Remote Access System Hacking Is No. 1 Patient Safety Risk

Hackers attacking healthcare through remote access systems and disrupting operations is the number one patient safety risk, according to the ECRI Institute's annual Top 10 Health Technology Hazards for 2019. From a report: ECRI Institute said it published 50 cybersecurity-related alerts and problem reports in the last 18 months, a major increase over the prior period. "Remote access systems are a common target because they are, by nature, publicly accessible. Intended to meet legitimate business needs, such as allowing off-site clinicians to access clinical data or vendors to troubleshoot systems installed at the facility, remote access systems can be exploited for illegitimate purposes," the report warned.

The ECRI report [PDF] said that once hackers gain access through these systems, they can move around the network, install ransomware, steal or encrypt data, or hijack computer resources for cryptocurrency mining. "The consequences of an attack can be widespread and severe, making this a priority concern for all healthcare organizations," said ECRI Health Devices Program Executive Director David Jamison. "In critical situations, this could cause harm or death." The report recommended that healthcare organizations identify, protect, and monitor all remote access systems and points of entry, and adopt cybersecurity best practices, such as a strong password policy, maintaining and patching systems and software, and logging system access.

Really?

[bobstreo]

I always thought it was the antibiotic resistant bacteria, incompetent doctors, and greedy hospital boards and administrators.

Shouldn't all the access issues be covered under existing acts like HIPAA?

Two Factor Authentication should be the minimum requirement for remote access to anything in a hospital or within a patient...

Re:

[jellomizer]

I always thought it was the antibiotic resistant bacteria: Only a very small portion of the patient population is affected from this.
incompetent doctors: Normally these people just prolong pain and suffering vs. actually put safety at risk.
greedy hospital boards and administrators: They are too busy impressing each other then actually doing anything.

Shouldn't all the access issues be covered under existing acts like HIPAA? They are, but there is wiggle room, and most professionals especially ones under pres

Re:

[Kjella]

I always thought it was the antibiotic resistant bacteria, incompetent doctors, and greedy hospital boards and administrators.

It still is:

Top 10 Health Technology Hazards for 2019

Not that much left if you exclude people and processes...

BSOD in the Emergency Room

[Seven Spirals]

One time I took a friend to the ER and she wasn't injured and couldn't really represent herself. The nurse who was going to check us in couldn't get the job done because her tablet kept getting a BSOD. All IT systems can go down, but goddamn, wouldn't you think that having Windows in the ER would be beyond "asking for it" ? I'm not the biggest fan of AIX, but at least the other ER I took her to could check her in, they used an AIX based patient system. Unbelievable. I bet they have insecure-as-hell Android and iOS systems handling patient records, too. What's the advantage of that? Nurses can take selfies while the system is down (or being spied on by Russians and Chinese) ?

Re:

[antdude]

Don't they backups not to use tech? Did they forgot how to do those? Can't always rely on tech!

Re:

[Seven Spirals]

I know right? Well, that reminds me of the time when I was staffing at Def Con 5 (I think - been years ago) and we were using the Alexis Park Hotel. We warned the owner and staff about idiot script kiddies breaking and "hacking" everything in sight. They laughed and said "We ran this hotel for 20 years with nothing but pen and paper. It was a lot better in most ways. If they break anything, we'll just go right back to that method. It works just fine and it's not hackable." I have to say that I could have ki

Re:

[antdude]

Yeah. I wonder if they can do that these days.

Not listing to your IT Staff #1 Patient Risk

[jellomizer]

I get yelled at by Doctors all the time, because we force things like multi-factor authentication, auto locking system after 10 minutes, forced encryption on devices, when deploying new software having to do a full security review, often rejecting the coolest product for a boring old one, just because it meets security standards, setting up the network so you just can't plug in any device anywhere....

However no matter how much security we try to put in place, the Doctors who think they know better and think

Re:

[gweihir]

Many MDs do not get that they are pretty incompetent with regards to IT. Dunning-Kruger effect at work. Before some large hospitals have to shut down due to this arrogance and stupidity, nothing will change.

Re:

[jbmartin6]

So true, I once worked for a hospital with no 2F on the remote access system, and the head of the ER department used his last name as his password, and refused to change it.

