You would think that medical devices, which aid in sustaining health and wellness on many levels, would be focused on security to some extent, right? Well, thinking it and it being a reality are apparently not two peas in the same pod. Despite numerous outcries and public demonstrations from cyber security specialists and researchers directed at medical equipment vendors, and even at the FDA, which is responsible for regulating medical devices, security of these devices seems to not even be on the minds of their developers.
A rather surprising article detailing the work of Billy Rios and other security researchers working with the Mayo Clinic shows that the truth about the security of medical devices is rather disturbing. To compound these concerns, detailed reports and research investigations were transmitted to the vendors as well as the FDA, yet not much has been done in the way of improving the security of devices. It seems that vendors of the equipment are pointing their fingers at network perimeter defenses and appliances, such as firewalls and network gateways.
Further, the article states that vendors responded with a statement saying that the security of the devices is only a layer on their initial defense line. While there is some validity to this, layered security is better than solely relying on a network’s perimeter defense. The fact that these security concerns are seemingly not being taken seriously is a tad unsettling as well. There are numerous researchers raising awareness of this and going public to gain more exposure and put pressure on manufacturers.
The take-away that the Mayo Clinic had from this experience was a fresh set of security requirements for its medical device suppliers. The take-away that Rios got was the realization of the severity of the issue and the seeming lack of interest from vendors. In a quote from an article posted by The Guardian, Suzanne Schwartz, an FDA director responsible for cyber security partnerships, stated that the presented case study illustrated a “gap in the ecosystem.” Rios knew that the Mayo Clinic was one of very few entities that had a large enough presence to really put their foot down, but the number of smaller entities that didn’t have as much pull posed an issue and a major concern.
Many live demos have been presented by researchers at various events. Rios and Jonathan Butts performed a hack at Black Hat, first warning those with pacemakers to exit the room before demonstrating the ability to shut these devices down remotely. Barnaby Jack performed an attack on wireless insulin pumps in Miami at the Hacker Halted conference back in 2011. The same article references a 2008 academic study in which researchers demonstrated their ability to intercept medical information from implantable cardiac devices and pacemakers and cause them to turn off or issue life-threatening electrical shocks.
Now don’t get me wrong, I am not against these devices, for as the vendors have mentioned, the good outweighs the bad. The issue, though, is for how long? What would it take for a terrible and malicious threat actor to spring up and issue a kill command to these devices?
I bring it up this way because, according to the article posted by Bloomberg detailing Rios’s work, that work led TrapX Security to conduct a test. They installed software in more than 60 hospitals that traced medical device hacks. They also created virtual replicas of these devices and installed them, appearing as though they were online and running. After a 6-month period, TrapX concluded that all of the hospitals contained medical devices that had been infected with malware. Hospital staff were spear phished and lured into opening malicious emails, and the resulting infections spread from hospital computers throughout the network. The computers themselves had antivirus that ended up catching the virus in the long run, but the medical equipment itself had no defense.
Gellman, L. (August 20, 2018). The Fight to Secure Vulnerable Medical Devices From Hackers. Retrieved from http://nymag.com/selectall/2018/08/insecure-medical-devices-vulnerable-to-malicious-hacking.html
Goodin, D. (October 27, 2011). Insulin pump hack delivers fatal dosage over the air. Retrieved from https://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/
Hern, A. (August 9, 2018). Hackable implanted medical devices could cause deaths, researchers say. Retrieved from https://www.theguardian.com/technology/2018/aug/09/implanted-medical-devices-hacking-risks-medtronic
Reel, M. and Robertson, J. (November 2015). Hack the Hospital Firewalls and medical devices are extremely vulnerable, and everyone’s pointing fingers. Retrieved from https://www.bloomberg.com/features/2015-hospital-hack/