Why The Healthcare Industry Is Last In Cyber Hygiene

Information Week published an article this month featuring a study by BitSight ranking Healthcare last among various industries in security performance. This reminded me of a recent personal experience…

A month ago I underwent a small procedure called a carotid artery ultrasound. This is a non-invasive test that checks the carotid arteries, which carry blood to the brain, for plaque build-up that can lead to a stroke. Since I stay relatively fit, the test results were as expected. However, anyone with a family history of heart disease or high cholesterol could be at risk, so consult your doctor and get tested if you think you might be.

Having spent a significant amount of my personal and professional time around healthcare, I tend to analyze the equipment, data-handling procedures and processes around me. The patchwork of medical equipment in use throughout the industry never ceases to amaze me. On this particular day I was personally exposed to what appeared to be a “Hackintosh” hooked up to a cash-register base with probes coming out of it.
The device was actually a Siemens Acuson P50, a portable ultrasound system built for the medical market in 2007 around an Apple MacBook Pro. Attached to the MacBook is a sled that houses the specialized ultrasound controls and some additional processing hardware; the sled is painted aluminum silver to match.

The device runs a software package that helps the ultrasound technician capture specific images and audio and tag the findings with the pertinent information, so the doctors know which vessel or chamber of the heart a reading belongs to. The technician also enters my personal information and other observations from the test into the same system.

Some detail on the device from a 2009 review:

“the Windows XP desktop, allows installation of 3rd Party Windows applications, has integrated WiFi, has simple networking, has the user-friendly slide-out console, and retains all the same user-friendly functions that make it popular.”

As you already know, Windows XP has been “end-of-lifed” by Microsoft: support ended in April 2014, so the operating system on this device no longer receives security updates.

Embedded systems like these are everywhere in the healthcare industry, and they are treated differently from ordinary desktop PCs. They are updated on a completely different schedule and will rarely see critical security updates until the vendor ships a major revision. Even worse, many embedded systems are not visible to the naked eye: Windows XP lives behind the scenes in radiology systems, X-ray machines and other lab equipment, where the operating system is hidden behind a panel or a purpose-built display and nobody thinks of the machine as a computer.

How your organization handles this class of devices is critical to the safety of your patients’ data. The easiest way to begin is with a full and comprehensive assessment of your organization’s risk, starting with an inventory: you cannot isolate or monitor a device you do not know you have. Next, embedded systems must be isolated on their own network segment, with traffic restricted to the servers they actually need (for example the system that stores the captured images), so that a bug in software that will never be patched cannot be reached from the rest of the network. Finally, adopt continuous monitoring of those segments so that unexpected connections in or out of them are detected and investigated. If you do not have a security provider who offers these services, Dunbar can help.
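The three steps above (inventory and assess, isolate, monitor) can be made concrete with a small amount of code. The following is an added example written for this article, not code from Dunbar or from the original post. It assumes an isolated device VLAN of 10.50.1.0/24, an image-archive server at 10.10.5.20 that the devices are allowed to reach, and flow records in a simple key=value form; the device names, addresses and flow lines are all constructed for the example.

```python
import ipaddress
import re

# Constructed asset inventory: (hostname, IP address, operating system).
# Hostnames and addresses are invented for this example.
INVENTORY = [
    ("us-portable-01", "10.50.1.10", "Windows XP Embedded"),
    ("xray-room-3", "10.50.1.11", "Windows XP"),
    ("pacs-server", "10.10.5.20", "Windows Server 2016"),
    ("reception-pc", "10.20.3.5", "Windows 10"),
    ("lab-analyzer-2", "10.20.3.40", "Windows XP"),  # EOL box left on the office LAN
]

# Products that no longer receive security updates from the vendor.
END_OF_LIFE_PREFIXES = ("windows xp", "windows 2000")

# Assumed network layout: medical devices live in one isolated VLAN and may
# only talk to the image-archive server (assumed address).
DEVICE_SEGMENT = ipaddress.ip_network("10.50.1.0/24")
ALLOWED_PEERS = {"10.10.5.20"}

# Constructed flow records, as a firewall or NetFlow exporter might emit them.
# Port 104 is the standard DICOM port used for image transfer.
FLOW_LOG = """\
2014-05-12T10:01:02 src=10.50.1.10 dst=10.10.5.20 dport=104 proto=tcp
2014-05-12T10:01:09 src=10.50.1.10 dst=10.10.5.20 dport=104 proto=tcp
2014-05-12T10:02:41 src=10.50.1.11 dst=10.10.5.20 dport=104 proto=tcp
2014-05-12T10:03:15 src=10.50.1.11 dst=198.51.100.7 dport=443 proto=tcp
2014-05-12T10:03:16 src=10.50.1.11 dst=10.20.3.5 dport=445 proto=tcp
2014-05-12T10:04:00 src=10.20.3.5 dst=10.50.1.10 dport=3389 proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def eol_devices(inventory):
    """Hostnames whose OS string names an end-of-life product."""
    return [
        host
        for host, _ip, os_name in inventory
        if os_name.lower().startswith(END_OF_LIFE_PREFIXES)
    ]


def unsegmented_eol_devices(inventory, segment=DEVICE_SEGMENT):
    """EOL devices whose address is outside the isolated device segment:
    these are reachable from the general network and need to be moved."""
    eol = set(eol_devices(inventory))
    return [
        host
        for host, ip, _os in inventory
        if host in eol and ipaddress.ip_address(ip) not in segment
    ]


def parse_flows(text):
    """Parse key=value flow lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            flows.append(rec)
    return flows


def suspicious_flows(flows, segment=DEVICE_SEGMENT, allowed=ALLOWED_PEERS):
    """Flows that cross the segment boundary to or from a host not on the
    allow-list. Inbound connections are flagged too: nothing outside the
    segment should be initiating sessions to an unpatched XP device."""
    alerts = []
    for f in flows:
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if src in segment and dst not in segment and f["dst"] not in allowed:
            alerts.append(("egress", f))
        elif dst in segment and src not in segment and f["src"] not in allowed:
            alerts.append(("ingress", f))
    return alerts


if __name__ == "__main__":
    print("End-of-life devices:", eol_devices(INVENTORY))
    print("EOL devices outside the isolated segment:", unsegmented_eol_devices(INVENTORY))
    for kind, f in suspicious_flows(parse_flows(FLOW_LOG)):
        print(f"ALERT {kind}: {f['ts']} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
```

Run against the constructed data, the inventory check reports three XP systems, one of which (lab-analyzer-2) sits on the office LAN rather than in the device VLAN, and the flow check raises three alerts: an XP device reaching an Internet address, the same device opening SMB to a reception PC, and a reception PC opening RDP to an ultrasound unit. Each of those is the kind of event the isolation step should make impossible and the monitoring step should surface if it happens anyway.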

Request a Free Consultation