Download PDF version Contact company
Attackers took over a patient monitor and altered the vital signs being displayed, which could alter the treatment program for a patient

ISE’s research shows that healthcare facilities & hospitals security programmes
to ward off determined attackers going after specific targets

A well-known security axiom posits that an effective security programme can discourage would-be attackers, causing them to move on in search of softer targets. But it doesn’t always work that way.

Take healthcare facilities such as hospitals, for example. Prospective attackers with no particular target in mind may see a well-protected hospital facility and move on in search of another target, just as you would expect.

On the other hand, some healthcare attackers have specific targets in mind, and they will try to get at those targets using all of their digital cunning.

According to Geoff Gentry, Director of Healthcare with Independent Security Evaluators (ISE), a security-consulting firm, healthcare facilities and hospitals in particular lack security programmes that can ward off determined attackers going after specific targets.

Stealing or altering medical records

“An adversary targeting a specific facility will spend the time and resources necessary to ensuring a successful attack,” Gentry says. “Imagine, as a hypothetical example, a celebrity undergoing treatment in a hospital. Attackers might want to acquire and release the celebrity’s medical records — in order to embarrass him or her.

“They would break into the hospital information technology network and search for specific files. It is more difficult to discourage attackers with specific targets like this.”

Could attackers go after the celebrity patient as well, by corrupting the medical equipment and systems being used in a treatment programme? “To our knowledge, no real-world attacks have been reported targeting patient health,” says “Securing Hospitals,” a two-year, research study conducted and financed solely by ISE.

However, the ISE study goes on to say: “Research has shown that medical devices are susceptible to compromise, such as pacemakers, and insulin pumps. Similar attacks have even been demonstrated on simulated patients in a laboratory setting. Though attacks against these systems have only been performed in a research setting, they demonstrate a grave problem. When these or similar attacks are finally exploited in the wild, lives will be lost. In 2015, attacks were documented using medical devices as the pivot onto the hospital’s production network.”

 

Physical access control and video surveillance cameras can support the electronic security systems by ensuring that only authorised people can enter the hospital
Attackers may aim to steal and expose a target’s medical records, or
even alter them to interfere with their treatment

The vulnerability of specific targets

“Securing Hospitals” also reports successful demonstration attacks by researchers in field settings that might have killed or at least harmed patients had malicious hackers been behind them.

In one case, for instance, attackers took over a patient monitor and altered the vital signs being displayed, which could alter the treatment program for a patient.

In another scenario, attackers manipulated the flow of medicine and blood samples, causing the delivery of the wrong medicines and dosages.

The booklet reports several other scenarios and notes that: “The examples listed above represent a small fraction of the attack scenario possibilities that could result in the injury or death of a hospital patient.”

What can a hospital do?

Pointing to the results of the ISE study, Gentry recommends re-doing hospital security from scratch — starting by resetting priorities. “What is the worst thing that can happen in a breach?” he asks. “Patients can die. Patients are the real assets that need protecting.”

“Hospitals are inclined to focus on health records first, but the priorities should be patients first and then records. If you think first about securing the safety of patients, I think you will develop a better overall security program.”

When patient security comes first, continues Gentry, administrators tend to work on securing online medical devices, equipment and systems from digital attackers.

In addition, physical access control and video surveillance cameras can support the electronic security systems by ensuring that only authorised people can enter the hospital.

Once electronic and physical access can be controlled and managed, hospitals will be much more securely protected than they are today.

Download PDF version Download PDF version

Author profile

Michael Fickes End User Correspondent, SecurityInformed.com

In case you missed it

How should the security industry promote diversity?
How should the security industry promote diversity?

Diversity in a company’s workforce is arguably more important now than ever. Societal awareness of the importance of diversity has grown, and many people see diversity as an important factor that reflects positively (or negatively) on a company’s culture and image in the marketplace. We asked this week’s Expert Panel Roundtable: What should the security industry do to promote workplace diversity?

Why face recognition as a credential is the ideal choice for access control?
Why face recognition as a credential is the ideal choice for access control?

