Criminals leverage medical devices for targeted attacks, says Dale Nordenberg of the Medical Device Innovation, Safety and Security Consortium. Karen Epper Hoffman reports.
Last December, the popular Showtime series Homeland featured a surprising plot twist where terrorists wirelessly hijacked the fictional vice president’s pacemaker and delivered enough electric shocks to kill him. Was this turn of events unlikely? Maybe. But not implausible.
Indeed, common medical devices – such as pacemakers and defibrillators, as well as other kinds of networked medical equipment used by hospitals – are subject to potential security breaches, either by targeted attack or, more likely, by falling prey to routine malware.
“The threat is omnipresent,” says Dale Nordenberg, co-founder and executive director of the nonprofit Medical Device Innovation, Safety and Security Consortium (MDISS). “We must assume that nearly every device is hackable. The vast majority are vulnerable to malware. Many are vulnerable through poor password management practices.”
MDISS was launched about three-and-a-half years ago, by Kaiser Permanente and the Veterans Administration, as a response to the continuing concerns surrounding the security and interoperability limitations of medical devices, says Nordenberg. The consortium collaborates with more than 40 health care systems to identify issues and define requirements, and convey them to manufacturers of medical devices and other stakeholders, including technology companies and government agencies, like the Food & Drug Administration (FDA), National Institute of Standards and Technology (NIST), and the Department of Homeland Security (DHS).
Nordenberg, who is also president of Novasano Health and Science, a company that delivers services and products to accelerate innovation in health care and life sciences with a particular focus on leveraging the strategic application of information resources, says that while there are some variances – devices that operate on Windows or Linux are likely more vulnerable than those that use less common proprietary operating systems, for example – it should be assumed that “the threat is enormous.”
The move to more interconnected, networked and common technology platforms in health care, while it serves to support great advancement, has also opened the door to the same kind of attacks and malicious code that are seen commonly in many other industries, and on many other types of equipment. “Manufacturers really didn’t need to pay a lot of attention to medical device security when they ran on closed loop proprietary networks,” says David Attard, administrative director for health care technology for Harris Health System in Houston (formerly Harris County Hospital District). “As we have pushed for integration of information systems, electronic medical records and inter-hospital information exchange we have had to relook at how devices are managed within our facilities to include consolidating on customer-owned networks – this has created device security and hardware incompatibility issues – before vendors have reacted to developing more secure devices.”
And, the issues may not be isolated only to newer technologies or equipment on an open network. Attard points out that while equipment at risk could include any device that transmits patient information or receives software updates via Wi-Fi over hospital networks, he’s seen viruses introduced through vendor demos of equipment connecting to his company’s network. This, fortunately, was quickly stopped by an internal policy. However, that does not mean older equipment is immune.
“To me the devices most at risk are some of the more legacy systems that aren’t able to be updated as system security patches are available due to conflicts and shutting devices down,” Attard says. This has resulted in his team having to isolate some of these devices, like the legacy cardiology information system, or limit their functionality.
Axel Wirth, distinguished systems engineer and solutions architect for the U.S. health care industry segment at Symantec, says the issue of medical device security came to his attention about four years ago when one of the company’s clients suffered a malware outbreak that affected its entire medication delivery system. Since then, he says, “The problem has been very widespread. I haven’t met a client without a story to tell.”
As Wirth points out, there are two main scenarios of medical equipment breach: One is the potential “targeted attack” on a pacemaker or an insulin pump, for example (like in the Homeland episode), with the goal ostensibly to do harm to the patient using the device. The second, and much more prevalent issue is the infection or intrusion on medical equipment, which are commonly run in a hospital on operating systems like Java and Windows. The personal medical device attack, which has been demonstrated several times at conferences and clearly “could literally kill someone,” according to Wirth, has yet to happen in the wild. But the issue of malware on standard software devices in health care has been growing significantly in recent years, say industry observers.
“And what’s interesting is that this is something that neither the manufacturers nor the hospitals were talking about for years,” says Wirth. “I’ve only recently seen it being publicly discussed.”
Drawing attention to the problem
Medical device security is squarely in the sights of the U.S. Food and Drug Administration (FDA), the governmental body most directly responsible for regulating medical devices. In June, the FDA issued a safety communication and draft guidance on cyber security and medical devices, pointing out the increased risk of breaches due to the interconnectivity via the internet between medical devices, hospital networks and other medical devices, according to Bill Maisel, deputy director for science at the FDA’s Center for Devices and Radiological Health.
