The Difficulty of Gauging Health Care Cybersecurity Risk
In 2016, the cybersecurity division of the U.S. Department of Homeland Security released a warning that a class of medical devices had a whopping 1,418 vulnerabilities. Admittedly, the devices in question were end-of-life versions of the BD Pyxis SupplyStation health care inventory management system. But this extreme example points to the kind of collision course that can occur when complex software and connectivity drive core medical device functionality. DHS reasoned that an adversary of low skill could successfully attack the aging Pyxis devices. And over the past decade, security researchers have proven that dozens of medical devices, from pacemakers to infusion pumps, are at risk of cyberattack. Austrian cybersecurity researcher Tobias Zillner, for instance, revealed that a St. Jude Medical pacemaker model produced until 2017 could be hacked using a 2000-era cell phone, and that the device could be incapacitated within three hours by draining its battery via a cyberattack. A firmware update was later made available to harden that device.
Critics allege that the likelihood of adversaries targeting medical devices to harm patients is remote, while a satire site imagined a nation-state hacking Pyxis machines to cause narcotic withdrawal-induced violence in the United States. Meanwhile, medical device cybersecurity researchers continue to imagine the health care cybersecurity threats of the future, and regulatory authorities are increasing their scrutiny of cybersecurity vulnerabilities. “Pacemakers and other types of devices could be hacked, and proofs-of-concept for attacks on them are out there, but I don’t think it is as easy as headlines suggest,” said Candid Wueest, principal threat researcher at Symantec.
It is also often unclear who would be responsible if, say, a pacemaker were infected with malware, and who should decide how to handle the problem.
But while black hat hackers can target medical devices, they don’t appear to be a central risk. The Verizon 2018 Data Breach Investigations Report indicated the health care industry faces a higher risk of internal errors than it does external threats. Similarly, software problems generally have been the leading cause of medical device recalls for 11 consecutive years.
And while there are no clear-cut examples of a patient death or injury specifically tied to a medical device breach, the 2017 WannaCry ransomware attack served as a wake-up call for the industry, demonstrating how commodity malware can cause real-world impact, said Leon Lerman, chief executive officer of Cynerio. “Sixty hospitals in the United Kingdom were shut down as a result of an attack that did not specifically target hospitals,” Lerman said. WannaCry ultimately affected 60 National Health Service trusts, 595 general practices, and thousands of patients, according to the BMJ. In all, the malware caused nearly £100 million in damages and led to roughly 19,000 medical appointments being cancelled.
Furthermore, the Conficker worm, first discovered in 2008, continues to plague hospitals, many of which are vulnerable thanks to their use of devices running old operating systems such as Windows XP, Windows 2000 or even Windows 95. “Armed with full self-replication capabilities, Conficker is automatically able to infect any vulnerable remote computers accessible from that machine without requiring any interaction from users,” Lerman said.
Last year, a large hospital in Europe using old PCs in conjunction with MRI machines and heart monitors was hit with Conficker, according to Wueest. “We had told them several times they should secure those devices,” Wueest said. “They said: ‘No, it’s too expensive. We’re not going to do anything because those devices aren’t connected to the internet.’” But then a consultant with an infected USB stick inadvertently loaded the decade-old Conficker worm onto the network, forcing the hospital to shut the network down for an entire weekend.
The problem isn’t isolated. A report from Vectra concludes many legacy systems in health care environments “lack essential cybersecurity controls” and that patching such systems is a “challenge” because they often run continually.
As with the industrial sector, which has a similar tendency to keep using aging computers with antique operating systems, the health care industry can suffer collateral damage from broader malware attacks such as Conficker and WannaCry. “A lot of devices in health care are still connected to the office network, even if they aren’t connected to the internet,” Wueest said. If malware, whether ransomware or Trojans, makes it onto an aging network, or if the network is hit by a denial of service attack, the impact on hospitals and clinics can be considerable.
It’s not just older systems that are at risk. The company Attivo Networks, which uses deceptive tactics to identify network threats, also observed brand-new connected patient monitoring devices loading malware onto decoy devices. One of its customers, a health care company with more than 15,000 employees, discovered the problem on a segmented network, said Attivo’s Carolyn Crandall, whose de facto title is chief deception officer. “Nothing should be able to get on or off that network. The software on the patient monitoring devices came in factory installed. So here, you have an issue with the supply chain,” Crandall said.
