Introduction
This post focuses on four medical device cybersecurity attack objectives:
-
Stealing Protected Health Information (PHI) (Motive: Financial Gain)
-
Ransomware (Motive: Financial Gain)
-
Harming or killing a patient (Motive: Terrorism or Assassination)
-
Using the medical device as a beachhead for enemy advancement (Motive: Foothold to Expand Operations)
In this post, I will cover a little background on why medical device security is something to pay attention to, elaborate on the four attack objectives, and provide some solutions.
Background
Unsecured medical devices and the Internet of Medical Things (IOMT) are major cybersecurity concerns. These devices are typically deployed in hostile hospital and clinic environments. Yes, I said hostile. Why hostile? Most hospital environments, despite “HIPAA Compliance” remain vulnerable. I know this based on many penetration tests of both hospital and clinic environments. Compliance has little to do with security. Yet, compliance is often both the minimum and maximum effort organizations put towards cybersecurity.
Attacks against medical devices are either unintentional or intentional. Unintentional, often referred to as non-directed attacks, are broad, non-targeted attacks by malware that is spreading in the “wild” by broad phishing schemes or simply lateral movement. Lateral movement is when an infected system spreads the malware to other vulnerable systems on the same network or environment. Intentional attacks also referred to as directed attacks, are targeted attacks by an entity with a specific objective.
In cybersecurity, there are generally three areas we care about – confidentiality, integrity, and availability. These are often referred to as the CIA triad. The idea is if you increase one, the others may suffer, so there has a be a balance. For instance, if I focus on confidentiality and make everything super secure (encrypted, require multiple factors to log on, etc.), then availability may suffer. The balance should be based on risk.
Medical Device Hacking Objectives
1 – Stealing Protected Health Information (PHI) (Motive: Financial Gain)
Many medical devices contain PHI that can be stolen directly from the device, or a compromised medical device can be leveraged to obtain PHI. For instance, a medical device may be connected to an Electronic Medical Records (EMR) system. The trusted connection between the medical device and the EMR could be leveraged by an attacker to siphon PHI from the EMR.
PHI is often stolen using targeted attacks, but can easily be stolen by a non-targeted attack, where the malicious software (malware) happens to land on a vulnerable system containing PHI. A targeted PHI attack could be an attack to get “dirt” on a celebrity or politician to blackmail them or try to smear their reputation. An example of this would be to steal records for sexually transmitted diseases (STDs) at places celebrities may have received testing.
Type of Attack: Typically non-directed, although may be targeted.
CIA Triad Affect: Confidentiality.
2 – Ransomware (Motive: Financial Gain)
Ransomware is quite common in hospitals and clinics and has actually been linked to an increase in fatal heart attacks. According to a post on the krebsonsecurity.com:
“The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.”
Ransomware is typically a non-targeted attack, seeking as many vulnerable victims as possible. Many medical devices run older operating systems, such as Windows XP embedded, Windows 7 embedded, or an older version of Linux. These older systems make them vulnerable to these types of attacks.
Type of Attack: Typically non-directed, although may be targeted.
CIA Triad Affect: Confidentiality and Availability.
3 – Harming or killing a patient (Motive: Terrorism or Assassination)
As mentioned previously, ransomware can impose delays in treatment that can result in deaths, even though this is not the motive.
Harming or killing patients motivated by terrorism or a targeted assassination typically involves altering the logic of a medical device or controlling the device to create the desired effect. An example of terrorism is hacking into hospital patient monitoring systems to alter all the patient readings – to “flat-line” them all to create a panic and force the use of an alternative system or method.
An example of an assassination is what Dick Cheney was afraid of – someone hacking into his pacemaker to cause it to stop working or shock his heart to death.
Type of Attack: If Terrorism, could be non-directed. Assassination will be targeted.
CIA Triad Affect: Integrity and Availability.
4 – Using the medical device as a beachhead (Motive: Foothold to Expand Operations)
Many vendors only care about the cybersecurity of their device, focusing only on vulnerabilities that can directly affect the CIA of their medical device. Often a vulnerability in one device that may not directly affect that device can be leveraged as a beachhead to expand hacking operations by putting a sleeper cell in friendly territory. When needed, that sleeper cell can be called upon by the hackers to wreak havoc.
An example of this is an unnecessary service, such as FTP, that is running on a medical device. The service has a vulnerability that doesn’t directly affect the operation of the medical device, but could be leveraged for future attacks by providing a point inside a friendly network that an attacker can use to amass attacks from inside a perimeter.
Type of Attack: Typically non-directed, although may be targeted.
CIA Triad Affect: None.
Solutions
It’s best to move from uniformed optimism to informed realism. Medical device manufacturers are excellent at making their devices reduce diagnosis time, helping a physician, or solving a medical issue. Cybersecurity is usually not an area of expertise or a concern for a medical device manufacturer. It’s understandable to see the world through the uninformed optimism lens when there is limited awareness of what is possible from a cybersecurity attack and risk perspective.
The move to informed realism typically involves hiring the right cybersecurity experts that see the world differently, that look at the medical device through the lens of a hacker. They view the medical device not as a medical tool or aid, but as a system to exploit with the same objectives we discussed in this article. Hiring trusted, ethical hackers to proactively assess and test a medical device before it is deployed to a hostile healthcare environment is prudent and now mandated by the FDA.
Medical devices are behind the curve with cybersecurity but are slowly catching up. Thanks to the FDA, organizations like Archimedes and many security researchers, the real consequences to patient safety caused by vulnerable medical devices are starting to reach the right ears and be taken seriously.
Need help securing your medical device? Connect with me.