
The Difficulty of Gauging Health Care Cybersecurity Risk

While the threat of hacked medical devices has drummed up headlines, the bigger health care cybersecurity threat is likely commodity malware.
  • Written by Brian Buntz
  • 1st May 2019

In 2016, the cybersecurity division of the U.S. Department of Homeland Security released a warning that a class of medical devices had a whopping 1,418 vulnerabilities. Admittedly, the devices in question were end-of-life versions of the BD Pyxis SupplyStation health care inventory management system. But this extreme example points to the type of collision course that can occur when complex software and connectivity drive core medical device functionality. DHS reasoned that an adversary of low skill could successfully attack the aging Pyxis devices. And over the past decade, security researchers have proven that dozens of medical devices, from pacemakers to infusion pumps, are at risk of a cyberattack. Austrian cybersecurity researcher Tobias Zillner, for instance, revealed that a St. Jude Medical pacemaker model produced until 2017 could be hacked using a 2000-era cell phone, and that the device could be incapacitated within three hours by draining the battery via a cyberattack. A firmware update was later made available to harden that device.

Critics allege the likelihood of adversaries targeting medical devices to harm patients is remote, while a satire site imagined a nation-state hacking Pyxis machines to cause narcotic withdrawal-induced violence in the United States. Meanwhile, medical device cybersecurity researchers continue to imagine health care cybersecurity threats of the future, and regulatory authorities are increasing their scrutiny of cybersecurity vulnerabilities. “Pacemakers and other types of devices could be hacked, and proofs-of-concept for attacks on them are out there, but I don’t think it is easy as headlines suggest,” said Candid Wueest, principal threat researcher at Symantec.

It’s also often not clear who would be responsible if, say, a pacemaker is infected with malware and who should make the determination for how to handle the problem.

But while black hat hackers can target medical devices, they don’t appear to be a central risk. The Verizon 2018 Data Breach Investigations Report indicated the health care industry faces a higher risk of internal errors than it does external threats. Similarly, software problems generally have been the leading cause of medical device recalls for 11 consecutive years.

And while there are no clear-cut examples of a patient death or injury specifically tied to a medical device breach, the 2017 WannaCry ransomware attack served as a wake-up call for the industry, demonstrating how commodity malware can cause a real-world impact, said Leon Lerman, chief executive officer of Cynerio. “Sixty hospitals in the United Kingdom were shut down as a result of an attack that did not specifically target hospitals,” Lerman said. WannaCry ultimately affected 60 National Health Service trusts, 595 general practices, and thousands of patients, according to the BMJ. Ultimately, the malware caused nearly £100 million in damages and caused roughly 19,000 medical appointments to be cancelled.

Furthermore, the Conficker worm, first discovered in 2008, continues to plague hospitals, many of which are vulnerable thanks to their use of devices running old operating systems such as Windows XP, Windows 2000 or even Windows 95. “Armed with full self-replication capabilities, Conficker is automatically able to infect any vulnerable remote computers accessible from that machine without requiring any interaction from users,” Lerman said.

Last year, a large hospital in Europe using old PCs in conjunction with MRI machines and heart monitors was hit with Conficker, according to Wueest. “We had told them several times they should secure those devices,” Wueest said. “They said: ‘No, it’s too expensive. We’re not going to do anything because those devices aren’t connected to the internet.’” But then a consultant with an infected USB stick inadvertently loaded the decade-old Conficker worm onto the network, causing the hospital to shut it down for an entire weekend.

The problem isn’t isolated. A report from Vectra concludes many legacy systems in health care environments “lack essential cybersecurity controls” and that patching such systems is a “challenge” because they often run continually.

As with the industrial sector, which has a similar tendency to continue using aging computers with antique operating systems, the health care industry can suffer collateral damage from broader malware attacks such as Conficker and WannaCry. “A lot of devices in health care are still connected to the office network, even if they aren’t connected to the internet,” Wueest said. If malware makes it onto an aging network, whether it is ransomware or Trojans, or if the network is attacked by a denial of service attack, the impact for hospitals and clinics can be considerable.

It’s not just older systems that are at risk. The company Attivo Networks, which uses deceptive tactics to identify network threats, also observed brand-new connected patient monitoring devices, themselves carrying malware, loading malware onto decoy devices. One of its customers, a health care company with more than 15,000 employees, discovered the problem on a segmented network, said Attivo’s Carolyn Crandall, whose de facto title is chief deception officer. “Nothing should be able to get on or off that network. The software on the patient monitoring devices came in factory installed. So here, you have an issue with the supply chain,” Crandall said.