In the field of access control, face recognition has come a long way. Once considered too slow to authenticate people's identities and credentials in high traffic conditions, face recognition technology has evolved to become one of the quickest, most effective access control identity authentication solutions across all industries. Advancements in artificial intelligence and advanced neural network (ANN) technology from industry leaders like Intel have improved the accuracy and efficiency of face recognition. However, another reason the technology is gaining traction is due to the swiftly rising demand for touchless access control solutions that can help mitigate the spread of disease in public spaces. Effective for high volumes Face recognition eliminates security risks and is also virtually impossible to counterfeit Modern face recognition technology meets all the criteria for becoming the go-to solution for frictionless access control. It provides an accurate, non-invasive means of authenticating people's identities in high-traffic areas, including multi-tenant office buildings, industrial sites, and factories where multiple shifts per day are common. Typical electronic access control systems rely on people providing physical credentials, such as proximity cards, key fobs, or Bluetooth-enabled mobile phones, all of which can be misplaced, lost, or stolen. Face recognition eliminates these security risks and is also virtually impossible to counterfeit. Affordable biometric option Although there are other biometric tools available, face recognition offers significant advantages. Some technologies use hand geometry or iris scans, for example, but these options are generally slower and more expensive. This makes face recognition a natural application for day-to-day access control activities, including chronicling time and attendance for large workforces at construction sites, warehouses, and agricultural and mining operations. In addition to verifying personal credentials, face recognition can also identify whether an individual is wearing a facial covering in compliance with government or corporate mandates regarding health safety protocols. Beyond securing physical locations, face recognition can also be used to manage access to computers, as well as specialised equipment and devices. Overcoming challenges with AI So how did face recognition become so reliable when the technology was once dogged by many challenges, including difficulties with camera angles, certain types of facial expressions, and diverse lighting conditions? Thanks to the emergence of so-called "convolutional" neural network-based algorithms, engineers have been able to overcome these roadblocks. SecurOS FaceX face recognition solution FaceX is powered by neural networks and machine learning which makes it capable of authenticating a wide range of faces One joint effort between New Jersey-based Intelligent Security Systems (ISS) and tech giant Intel has created the SecurOS FaceX face recognition solution. FaceX is powered by neural networks and machine learning which makes it capable of authenticating a wide range of faces and facial expressions, including those captured under changing light, at different resolution levels, and varying distances from the video camera. Secure video management system A common face recognition system deployment begins with IP video cameras that feed footage into a secure video management system connected to a video archive. When the software initially enrolls a person’s face, it creates a "digital descriptor" that is stored as a numeric code that will forever be associated with one identity. The system encrypts and stores these numeric codes in a SQL database. For the sake of convenience and cost savings, the video server CPU performs all neural network processes without requiring any special GPU cards. Unique digital identifiers The next step involves correlating faces captured in a video recording with their unique digital descriptors on file. The system can compare newly captured images against large databases of known individuals or faces captured from video streams. Face recognition technology can provide multi-factor authentication, searching watchlists for specific types of features, such as age, hair colour, gender, ethnicity, facial hair, glasses, headwear, and other identifying characteristics including bald spots. Robust encryption SED-compatible drives rely on dedicated chips that encrypt data with AES-128 or AES-256 To support privacy concerns, the entire system features an encrypted and secure login process that prevents unauthorized access to both the database and the archive. An additional layer of encryption is available through the use of Self-Encrypting Drives (SEDs) that hold video recordings and metadata. SED-compatible drives rely on dedicated chips that encrypt data with AES-128 or AES-256 (short for Advanced Encryption Standard). Anti-spoofing safeguards How do face recognition systems handle people who try to trick the system by wearing a costume mask or holding up a picture to hide their faces? FaceX from ISS, for example, includes anti-spoofing capabilities that essentially check for the "liveliness" of a given face. The algorithm can easily flag the flat, two-dimensional nature of a face mask, printed photo, or image on a mobile phone and issue a "spoof" alarm. Increased speed of entry Incorporating facial recognition into existing access control systems is straightforward and cost-effective Incorporating facial recognition into existing access control systems is straightforward and cost-effective. Systems can operate with off-the-shelf security cameras and computers. Users can also leverage existing infrastructure to maintain building aesthetics. A face recognition system can complete the process of detection and recognition in an instant, opening a door or turnstile in less than 500ms. Such efficiency can eliminate hours associated with security personnel checking and managing credentials manually. A vital tool Modern face recognition solutions are infinitely scalable to accommodate global enterprises. As a result, face recognition as a credential is increasingly being implemented for a wide range of applications that transcend traditional access control and physical security to include health safety and workforce management. All these capabilities make face recognition a natural, frictionless solution for managing access control, both in terms of performance and cost.

What are the challenges and benefits of mobile access control?
What are the challenges and benefits of mobile access control?

There is a broad appeal to the idea of using a smartphone or wearable device as a credential for physical access control systems. Smartphones already perform a range of tasks that extend beyond making a phone call. Shouldn’t opening the door at a workplace be among them? It’s a simple idea, but there are obstacles for the industry to get there from here. We asked this week’s Expert Panel Roundtable: What are the challenges and benefits of mobile access control solutions?