daily operations, manipulate data, install malicious software, introduce counterfeit devices, and affect business continuity.

“Given the fluid and unique nature of the partnerships hospitals form with each and every third-party vendor or contractor, healthcare IT teams must closely study their networks for supply chain weaknesses, which could lead to a cyberattack,” the report states.

The researchers specifically identified a number of vectors that pose potential risks:

Device firmware attacks—Threat actors can access and modify a medical device’s firmware source code to add malicious functionality or install a backdoor.

mHealth mobile app compromise—mHealth mobile apps can be compromised to change functionality, deliver fatal-level dosages, expose personal health data, penetrate other hospital systems, and cause HIPAA violations.

Source code compromise during manufacturing—Perpetrators can access and modify software source code via backdoor installation or device rooting.

Insider threats from hospital and vendor staff—Fueled by a desire for revenge or sometimes through sheer negligence, staff may abuse access privileges, leading to a breach.

Website, EHR, and internal portal compromise—Perpetrators can attempt to compromise hospital websites, EHR software, and internal portals used by hospital staff and vendors.

Spear phishing from trusted email accounts—Threat actors can gain control of vendor credentials and send clients

While healthcare IT teams have competing priorities, the report recommends a number of technical solutions as a baseline: Network segmentation; firewalls; next-generation firewalls/Unified Threat Management (UTM) gateways; anti-malware solutions; anti-phishing solutions; breach detection systems (BDS); Intrusion Prevention/Detection Systems (IPSs/IDSs); encryption technologies; patch management (physical or virtual); vulnerability scanners; deception technologies; and Shodan scanning.

The human aspect is also a crucial element of the overall security strategy. IT teams must conduct regular social engineering drills and provide training for all employees and relevant third-party partners, the report states. What’s more, an incident response protocol and team, consisting of people from different hospital departments, should be established.

The researchers also offer a number of supply-chain-specific recommendations. Healthcare IT teams should perform vulnerability assessments of new medical devices. Bring your own device (BYOD) programs should include authentication using Network Access Control (NAC) before allowing network access.

Healthcare organizations should purchase medical devices from manufacturers who go through rigorous security assessments of products during design and manufacture. And, healthcare IT teams should develop a plan for patching and updating code or firmware for devices implanted in patients and hospital medical equipment. Healthcare IT leaders should perform risk assessments of all suppliers and vendors in the supply chain, and should identify third-party vendor software and perform security and vulnerability testing to ensure they are safe from hackers. Penetration testing of the hospital network by professional pen-testing companies is highly recommended.



Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Advocate Aurora Health, Foxconn Plan Employee Wellness, “Smart City,” and Precision Medicine Collaboration

Wisconsin-based Advocate Aurora Health is partnering with Foxconn Health Technology Business Group, a Taiwanese company, to develop new technology-driven healthcare services and tools.

Healthcare Data Breach Costs Remain Highest at $408 Per Record

The cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year, as the healthcare industry also continues to incur the highest cost for data breaches compared to any other industry, according to a new study from IBM Security and the Ponemon Institute.

Morris Leaves ONC to Lead VA Office of Electronic Health Record Modernization

Genevieve Morris, who has been detailed to the U.S. Department of Veterans Affairs (VA) from her position as the principal deputy national coordinator for the Department of Health and Human Services, will move over full time to lead the newly establishment VA Office of Electronic Health Record Modernization.

Cedars-Sinai Accelerator Program Presents Fourth Class of Startups

The Cedars-Sinai Accelerator, a program that helps entrepreneurs bring their innovative technology products to market, has brought in nine more health tech startups as part of its fourth class.

DirectTrust Adds Five Board Members

DirectTrust, a nonprofit organization that support health information exchange, announced the appointment of five new executives to its board of directors.

Analysis: Many States Continue to Have Restrictive Telemedicine Policies

State Medicaid programs are evolving to accelerate the adoption of telemedicine models, this evolution is occurring more quickly in some states than others, according to a recent analysis by Manatt Health.