Medical Device Security
By Sarah Elkins
For The Record
Vol. 30 No. 8 P. 20
Hackers have a new target, but the goal is still the same.
It's a plot right out of Hollywood: Nefarious hackers gain access to a world leader's pacemaker and threaten to assassinate him unless $10 million are wired to an offshore account. It's a vaguely familiar plot, isn't it? TV thriller Homeland had a similar episode in 2012. Or perhaps you have a faint memory of headlines from 2007 when then Vice President Dick Cheney, motivated by concerns that his pacemaker could be hacked, had its wireless capability disabled.
Cheney's pacemaker was never hacked, but the fact remains that it could have been. And while the human risk of medical device vulnerability has, so far, been relegated to the screen, it is not out of the realm of possibility. Increasingly, security experts warn that medical devices are particularly vulnerable to attack.
As evidenced by headlines such as "Medical Devices Are the Next Security Nightmare," "When Medical Devices Get Hacked, Hospitals Often Don't Know It," and "Hackers Pose Danger to Patients," the warning bells are being sounded. Still, it's tough to discern the real risks.
Brian Wells, chief technology officer for cybersecurity company Merlin International, cites a study conducted last year in which seven pacemakers from four vendors were discovered to have more than 8,000 hackable vulnerabilities.
"The researchers discovered unencrypted patient data stored on two pacemakers, with one that included names, phone numbers, medical information, and Social Security numbers. All of the pacemakers had outdated software, with known vulnerabilities," he says.
This points to the real concern with medical device vulnerability. The game is still about the data. While it makes for a more dramatic movie plot, hackers aren't going after individuals or specific devices—at least not yet.
"The device isn't necessarily what they want—it's what they can find on the network once they get in," says Kevin Meany, cofounder and chief technology officer for Versatile, an IT provider for health care and other sectors. "Medical records are a huge commodity on the dark web."
Lesley Berkeyheiser, a reviewer for the Electronic Healthcare Network Accreditation Commission (EHNAC) and HITRUST practitioner at N-tegrity Solutions Group, agrees. "The main reason is still money. PHI [protected health information] on the black market is still worth a lot of money. A cybercriminal is going for bigger money and bigger population issues," she says.
Why Medical Devices?
Medical devices are more vulnerable to compromise because of their inability to be updated. "These are devices that don't have agents. You can't install antivirus software on them. You can't put antimalware on them," Meany says.
For Jeff Schmidt, vice president and chief cybersecurity innovator for Columbus Collaboratory, implantable devices epitomize the inherent weaknesses of these connected, inaccessible medical devices.
"It's a device you probably don't have physical access to, and they're not designed by software engineers. They're not designed by people who think about remote patching and upgradability," he says. "If you do find a flaw, what do you do? Require everyone to go to the hospital and have surgery?"
Of course, some devices are more vulnerable than others. Wells points to vendor-created devices that do not run on standard operating systems such as Windows, Mac, or Linux. When asked how organizations know nonstandard vendors are updating their devices, he bluntly answers, "Well, they don't."
Schmidt agrees, noting that the greatest positive impact on information security has been Microsoft Windows' auto-update. "The ability for your operating system to update itself has had such a gigantic positive impact on security," he says.
According to the American Hospital Association, "Software companies have generally prioritized creating a systematic approach for sharing timely updates and providing guidance on how to complete them. Similar approaches have yet to be deployed by medical device manufacturers."
In short, the same principle of automatic patching must be required of medical device manufacturers. "In 2018, nobody should be buying anything that they're going to deploy remotely that is not remotely updatable in some sane way," says Schmidt, who recommends organizations use their buying power in order to positively influence responsible security development by manufacturers. He points to the Mayo Clinic, which requires security testing of all medical devices prior to purchase.
How It's Happening
The good news, if it can be called such, is there are no new tricks up the hackers' sleeves. Medical devices are compromised in the same ways networks have traditionally been breached.
As Wells puts it, "The bad guys use the usual approaches—open firewall ports, phishing, etc—to get into the network, and then they move on to the devices."
Schmidt echoes Wells, "They're killing us with phishing. It's unreasonable that we expect Mabel in accounting to be able to distinguish between a malicious and nonmalicious e-mail attachment. That's a failure of my industry that we haven't been able to mitigate."
Meany illustrates how easily these compromises can occur. Recently, he took his 14-year-old for a check-up. While he was in the physician waiting room, he decided to "poke around on the wireless" from his cell phone. He wasn't surprised by what he found.
"Basically, they had too many SSIDs [service site identifiers] advertised out in their wireless space." What Meany discovered was several printers on the network, a known flaw whereby printers advertise themselves on the network for direct printing.
"Vendors do that to make it easy for users, but it's not secure," he continues, "Once you get past that perimeter, it's probably pretty wide open."
Conceivably, Meany could have breached a printer and probed the practice's entire network looking for valuable data. While most people have learned the importance of maintaining strong passwords on their computers, many of the devices operating on the same networks do not have the same level of password protection—if any. Vulnerable devices on a flat, unsegmented network have become the keys to the kingdom.