While acknowledging this event to be “one of the more extreme examples” of a health care breach, Crandall said Attivo has documented numerous attacks on health care institutions. The people behind such breaches are often looking for personal health information or information from research labs, Crandall said. “And they are looking for the weakest link in your infrastructure to get there, whether it is a medical device or a connected laboratory microscope.”

While medical device hacking is a topic that has received a substantial amount of attention over the years, medical lab environments “come with security risks related to data tampering which could impact patient care or device operations,” Crandall added. They could give attackers access to sensitive intellectual property, or could cause chaos that leaves lab technicians at greater risk of being exposed to hazardous materials. “As such, medical lab hacking could be for the intent of nefarious actions, however, it is more likely a way to gain access to other systems,” she explained. Attivo Networks researchers haven’t detected tampering with conclusive intent to directly harm. But Crandall says an underappreciated security concern is the possibility of hackers looking for health information on celebrities or dignitaries with the intent to sell it or to drive media interest in their diagnoses or treatment information. “We have also seen instances of unauthorized laboratory activities […] from a curious student trying to learn outside of a sanctioned curriculum,” Crandall added.

Medical devices, which often have long life cycles, can provide an on-ramp for hackers to health care networks. Traditional IT security strategies such as installing software agents to monitor the devices are impossible given prohibitions on modifying code on medical devices that haven’t been cleared by regulatory authorities.  

Some black-hat hackers prize sensitive personal health information on health care networks, which can be used for identity theft and fraud. In the past decade in the United States, many patient records have been digitized, thanks in part to the so-called “Meaningful Use” incentives from Medicare and Medicaid intended to spur the use of electronic health records. Adversaries gaining access to personal health information achieve an average payout of $20,000, according to an estimate from the World Privacy Forum. By contrast, normal identity theft is worth one-tenth as much to a hacker. “My sense is that $20,000 for a single PHI record is high,” said Andrew Howard, chief technology officer at Kudelski Security. “$20,000 for a database of PHI records I might believe, but I do believe that the PHI data is more valuable [to hackers] than just like [credit and debit] card PAN. There’s a lot of personal information in there.”

Hospitals can also be valuable ransomware targets. The first-known ransomware attack dates back to 1989, when AIDS researcher Joseph Popp, Ph.D. distributed 20,000 infected floppy disks to fellow scientists in 90 countries. After a victim installed an infected disk, the malware triggered an alert after the 90th reboot asking for $189 to be sent to a post office box in Panama for the user to regain access to the computer. Since those early days, medical organizations have continued to be a prime target for ransomware. And the associated ransom sums have also increased significantly.

Hancock Health, a hospital in Indiana hit with a ransomware attack via an outside vendor, paid four bitcoin to hackers in January 2018, which then was worth approximately $55,000.

Corporate espionage is another hacking motive. Last year, Symantec reported a hacking group it dubbed “Orangeworm” had used a custom backdoor known as “Trojan.Kwampirs” in an attack targeting health care providers, pharmaceutical companies and IT companies serving the health care market. The company detected the malware, which was designed to copy itself and spread to additional endpoints, running on MRI and X-ray machines. The Orangeworm group’s motive was likely corporate espionage, the Symantec report surmised.

To date, many cyberattacks hitting the health care industry have focused on the first and last elements of the so-called “CIA triad,” confidentiality (for instance, corporate espionage or stealing patient records) and availability (for instance, withholding data via a ransomware attack). Cybersecurity researchers warn of the possible threats to the second element, integrity. For instance, researchers at the Ben Gurion University Cyber Security Research Center in Israel showed the feasibility of malware leveraging deep learning to manipulate CT scans by adding fake cancer cells, or deleting real ones, to images, potentially leading to incorrect diagnoses.

While the internet is rife with headlines suggesting hackers could target individual patients with potentially lethal consequences, more traditional commodity malware continues to be a bigger threat. “If there was a case where a patient was killed by an attack on a pacemaker, we likely would have heard about it,” Wueest said. “Of course, if there was a James Bond–kind of scenario where a hacker acted like a hit man targeting a politician or someone else, it would likely be very difficult to prove it was not a battery failure — that it was actually someone hacking.”