“FDA has seen trends indicating an uptick in cyber security vulnerabilities and incidents that could directly impact medical devices or hospital network operations,” says Maisel. “These vulnerabilities, if exploited, could potentially affect the operation of the devices and possibly impact hospital networks.”
Maisel added that the FDA was not aware of any actual patient suffering harm as a result of such vulnerabilities. “The FDA is aware of dozens of cyber security vulnerabilities and incidents affecting hundreds of devices,” he says, “but we have no information to suggest that any devices or systems have been specifically targeted, nor that any patients have been harmed as a result of the security vulnerabilities identified.”
Several stalwart security researchers have played a role in bringing to light some of these vulnerabilities in recent years. At a McAfee-sponsored conference in 2011, well-known hacker and computer security professional Barnaby Jack demonstrated the hacking of an insulin pump, where he took control of two separate pumps wirelessly using a high-gain antenna. Jack demonstrated the wireless takeover of a pacemaker – similar to the Homeland scenario – at a 2012 conference in Melbourne. Jack, most recently director of embedded device security for IOActive, died suddenly in July, a week before he was slated to present at Black Hat 2013 on hacking heart implants. Security researcher and Type 1 diabetic Jay Radcliffe also caused a stir when he demonstrated the hacking of his own insulin pump at the 2011 Black Hat conference.
Shane Clark, a former medical device researcher at the University of Massachusetts at Amherst and currently a research scientist at BBN Technologies, conducted numerous tests on medical devices, including pacemakers and defibrillators, while working with Kevin Fu, now of the University of Michigan. “Back when we published our first paper, manufacturers didn’t want to hear about security,” he says. “They were so defensive, they said they had ‘no reported issues,’ that it was not a problem. Now they are taking it more seriously.”
And it makes sense that they would take the issue more seriously. Not only are there more and more reports of vulnerabilities, but as devices are able to be programmed from increasing distances, as networked technologies are embraced and as more people use implantable devices especially, “the attack surface will increase over time,” says Clark.
As Novasano’s Nordenberg says, it’s not necessarily the vulnerabilities or breaches that have already manifested, but those that could in the near future. “My biggest concern is what we don’t know,” he says. “We are all still at a very early stage of defining and quantifying the risk and associated adverse events. It is only logical that the most vulnerable devices on a health enterprise network, the medical devices, are being adversely impacted. Only 20 percent of malware has an identifiable signature and the rest needs to be detected by complex algorithms.”
Right now, Nordenberg says, it’s not just remote hacking that hospitals have to worry about, but also the ability for hospital visitors to gain easy access to medical devices that often have passwords that are openly available on the web. This passwords issue is one of many that have been reported to government regulators by the team of Billy Rios and Terry McCorkle, both managing directors at Cylance, an Irvine, Calif.-based provider of cyber security products and services.
In January, the pair were able to exploit critical vulnerabilities and gain root access to two popular medical management platforms made by Philips, which would allow would-be hackers to gain access to patient records and operate other medical devices on the system that uses the same popular standard. The findings led to the DHS and FDA to force Philips to fix those system holes earlier this year. Together, Rios and McCorkle have identified more than 300 vulnerabilities on medical equipment – from patient monitors to drug infusion pumps to surgical devices – many which can be exploited remotely. One big issue is that many manufacturers program backdoor passwords into their equipment, which opens a hole that hackers can exploit. “We reported 300 backdoor passwords in medical devices,” says Rios, “but we could have easily gone to 10,000 if we wanted to.”
Worse before it gets better
While medical device manufacturers and hospitals are more apt to acknowledge the potential for medical device breaches in recent months, the problem still could get worse before it gets better due to more connected systems and lack of good security practices. Harris Health System’s Attard, who has been following security issues surrounding medical devices for more than a decade – for the Department of Defense prior to private industry – believes the move toward newer technology is part of the issue. “As we rely more on consolidated networks – customer supplied clinical networks versus vendor-specific proprietary networks – devices and our system networks have become more susceptible due to a lag in the medical device manufacturers’ need to provide more secure devices,” he says.
Nordenberg points out that most medical devices are rapidly moving toward being connected devices, which he believes will put an enormous burden on health systems to integrate these devices on their network. It certainly increases the risk for malware or hacking-associated adverse event, he says.
