Are you using an implantable or network-connected medical device such as a pacemaker, defibrillator, or infusion pump? These devices are not as secure as you might expect. October is Cybersecurity Awareness Month, and this week’s theme is “Securing Internet connected devices in health care.” Parts of this article appeared previously in posts from January 16, 2016 and April 11, 2016. We have come a long way in the realm of medical device security, but there is still a long way to go.
Can these devices be hacked? Quick answer: Yes, they can! A 2016 article in Bloomberg goes deeply into this subject and recounts the experiences of a white hat hacker named Billy Rios. Billy and many others in the profession had been hired by the Mayo Clinic in Rochester, Minnesota in 2013 to try to hack all the medical devices in the hospital that were connected to the network. These days, that is just about everything, from infusion pumps, to heart monitors, to MRI and ultrasound equipment.
The outcome was rather bleak: almost all of these machines were taken over easily. The issue, of course, is that someone could theoretically take control of something like an infusion pump that is delivering a pain medication such as morphine and increase the dosage enough to kill the patient. What we know, of course, is that this year’s outlandish fantasy is next year’s successful exploit.
Mayo Clinic has continued to hold these medical hack-a-thons, and is working with manufacturers to improve these systems.
In 2016, the Food and Drug Administration released draft guidance to medical device manufacturers outlining the sort of security it wants to see in these devices. Some of the key elements of this draft guidance include (from Naked Security):
- Apply the 2014 NIST voluntary framework for improving critical infrastructure cybersecurity.
- Define essential clinical performance to develop solutions that offer protection from cybersecurity risks and also help respond to and recover from them.
- Keep on top of sources that help identify and detect cybersecurity vulnerabilities.
- Understand and assess the implications of a vulnerability.
- Create and follow a seamless vulnerability management process.
- Put in place and practice a well-coordinated vulnerability disclosure policy.
- Cybersecurity risk mitigations must be deployed early and prior to exploitation.
In spite of the progress in this area, we still face problems. The code that controls these medical devices often incorporates third-party software modules. Those modules go out of date and out of support, but may continue to be used by device manufacturers. For example, last year (2019) the FDA released a safety communication on a set of vulnerabilities known as URGENT/11. The alert states:
“The URGENT/11 vulnerabilities exist in a third-party software, called IPnet, that computers use to communicate with each other over a network. This software is part of several operating systems and may be incorporated into other software applications, equipment and systems. The software may be used in a wide range of medical and industrial devices. Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. Therefore, the software may be incorporated into a variety of medical and industrial devices that are still in use today.”
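The failure mode the FDA describes above, an unsupported third-party component that stays inside a shipping device, is exactly what a software inventory (SBOM) check is meant to catch. The following is an added example, not FDA or any vendor's code: it reads a small, constructed CycloneDX-style inventory for a hypothetical pump firmware, checks every component against a constructed advisory list and a constructed vendor support table, and flags components that are vulnerable, past vendor end-of-life, or missing from the support table entirely. The component names, advisory identifiers (ADV-0001 and so on), version ranges and dates are all invented for illustration and do not describe the real URGENT/11 advisory or any real product.

```python
"""Check a device software inventory against advisory and support data.

Added example (not FDA or vendor code). All inventory, advisory and
support data below is constructed for illustration.
"""
import json
import re
from datetime import date

# Constructed CycloneDX-style SBOM fragment for a hypothetical pump firmware.
SBOM_JSON = """
{
  "components": [
    {"name": "ipnet-stack", "version": "6.8.3", "supplier": "example-rtos-vendor"},
    {"name": "libtls",      "version": "2.4.1", "supplier": "example-crypto"},
    {"name": "pumpctl",     "version": "1.0.0", "supplier": "example-device-maker"}
  ]
}
"""

# Constructed advisory feed: identifiers, ranges and fix versions are invented.
ADVISORIES = [
    {"component": "ipnet-stack", "id": "ADV-0001",
     "affected": [">=6.5", "<6.9.5"], "fix": "6.9.5"},
    {"component": "libtls", "id": "ADV-0002",
     "affected": ["<2.3"], "fix": "2.3.0"},
]

# Constructed vendor support table: the date after which no patches ship.
SUPPORT_STATUS = {
    "ipnet-stack": {"eol": "2016-01-01"},
    "libtls": {"eol": "2025-01-01"},
}


def parse_version(text):
    """'6.9.4' -> (6, 9, 4). Parsing stops at the first non-numeric piece,
    so '1.2-rc1' -> (1, 2); good enough for dotted release numbers."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _compare(a, b):
    """Three-way compare of version tuples, padding the shorter one with zeros
    so that (6, 5) and (6, 5, 0) are equal."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
}


def version_matches(version, constraints):
    """True when version satisfies every constraint, e.g. ['>=6.5', '<6.9.5']."""
    v = parse_version(version)
    for constraint in constraints:
        m = re.fullmatch(r"(<=|>=|==|<|>)\s*([\w.\-]+)", constraint.strip())
        if not m:
            raise ValueError(f"bad constraint {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](_compare(v, parse_version(bound))):
            return False
    return True


def check_inventory(sbom_json, advisories, support_status, today_iso):
    """Return findings for vulnerable, end-of-life, and untracked components."""
    today = date.fromisoformat(today_iso)
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        name, version = comp["name"], comp["version"]
        for adv in advisories:
            if adv["component"] == name and version_matches(version, adv["affected"]):
                findings.append({"component": name, "version": version, "kind": "vulnerable",
                                 "detail": f"{adv['id']}: affected {' '.join(adv['affected'])}, "
                                           f"fixed in {adv['fix']}"})
        status = support_status.get(name)
        if status is None:
            # A component nobody tracks cannot be patched on purpose; flag it too.
            findings.append({"component": name, "version": version, "kind": "unknown-support",
                             "detail": "no vendor support record; treat as unsupported until confirmed"})
        elif date.fromisoformat(status["eol"]) <= today:
            findings.append({"component": name, "version": version, "kind": "unsupported",
                             "detail": f"vendor support ended {status['eol']}"})
    return findings


if __name__ == "__main__":
    for f in check_inventory(SBOM_JSON, ADVISORIES, SUPPORT_STATUS, "2020-10-15"):
        print(f"{f['kind']:16} {f['component']} {f['version']}: {f['detail']}")
```

Run against the constructed data, the check reports the hypothetical `ipnet-stack` twice, once because its version falls inside the advisory's affected range and once because its vendor support ended years earlier, and it also flags `pumpctl` because nothing in the support table says who maintains it. The second kind of finding matters in practice: the FDA's point is that a component can be licensed and shipped long after its vendor stops supporting it, so an inventory check that only looks for published advisories will miss components for which nobody will ever publish one.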
Then there are the continuing ransomware attacks targeting hospitals. One of the earliest widely reported cases was the 2016 incident at Hollywood Presbyterian Medical Center in Hollywood, California, which ended with the hospital paying $17,000 to the attackers for the key to decrypt its files. Even though the hospital had working backups, paying the ransom was cheaper for them than restoring every system from backup tapes. Ransomware continues to present security challenges for many hospital systems. As recently as last month, at the end of September 2020, Universal Health Services (UHS) had to take its IT systems offline across its U.S. facilities to deal with a Ryuk ransomware infection.
And simply paying the ransom has become less of an option: the U.S. Treasury has warned that facilitating ransom payments to sanctioned actors may violate sanctions regulations and expose the payer and its intermediaries to civil penalties. From SecureWorld News: “The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued an advisory on ransomware. This was not about the cybercrime itself, but instead, the regulatory trouble your organization could face for facilitating ransomware payments. The OFAC advisory on these cybercrime payments specifically warns financial institutions, cyber insurance firms, and companies that facilitate payments on behalf of victims that they may be violating OFAC regulations.”
Securing our medical systems and devices is more important than ever, now that they are a known, active target of cybercriminal gangs, APTs, and other bad actors.
- WyzGuys article
- Bloomberg article on Mayo hackathon
- Naked Security – FDA Guidelines
- FDA – Urgent/11
- UHS Ryuk Attack
- Ransomware Payments