Hospitals should try to keep their electronic systems as free from infection as their operating theatres, says Adam Winn.
The challenges in protecting hospitals from cyber attacks are very similar to those faced in industrial control system and SCADA environments: the equipment used in hospitals isn’t user serviceable and can therefore often be running out-of-date software or firmware. This creates a dangerous situation where devices have known vulnerabilities that can be easily exploited by malicious ‘bad actors’, and where administrators are not likely to notice malware as long as nominal operation is maintained.The end goal of attempting to infect a medical device is to use it as an entry and pivot point in the network. Devices themselves are unlikely to contain valuable patient records, but they often have some level of network connection to systems that do.
What exactly is a bad actor likely to do after getting a foothold on the network? They might move laterally to find patient records that can be used for identity theft and blackmail, perhaps steal research data for financial gain, or deploy ransomware such as Cryptolocker, which is capable of effectively crippling the facility unless a bribe is paid. They might trigger widespread system malfunctions as an act of terrorism, or carry out a ‘hit’ on a specific patient.
Of these five actions, the first three are motivated strictly by financial gain, and this has been the extent of observed attacks to date. The fourth seems possible but unlikely, either due to morals or the relatively higher value of attacking other targets like power plants or defence facilities.
The fifth hasn’t been detected yet, but that doesn’t exclude the possibility that it has happened. A ‘silent assassination’ carried out using malware would be very hard to trace back to the attacker, and could even be sold as a service.
Security researcher Billy Rios recently went public with a vulnerability that affects drug pumps and could potentially be exploited to administer a fatal dose of medication to a patient.
When Rios received no response after notifying the US Department of Homeland Security and Food & Drug Administration he went public to put pressure on the manufacturer to fix the issue.
There is no question that this type of threat needs to be taken seriously. The real question is, how can hospitals protect devices like these effectively?
Installing anti-virus software on medical equipment is impractical and basically impossible. Furthermore, healthcare IT users are relatively helpless to patch the software and firmware running on these devices. So considering those vulnerabilities, and the difficulty in remotely scanning devices, the best solution is simply to prevent malware from ever reaching them in the first place. Thankfully this is a challenge that has already been solved in ICS and SCADA environments.
In a recently profiled cyber attack on hospitals, one of the infection vectors was thought to be a technician, who was using a PC with direct access to a picture archive and communication system (PACS), visiting a compromised website. It’s reported that the malware was detected, but not before it infected the PACS. Due to the nature of the system it could not be scanned for malware, let alone cleaned. It was then used as a pivot point to find a system with medical records that could be exfiltrated back to the attacker.
Medical facilities share vulnerabilities with SCADA and ICS, so why shouldn’t they share protection mechanisms? Critical-infrastructure providers often make use of air-gapped networks as a defence mechanism. Taking the above story as an example, the PC with a web browser and Internet access should not have also had access to a PACS. This would have stopped the infection from doing any damage at all. If the technician needed to download something from the Internet and transfer it to a PACS then it would have to be transferred on to the air-gapped network.
Preventing cyber infection can be compared to sanitising an operating theatre. The medical industry isn’t alone in fighting this threat; they don’t have to invent new techniques for preventing infection, they simply need to adapt the proven strategies employed by other industries.