Protecting hospital medical equipment from attack

Out-of-date software or firmware in hospitals creates a dangerous situation where devices have vulnerabilities that can be exploited. Adam Winn, senior manager, OPSWAT writes

The challenges in protecting hospitals from cyber attacks are similar to those faced in Industrial control systems (ICS) and supervisory control and data acquisition (SCADA ) environments; the equipment used in hospitals is not user-serviceable and therefore often running out-of-date software or firmware. This creates a dangerous situation where the devices have vulnerabilities that can be exploited. Also, administrators are not likely to notice malware running on the device as long as nominal operation is maintained.

The end goal of those infecting a medical device is to use it as an entry and pivot point in the network. Valuable patient records are not likely to be present on the medical devices but those devices often have some level of network connection to the systems that do contain patient records.

What exactly is someone likely to do after getting a foothold on the network?

 - Find patient records that can be used for identify theft or blackmail

 - Steal research data for financial gain

 - Deploy ransomware  like Cryptolocker, effectively crippling the facility unless a bribe is paid

 - Trigger system malfunctions

- Carry out a 'hit' on a specific patient

Real-world examples

Billy Rios, a security researcher, recently went public with a vulnerability that affects drug pumps and could potentially be exploited to administer a fatal dose of medication to a patient. Rios notified the DHS and FDA about the vulnerability and saw no response so he went public to put pressure on the manufacturer to fix the issue. Faced with the reality that some medical equipment manufacturers do not invest in securing their devices from exploitation, the onus of security falls on the users of such equipment. 

This discovery shows a real-world example of how a cyber attack could affect a medical device and potentially endanger lives. This type of threat needs to be taken seriously. The real question is how can hospitals effectively protect devices such as these?

It's clear that installing antivirus software on medical equipment is impractical. Furthermore, healthcare IT is relatively helpless to patch the software and firmware running on these devices. So considering those vulnerabilities and the difficulty in remotely scanning these devices, the best solution is to prevent malware from ever getting to these devices. Thankfully this challenge has already been solved in ICS and SCADA environments.

A recently profiled attack on hospitals was thought to be due to a technician visiting a compromised website on a PC with direct access to a picture archive and communication (PACS) system. The report details that the malware was detected but not before infecting the PACS system. Due to the nature of the system it could not be scanned for malware, let alone cleaned. It was then used as a pivot point to find a system with medical records that could be exfiltrated back to the attacker.

Medical facilities share vulnerabilities with SCADA and ICS, so why shouldn't they also share protection mechanisms? Critical infrastructure providers, especially power plants, often make use of air-gapped networks as a very effective defence mechanism. Using the above example, the PC with a web browser and internet access should not have also had access to PACS. This simple step would have stopped the infection from doing damage. If, for example, the technician needed to download something from the internet and transfer it to PACS then it would have to be transferred onto the air-gapped network.

Sanitisation and cyber infections

Hospitals and their staff are accustomed to preventing the spread of biological infections and they must now apply similar levels of prevention to preventing the spread of cyber infections. Defending against cyber infections, by comparison, is much easier. The medical industry isn't alone in fighting this threat – they don't have to invent new techniques for preventing infection, they simply need to adapt the proven strategies employed by other industries. 

Simply employing an air gap doesn't guarantee security. The point of the air gap is to create a point through which data movement is carefully controlled. Additional measures must be employed to ensure that pathogens are not allowed access. In medicine these measures consist of removing foreign material with soap and water and disinfecting with various antimicrobial agents. It's not practical to scan doctors and nurses for bacteria, so every surface is assumed to be contaminated until sufficiently cleaned and disinfected. The control point in a data flow is comparatively easier to maintain, as there are techniques for quickly finding infections on media moving through the air gap. For extra protection, any files deemed 'clean' can still be disinfected to completely eradicate the possibility of a threat doing undetected.