TrapX, a security company that specializes in medical device attacks, outlined how these attacks occur in a report titled “Anatomy of an Attack: MedJack” in May of 2015. In this report several case studies are examined in detail. In the first case study, malware was inserted on a blood gas analyzer.
These analyzers were used in critical care units, in surgery and in post anesthesia care units, so there were several areas of the network attached to these machines. In this particular case the hospital had a strong suite of cyber defense products including strong firewalls, intrusion detection systems and a highly trained staff, but hackers were still able to access the network via the weak link of the blood gas analyzers. Eventually a breach was found through which data was being ex-filtrated to a location thought to be in Europe. Furthermore, it was determined that the data flowing through the blood gas analyzer was unencrypted and was thus susceptible to manipulation, either inadvertently or on purpose.
PACS SYSTEM ATTACK
In the next study, an attack that used the PACS (picture and archive communication system) was studied. The PACS system was used by the radiology department to store images from a variety of sources such as x-ray machines, CT scanners, MRI scanners and ultrasound machines. The data on this system is accessed not only by hospital employees, but also by doctors in their individual offices. Malware was found on this system that was accessing medical data and ex-filtrating it to a location in China. The source of the malware was traced to an end user in the hospital who went to a malicious website on a browser which used a java exploit to plant the malware on the hospital system. The hospital’s cyber defense software did detect and remove it, but not before it had spread to the PACS, which was off limits to the protective program.
It’s obvious from looking at this problem that it cannot continue to be ignored. No reports indicate that anyone has been harmed by a hacked medical device yet, but it is a possibility. However, the theft of medical information is occurring right now, possibly in organizations that have no idea that it is happening. What can be done to stop these hackers?
RECOMMENDATIONS
A partial list of recommendations:
- Review and update all contracts with medical equipment suppliers. Must be specific language included about checking for malware on the equipment,policies for secure and prompt updates, and the ability to set passwords in house. Updates should be done in a timely manner and should use a security network and use digitally signed software.
- Consider that all of your current medical devices are likely infected and work with manufacturers to decontaminate or replace these devices.
- Access to medical devices should be restricted as much as possible. All unnecessary ports and services should be disabled.
- Security of the hospital network should be evaluated in it’s entirety. Educate all employees of the need to avoid using USB keys and being security conscious at all times.
THE FUTURE
For implanted devices, there is a new prototype of “firewall” that monitors all communication to and from wireless devices to spot unauthorized access and then warns the user or jams the signal. Researchers at Rice University, in conjunction with the security company RSA are working on a system which will only update the implanted device when a wand that is held near the patient, records the patient’s heartbeat and compares it with a signal from the implanted device. If they match, the update is allowed to continue. The signal is encrypted both ways so that it can’t easily be hijacked during the exchange.
With a concerted effort to get health care information digitized and into databases the threats of that information being accessed for nefarious purposes will only continue to rise. The news media is currently focused on sensational accounts of intravenous or insulin pumps being taken over by hackers and programmed to give an over or underdose resulting in serious injury or death. While these types of attacks are certainly possible, the commandeering of the operating systems of medical equipment for the purposes of obtaining health care related information is happening right now. The time to plan for these hacks is right now.
The important thing to remember is that security, like quality, is not a function of just one department in the organization, but rather everyone from the CEO to volunteers.
Bio:
Jeff Harris is a Pharmacist with over 25 years of leadership experience in hospital, retail, and home health environments. Due to a spinal cord injury, he is currently on long term disability. Jeff is passionate about patient safety, risk management and cybersecurity issues in healthcare. He continues to research and write about improving healthcare on a pro-bono basis.