“Breach risk is increasing because the number of networked medical devices is increasing and there is a national priority placed on interoperability to optimize health care quality outcomes, says Nordenberg. “So that as devices are configured for improved data sharing they are also more vulnerable to hacking and malware. As more attention is placed on medical device security, we are likely increasing the interest of the hacker and malware community since this is a newer frontier and challenge.”
Cylance’s Rios point out that while medical equipment that runs on Windows or Linux may be susceptible to some of the same kinds of viruses, the fixes on medical equipment take much longer. “It’s not like your monthly Windows update,” he says. “When Philips creates a fix, they issue a field change order and a Philips technician needs to travel to every hospital that has one of their [machines],” says Rios. “It doesn’t scale at all.”
His partner McCorkle adds that another factor is that more and more medical professionals are bringing their own devices, like tablets and smartphones, to use at work. This also increases the potential risk of viruses and vulnerabilities in the network. “There’s more pressure to put more and more devices on this network that weren’t necessarily designed to be on this network,” says McCorkle.
In addition to the widespread availability of exploits for medical devices, the security on most hospital networks leaves a lot to be desired, says McCorkle. “If you manage to get yourself on a hospital network, it’s open season,” he say. “You can get on any device you want.” McCorkle adds that since hackers will see these vulnerable medical systems as low-hanging fruit, attempts on these systems will only grow. “You don’t even need to find an exploit,” he says. “You can get on with passwords.”
Prescription for success
While best practices are not well-established in this nascent area of security, industry observers say that there is more that can be done to improve matters. McCorkle says there needs to be “an internal process” to oversee the currently manual process of tracking and managing necessary fixes. Rios adds that in the short-term, health care CSOs may not be able to fully depend on their device manufacturers to let them know where the vulnerabilities lay. “We have to figure out our own way to protect patients,” he says, adding that leadership from the FDA is starting to help.
Indeed, the FDA’s safety communication, entitled “Cybersecurity for Medical Devices and Hospital Networks,” makes several recommendations to hospitals and health care systems about steps they can take to evaluate their network security and protect their computer systems, says Maisel at the FDA. Among the communication’s suggestions: restricting unauthorized access to the network and networked medical devices; making certain appropriate anti-virus software and firewalls are up-to-date; monitoring network activity for unauthorized use; protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services; contacting the specific device manufacturer in the case of a cyber security problem related to a medical device; and developing and evaluating strategies to maintain critical functionality during adverse conditions. Separately, in its June alert, the FDA recommended strengthening user IDs and passwords, and potentially looking to stronger authentication, such as biometrics. “Cyber security incidents are increasingly likely, and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery,” according to the alert.
Symantec’s Wirth suggests that manufacturers need to do a better job protecting devices (“across the board, they’ve done a pretty poor job,” he says), and hospitals need to do a better job of secure integration. He also stresses the need for better IT security education for biomedical engineers, so they can properly understand how to integrate and manage equipment, how to deal with a virus outbreak, and how to help improve communication between manufacturers and hospitals. Wirth also calls on hospitals to be aware of who they let onto their network, since many malware infections still enter hospital networks in simple ways – like the service technician with an infected USB stick.
“Because more and more devices are being networked, this is going to be an increasing problem,” Wirth says. “Hospitals need to be very vigilant to minimize impact and exposure.” BBN Technologies’ Clark agrees: “This is a legitimate day-to-day concern for administration at health care facilities. It deserves more attention than it’s getting.”
Harris Health System is already among the hospital systems taking steps, according to Attard. The health care concern has monthly biomedical/IT integration meetings that consist of project reviews for all projects that may require network connectivity or information exchange with other area hospitals. “This provides visibility of device and potential risk considerations for pending purchases to all necessary stakeholders,” Attard says. “We also have standardized IT and information security requirements within our equipment procurement model and have agreed, with clinical support, that devices posing risk cannot be connected to the network and may have limited functionality in use.” At times, he adds, if it’s the only device available that can perform a specific function, a limited-function decision will be made.
The MDISS is doing its part to help device manufacturers, technology companies and hospitals work together. “In the past 12 months, we have seen a very significant increase in the awareness of this important public health problem,” says Nordenberg. “Many more organizations are investing attention and resources to study and mitigate risk. We are seeing much clearer and impactful conversations between manufacturers and buyers, and all other stakeholders.”