Abstract
Healthcare Delivery Organizations (HDOs) are complex institutions where a broad range of devices are interconnected. This interconnectivity brings security concerns, and we are observing an increase in the number and sophistication of cyberattacks on hospitals. In this paper, we explore the current status of network security in HDOs and identify security gaps via a literature study and two observational studies. We first use the literature study to derive a typical network architecture and the threats relevant to HDOs. Then, in the first observational study, we analyze data from 67 HDOs to highlight the challenges they face with regard to device security and management. The second study leverages the network traffic from 5 HDOs to point out a number of concrete observations which depict how patient data can be exposed and how cyber-physical attacks could impact patient health. Finally, we offer a starting point for securing HDOs' networks.
S. Etalle—This work was supported by ECSEL joint undertaking SECREDAS (783119-2), EU-H2020-SAFECARE (no. 787002) and SunRISE (PENT181005).
Copyright information
© 2020 IFIP International Federation for Information Processing
About this paper
Cite this paper
Dupont, G., dos Santos, D.R., Costante, E., den Hartog, J., Etalle, S. (2020). A Matter of Life and Death: Analyzing the Security of Healthcare Networks. In: Hölbl, M., Rannenberg, K., Welzer, T. (eds) ICT Systems Security and Privacy Protection. SEC 2020. IFIP Advances in Information and Communication Technology, vol 580. Springer, Cham. https://doi.org/10.1007/978-3-030-58201-2_24
DOI: https://doi.org/10.1007/978-3-030-58201-2_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58200-5
Online ISBN: 978-3-030-58201-2
eBook Packages: Computer Science, Computer Science (R0)