While acknowledging this event to be “one of the more extreme examples” of a health care breach, Crandall said Attivo has documented numerous attacks on health care institutions. The people behind such breaches are often looking for personal health information or information from research labs, Crandall said. “And they are looking for the weakest link in your infrastructure to get there, whether it is a medical device or a connected laboratory microscope.”
While medical device hacking is a topic that has received a substantial amount of attention over the years, medical lab environments “come with security risks related to data tampering which could impact patient care or device operations,” Crandall added. They could give attackers access to sensitive intellectual property, or could cause chaos that leaves lab technicians at greater risk of being exposed to hazardous materials. “As such, medical lab hacking could be for the intent of nefarious actions, however, it is more likely a way to gain access to other systems,” she explained. Attivo Networks researchers haven’t detected tampering with conclusive intent to directly harm. But Crandall says an underappreciated security concern is the possibility of hackers looking for health information on celebrities or dignitaries, intending to sell it or to drive media interest in their diagnoses or treatment information. “We have also seen instances of unauthorized laboratory activities […] from a curious student trying to learn outside of a sanctioned curriculum,” Crandall added.
Medical devices, which often have long life cycles, can provide hackers with an on-ramp to health care networks. Traditional IT security strategies such as installing software agents to monitor the devices are impossible, given prohibitions on modifying code on medical devices that hasn’t been cleared by regulatory authorities.
Some black-hat hackers prize sensitive personal health information on health care networks, which can be used for identity theft and fraud. In the past decade in the United States, many patient records have been digitized, thanks in part to the so-called “Meaningful Use” incentives from Medicare and Medicaid intended to spur the use of electronic health records. Adversaries gaining access to personal health information achieve an average payout of $20,000, according to an estimate from the World Privacy Forum. By contrast, normal identity theft is worth one-tenth as much to a hacker. “My sense is that $20,000 for a single PHI record is high,” said Andrew Howard, chief technology officer at Kudelski Security. “$20,000 for a database of PHI records I might believe, but I do believe that the PHI data is more valuable [to hackers] than just like [credit and debit] card PAN. There’s a lot of personal information in there.”
Hospitals can also be valuable ransomware targets. The first known ransomware attack dates back to 1989, when AIDS researcher Joseph Popp, Ph.D., distributed 20,000 infected floppy disks to fellow scientists in 90 countries. After a victim installed an infected disk, the malware triggered an alert after the 90th reboot demanding that $189 be sent to a post office box in Panama for the user to regain access to the computer. Since those early days, medical organizations have remained a prime target for ransomware, and the associated ransom sums have also increased significantly.
Hancock Health, a hospital in Indiana hit with a ransomware attack via an outside vendor, paid four bitcoin to hackers in January 2018, which then was worth approximately $55,000.
Corporate espionage is another hacking motive. Last year, Symantec reported that a hacking group it dubbed “Orangeworm” had used a custom backdoor known as “Trojan.Kwampirs” in an attack targeting health care providers, pharmaceutical companies and IT companies serving the health care market. The company detected the malware, which was designed to copy itself and spread to additional endpoints, running on MRI and X-ray machines. The Orangeworm group’s motive was likely corporate espionage, the Symantec report surmised.
To date, many cyberattacks hitting the health care industry have focused on the first and last elements of the so-called “CIA triad”: confidentiality (for instance, corporate espionage or stealing patient records) and availability (for instance, withholding data via a ransomware attack). Cybersecurity researchers warn of possible threats to the second element, integrity. For instance, researchers at the Ben Gurion University Cyber Security Research Center in Israel showed the feasibility of malware leveraging deep learning to manipulate CT scans by adding fake cancer cells to images, or deleting real ones, potentially leading to incorrect diagnoses.
While the internet is rife with headlines suggesting hackers could target individual patients with potentially lethal consequences, more traditional commodity malware continues to be a bigger threat. “If there was a case where a patient was killed by an attack on a pacemaker, we likely would have heard about it,” Wueest said. “Of course, if there was a James Bond–kind of scenario where a hacker acted like a hit man targeting a politician or someone else, it would likely be very difficult to prove it was not a battery failure — that it was actually someone hacking.”