Vulnerabilities in healthcare devices show up woeful lack of security
Healthcare sector "10 to 15 years behind" in security according to expert
Healthcare security is lagging behind the rest of the security industry and will reach “breaking point” soon if action is not taken, according to a security advocate.
Scott Erven, associate director at the consulting firm Protiviti, was at Kaspersky's Security Analyst Summit and told security blog Threatpost, that the industry is “10 to 15 years” behind the retail sector when it comes to protecting devices from security threats and the breaking point will come “sooner” rather than later.
Erven has spent 15 years looking at security, with a focus on medical devices and said that a simple search on Internet of Things search engine Shodan for anaesthesia revealed a host of systems exposed to the wider internet with Server Message Block (SMB) open. This meant that details such as host names and other identifiable information was leaking out and potentially into the hands of hackers.
Systems, such as cardiology systems, infusion systems, and MRI machines, all showed vulnerabilities with Erven and fellow healthcare researcher Shawn Merdinger discovering 30 flaws in total. Some involved an old remote code execution flaw form 2008 (MS08-067), which could enable hackers to gain access to a network. The same flaw was used to devastating effect by the Conficker worm.
“Prior to devices entering the market, there's no validation of security controls,” said Erven. He added that from studies on honeypots set by security researchers that hackers were actively involved in research vulnerabilities in healthcare systems.
Steve Ward, senior director at iSIGHT Partners, told SCMagazineUK.com that although he is uncertain about how representative those findings are, medical networks and medical devices are often ill-equipped to deal with the threat faced by targeted and widespread adversary operations.
“Inability to access patient files, theft of patient data, network denial of service, and editing of healthcare data could all pose a significant threat to services,” he said.
He said that ransomware attacks, such as the one carried out on the Hollywood Presbyterian Medical Center, and the large amount of money demanded, meant that hackers would have especially targeted such organisations as the victim, “would be likely to pay the large ransom to access life-saving computer services and files. As a rule, network asset segmentation can help enterprises distribute the value of a company's assets, thereby mitigating overall risk."
Cesare Garlati, chief security strategist of prpl Foundation, told SCMagazineUK.com that security around medical devices and IoT in general is “fundamentally broken”.
“This isn't just about data breaches and reputational damage anymore – lives are quite literally on the line. Most vendors operate under the misconception that security-by-obscurity will do and to make matters worse, the software in so many embedded devices contains a potentially fatal original sin – it's not signed. Most significantly, this lack of separation on the device opens up a huge array of lateral avenues for attackers,” he said.
Jonathan Sander, VP of product strategy at Lieberman Software, told SCMagazineUK.com that the security vulnerabilities found in medical devices could lead to someone's death in the same way that walking on the pavement could lead to your death if a driver decided to mount the curb and aim for you.
“Most breaches and exploits happen for some reason. Bad guys infect your machine with Cryptowall to blackmail you, but if they kill you with a faulty medical device who would pay them? Of course, maybe someone is paying them to kill you or they are just a psychopath entertaining themselves. These are hardly likely, but not impossible."
Jens Monrad, consulting systems engineer at FireEye, told SC that while he had not seen any examples of a vulnerable healthcare system being exploited, leading to the death of someone, it is possible that in the future we might see this.
“This can become a realistic scenario because we do see that more and more critical infrastructure is being directly connected to the Internet due to availability, limited on-site resources, etc.”
“Traditionally the healthcare industry has been a target for cyber-criminals trying to steal PII (Personal Identifiable Information) and healthcare records, but in the future we might also see attacks on equipment, with potentially fatal outcomes,” he warned.