Re:

[jellomizer]

Intelligence + Incompetence is very dangerous.

The thing about IT is an Intelligent person can perform any particular action of our job. Writing a program, configuring a network, changing security permissions...
However competency is knowing when to use a skill when not to, and planning for the consequences for such actions.

Professional Competent IT guy:
Can I be 100% sure the solution will work... No, I cannot. However I know the worst case scenario if this fails, and how to fix it. Also I had accounted for

Re:

[gweihir]

Pretty much this. Intelligent folks that overestimate their skills (usually from lack of experience, sometimes from overestimating their intelligence) can do enough damage to be dangerous. And MDs go though a selection that pretty much makes sure they are intelligent and they basically rule all things medical. They also think that without IT they could still keep a large hospital running. True for a few days and for emergency services only, think large catastrophe or the like. False for 90% of their busines

Re:Not listing to your IT Staff #1 Patient Risk

[demonlapin]

Hey, you, IT guy? I'm a doctor. Here's the other side of the same thing:

I didn't want the hospital IT system I got. They asked me (and all the other doctors) what we wanted, then ignored our responses. I went to administration to tell them that I wanted to be part of every committee that had something to do with the EMR purchase and deployment (however bad I may be, I can guarantee you I'm better than almost anyone else you'll get), and got ignored. So... nobody cares what the people who use the thing on a daily basis think? Not a good starting point.

Multi-factor ID: not really a major issue when, say, I'm at home and want to log in to do a bit of work; that's pretty straightforward. But here's the thing about the ten-minute lockout and twenty-second login process: I don't have a desk at work. I migrate from place to place, and I do it a lot. Twenty seconds per login is around thirty minutes of my day, on average. If you can't come up with a faster, better solution that allows me to do my work, the problem isn't with me - it's with your solution. And I'm somewhat unusual among doctors, because I only work at one hospital - many have to memorize information at three or four different hospitals, all with different criteria on what qualifies as an adequate password and different time frames for changing them.

Forced encryption on devices: nothing is stored on my device, so it doesn't need encryption except for during transmission of information. I've seen this play out in very negative ways, because "forced encryption" is generally a synonym for "managed by IT" - which means that the power-mad person in charge of IT is watching what I do with my iPad when I'm at home. My tastes are pretty vanilla, but if you want to monitor everything I do with my devices and read all my email, then (at a bare minimum) you can pay for dedicated devices, ISP, and home office to put them in, and you can give me a work email address for hospital business - I'm not an employee of the hospital, so I don't have one currently.

I don't hate IT people. You do a difficult and largely thankless job. But from the user's perspective, we have a lot of "tr0ub4dor&3" vs "correct horse battery staple" problems. My current work password is really simple - about as simple as one can be if you have to have a capital letter, a lowercase letter, and numbers, with a minimum length of eight characters, changed every three months, with no recycling of the past nine passwords. I've got a good password for my important personal things. It is not going to show up in a dictionary attack, I won't forget it, and even if you know me really well, it's not an easy guess - but I don't have ten passwords like that.

Keep critical systems offline

[dddux]

I can't understand why all parts of the network should be accessible remotely? At least they should keep the critical systems offline, and just part of a separate, internal network. So the solution is simple, but why are these people not able to see it?

Re:

[jellomizer]

What system shouldn't be used at all remotely and not communicate with systems that shouldn't be used remotely.

If a doctor is doing some work remote, he will need access to the EHR, which needs access to archive, and lab systems, then data will be sent to the billing system, accessible by the billing staff who is often working remote as well.

Re:

[demonlapin]

Well, here's the thing: a lot of "hackable" stuff consists of things like pacemakers, that really have almost no security in place at all - they just rely on the fact that they have failsafe modes (and they do), and on the fact that very few people have a pacemaker interrogator handy.

Aside from that, medical records have to be remotely accessible if there is to be any point in having an EMR - paper charts had their downsides, but physical security against outside attacks was pretty good, and you certainly

Insulin pumps scare the hell out of me

[greenwow]

A coworker's daughter has one, and the software has locked up several times requiring her to remove the battery to get it working again. It's also required several software updates. If it failed and provided too much insulin, it could easily kill her.