We recently presented at the DeviceTalks conference in Boston Ma about the vulnerabilities that affect hospitals and medical devices (insulin pumps, pacemakers, etc.). The goal of our presentation wasn’t to instill fear but sometimes fear is a reasonable byproduct of the truth. The truth is that of all the networks that we test, hospital networks are by far the easiest to breach. Even more frightening is that the medical devices contained within hospital networks are equally if not more vulnerable than the networks that they are connected to. It seems that the healthcare industry has spent so much time focusing on safety that they’ve all but lost sight of security.
The culprit behind this insecurity is mostly convenience. Hospitals are generally run by healthcare experts with a limited understanding of Information Technology and an even more limited understanding of IT Security. It would be unreasonable to expect healthcare experts to also be IT security experts given the vast differences between both fields. When healthcare experts hire IT experts and IT Security experts they do it to support the needs of the hospital. Those needs are defined by the doctors, nurses, and other medical professionals tasked with running the hospital. Anything that introduces new complexity or significant changes will be slow to adopt or perhaps not adopted at all. Unfortunately, good security is the antithesis of convenience and so good security often falls by the wayside despite best efforts by IT and security personnel.
Unfortunately, in many respects the IT security industry is making the situation worse with false advertising. If antivirus solutions worked as well as they are advertised, then malware would be a thing of the past. If Intrusion Prevention Solutions worked as well as advertised, then intrusions would be a thing of the past. This misrepresentation of the capabilities provided by security solutions produces a false sense of security. We aren’t suggesting that these solutions are useless, but we are encouraging organizations to carefully test the performance and effectiveness of these solutions rather than simply trusting the word of the vendor.
After we breach a network there exists a 30-minute window of susceptibility to ejection from the network. Most malicious hackers have a similar or larger window of susceptibility. If a breach is responded to within that window, then we will likely lose access to the network and be back to square one (successful damage prevention by the client). If we are not detected before that window expires, then the chance of successful ejection from the network is close to zero. Astonishingly, the average length of time it takes for most organizations to identify a breach is 191 days. Rather than focusing on breach prevention (which is an impossibility) organizations should be focusing on breach detection and effective incident response (which is entirely attainable). An effective incident response will prevent damage.
Within about 40 minutes of breaching a hospital network our team takes inventory. This process involves identifying systems that are network connected and placing them into one of two categories. Those are the medical device category and the IT systems category. Contained within the IT systems category are things like domain controllers, switches, routers, firewalls and desktops. Contained within the medical device category are things like imaging systems, computers used to program pacemakers, insulin pumps etc. On average the systems in the medical device category run antiquated software and are easier to take control of than the IT devices. This is where security and safety intersect and become synonymous.
These medical device vulnerabilities afford attackers the ability to alter the operation of life-critical systems. More candidly, computer attackers can kill patients that depend on medical devices. The reality of medical device vulnerability is nothing new and it doesn’t seem to be getting any better. This is clearly evidenced by the ever-increasing number of medical device recalls triggered by discovered cybersecurity vulnerabilities. These vulnerabilities exist because the security of the software being deployed on medical devices is not sufficiently robust to safeguard the lives of the patients that rely on them.
More frightening is that attackers don’t need to breach hospital networks to attack medical devices. They can attack medical devices such as implants from afar using a laptop and a wireless antenna. This was first demonstrated in 2011 by security researcher Barnaby Jack. He proved the ability to wirelessly attack an insulin pump from a distance of 90 meters causing it to repeatedly deliver its maximum dose of 25 units until its full reservoir of 300 units was depleted. In simple terms Barnaby demonstrated how easily an attacker could kill someone with a keyboard and make it look like a malfunction. He also did the same thing with a pacemaker causing it to deliver a lethal 840-volt shock to its user. Similar attacks are still viable today and affect a wide variety of life supporting devices.
To solve this problem two things needs to happen. The first is that medical device manufacturers need to begin taking responsibility for the security of their devices. They need to recognize that security is in many cases a fundamental requirement of safety. They also need to begin taking a proactive approach to security rather than reactive. In our experience medical device manufacturers are unfriendly when interfacing with vulnerability researchers. They might want to reconsider and even offer bug bounties as a step in the right direction.
Hospitals also need to make some significant changes too. They need to begin to put security above convenience when it has the potential to impact patient safety. This might mean installing good password managers and enforcing strong passwords with two factor authentications, increasing security budgets, or even paying for good security training programs. Most hospitals are patient safety focused but fail to recognize that IT security and patient safety are now synonymous.