Schmidt explains, "Devices [can't] have default passwords. How many "username: admin, password: admins" are there? How many shared credentials are there? You know there's one video camera system that 20 people need to get access to and they all use the same user name and password."
Medical Devices and IoT
Schmidt, Meany, and Wells all mention decidedly nonmedical devices in their descriptions of how compromises occur. From printers and security cameras to internet-enabled thermometers and sprinkler systems, the issue, at least for security experts, is less about medical devices than it is about devices in general, or things, as in the Internet of Things (IoT).
Berkeyheiser highlights this difficulty: "It gets really squirrely. Would you consider my phone a medical device? It depends. What if I have the Kardia Mobile app on my phone?"
With the rapid expansion of IoT, looking narrowly at the vulnerability of any subset of devices, medical or otherwise, can be limiting. Yes, the devices themselves are vulnerable largely due to their inability to be patched or updated, but their connectivity on open, flat networks is, perhaps, the bigger and more easily remedied problem.
"Take an insulin pump," Berkeyheiser says. "If the data on it feed to the phone which can feed to the laptop which can feed to the doctor's office, you can see that you follow the flow of the data." The vulnerability of the insulin pump itself is one thing but the vulnerability of the network is another level altogether, she adds.
Each of the experts interviewed brought up one solution that every health care entity should be employing: network segmentation.
"Health care organizations should consider the implementation of a comprehensive network segmentation architecture to create an entirely separate network environment solely designated for medical devices," Wells says. "If attackers compromise a device, there's only so much harm they can do because the device is 'walled off' from everything else within the enterprise."
Schmidt breaks it down: "There is no reason why Mabel's desktop in accounting should be able to talk to the security camera or the thermostat or vice versa. There's no reason the video camera, once it gets hacked up, can go talk to Mabel's machine in accounting. Yet, in many enterprises, that is how it is. Everything is flat."
"Perimeter protection isn't enough," Meany says. "We have to bring it inside."
Encryption is key. "For segmentation to work, you need strong encryption—even better than what we use for phones—to close everything off," Wells says.
Spotting Hacked Devices
Once a bad actor has penetrated the network and begun wandering around looking for valuable data, the trick becomes figuring out the breach has occurred and shutting it down. Meany describes why discovery may be difficult without fingerprinting.
"The network has become a living organism," he says. Therefore, it's necessary to know the baseline behavior of each device on the network. An ultrasound machine behaves in a certain way. A heart monitor behaves uniquely as well. By establishing a "fingerprint" for each device, Meany monitors network behavior.
He describes a possible scenario: "One day, the heart monitor starts talking to other servers or going out to the internet. It never does that. Now I'm seeing behavior that doesn't match the fingerprint. I can alert on those and shut it down immediately."
Schmidt adds, "Net flow on human networks is dominated by the randomness of human beings. Human beings aren't super predictable, so they have very strange network traffic. But if you look at a medical device, refrigerator, thermostat, any kind of device plugged into a network, they're very, very predictable."
Wells warns that bad behavior on the network may not always be that easy to identify. "Good hackers generally don't signal what they're doing—they take pride in staying stealthy. To them, that's the art of what they do," he says.
Meany does acknowledge, "[Hackers] can sit dormant for a long time, like little agents waiting for commands." The trick is to watch the network; eventually you will see activity, he notes.
As an EHNAC reviewer, Berkeyheiser and her cohorts emphasize the importance of voluntary accreditation programs. "We truly believe that setting forth best practices across privacy and security, following the flow of the data, implementing the lifecycle, constantly using risk-based approaches to establish where issues are and constantly mitigating them, all those things in a program for accreditation or certification will really help the industry," she says.
Berkeyheiser also points to work the ONC has done in pushing "continuous quality improvement and the adoption of product lifecycle." In January, the ONC announced the formation of TEFCA (Trusted Exchange Framework and Common Agreement), which plans to release a more detailed outline of voluntary guidelines for best practice standards before the end of the year. The guidelines will include language about device lifecycle.
"Some worry that health care won't take medical device vulnerability seriously until a cataclysmic event occurs," Berkeyheiser says.
For Meany, whose job it is to prevent such an event, the answer for his clients is "near-zero trust levels of security," adding, "That is unfortunately where this world is taking us."
"We need to think about security in advance," Schmidt says. "That's something security people always say and we never do. If someone is sitting down to design a new thingamajigger, they should think about what the risk profile is, what the threat model is, how we need to secure this thing, who is going to need to access it and under what conditions, [and] how are we going to update and patch it in advance."
Berkeyheieser would argue much of the advance work has been done; it's only a matter of applying what's already been learned. "I go back to my basic HIPAA security from 2005 and 2006 when it was implemented. It's still the same," she says. "It doesn't matter if it's HIPAA security for doctors and hospitals or if it's medical device manufacturers. The organization needs to adopt appropriate technical controls."
— Sarah Elkins is a freelance writer based in West Virginia.