At Risk: Medical Device Cybersecurity Vulnerabilities Expose Patients to Life-threatening Consequences
A foreign political leader had a heart attack during a visit. He’s recuperating at a hospital, connected to a drug infusion pump. A malicious threat actor connects to the hospital network undetected. A monitoring, alerting, and incident response system is not in place. This means that the IT team is not alerted when the threat actor triggers the infusion pump to overdose the foreign leader with dobutamine when hospital staff members have their backs turned. An innocent person dies, the hospital suffers irreparable damage to its reputation and a political crisis gets triggered.
In today’s connected environment, healthcare cybersecurity is no longer fiction, but a very real possibility the healthcare sector needs to address. Last year, the FDA issued an alert that a large, unknown number of medical devices running the IPNet software stack, were vulnerable to cyber-attacks. The devices mentioned include drug infusion pumps, pacemakers, and other medical hardware keeping individuals alive.
The fear and concern surrounding medical device hacking are justified. But what can you do about this? The first step is to drill down into the details.
What medical devices can be hacked? Which ones have been, and what were the real-life consequences of hacking medical devices? What attack vectors did the hackers use? Understanding these factors is the first step toward building resilient medical device infrastructure.
Medical Device Cybersecurity
Risk level: High
Attack vectors: RF commands, on-device vulnerabilities
Viable pacemaker hacks have existed for more than a decade. In 2008, researchers at the US Medical Device Security Center found that certain pacemaker brands were vulnerable to RF signal hijacking. Commands are sent to pacemakers over radio waves to program their normal functions. In some models, however, the radio communication is unencrypted. If a threat actor gets within range of a target, they could send a command via RF to either turn off the pacemaker or deliver a shock, triggering cardiac arrest.
Radio command hijacking is relatively simple to address. Manufacturers need to ensure that RF commands to pacemakers are sent across encrypted channels. On-device malware is a greater threat. In 2017, the FDA issued a recall order for nearly 500,000 pacemakers due to security vulnerabilities.
In a presentation at the 2018 Black Hat security conference, researchers demonstrated a way to exploit firmware vulnerabilities on certain pacemaker models, as well as hacking a system used to program pacemakers.
While no deaths have been reported yet, pacemakers are a very real vector for targeted attacks on individuals, with potentially lethal consequences.
Risk level: High
Attack vectors: On-device exploits
In 2017, the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) pointed out several firmware vulnerabilities affecting a number of drug infusion pumps.
The ICS-CERT researchers identified hardcoded credentials for the wireless network configuration and poor access control as two of the more glaring risks. Even if an ethernet connection is active, the at-risk pumps will use hardcoded credentials to establish a wireless connection. Moreover, if the FTP server on the pump has been set up, FTP connections do not require credentials to initialize. Worse still, these pumps store credentials on their configuration file, making them visible if the pump is connected to an external network.
If exploited, these vulnerabilities could allow a remote threat actor to wirelessly manipulate both the communications and therapeutic modules of the infusion pump models. What this means is that threat actors can shut down monitoring and alerts on infusion pumps—critical for patients in an unstable condition. Or worse yet, they could manipulate the therapeutic module to overdose patients.
At DEFCON 2017, security researchers demonstrated a man-in-the-middle hack for a different set of security pumps from those flagged by ICS-CERT. They were able to gain access remotely, allowing them to potentially alter dosage levels to dangerous effect.
Risk level: Very High
Attack vectors: Embedded medical devices
Doing physical harm to patients isn’t the only reason why threat actors hack medical devices. Because of the relative lack of hospital cybersecurity measures in place, medical devices are often the weakest link in a hospital network.
During a data breach incident, gaining access to a medical device isn’t the end-goal. Rather, easily-compromised medical devices give threat actors an entry point into the network, allowing them to steal data from other locations. On hospital networks that don’t rigorously scan for connected devices, threat actors can connect wirelessly to medical devices when on-premise. Fully remote attacks often use phishing as a starting point instead.
Many devices are embedded systems, running legacy OSs with known, unpatched vulnerabilities. This makes them an ideal attack surface for threat actors who are interested in accessing and selling medical records. On the black market, medical records are worth over 10 times as much as credit card information. This makes medical records an ideal target for cybercriminals looking to profit off of stolen information.
Numerous medical record data breach incidents have been reported over the past few years. In just the first half of 2019, hackers compromised more than 28 million medical devices.
Risk level: low-medium
Attack vectors: MITM attacks
Since 2001, when a New York doctor performed the world’s first robot telesurgery on a patient in France, surgical robots have been seen as a way to address the shortage of surgical experts in certain parts of the world. Early telesurgery experiments took place over dedicated fiber connections. This ensured the stability of the connection but also made it very difficult for threat actors to hack communications.
Newer, practical telesurgery equipment is designed to work over more conventional channels, with some telesurgery endpoints connected over WiFi, making it far easier to set up telesurgery operations in remote areas. However, it exponentially increases the risk of security incidents.
In 2015, researchers at the University of Washington successfully hacked a telesurgery robot using a man-in-the-middle attack, and were able to manipulate the commands sent to it. Wireless telesurgery endpoints are especially vulnerable to attacks. While telesurgery attacks aren’t a major in the here and now, the risk of a serious incident increases as the telesurgery market grows year by year.
Conclusion: Hospitals need to enhance their security preparedness immediately.
Looking at existing security vulnerabilities on medical devices, what’s most evident is that neither device manufacturers nor hospitals are paying nearly as much attention as they should to cybersecurity. While real-life attacks have (so far) been limited to medical data breaches, a large number of medical devices today are extremely vulnerable to wireless cyber-attacks. If hospitals don’t do more to change their security posture, it’s only a matter of time before catastrophe strikes.