Despite the fact that patient privacy and data security have been a top priority for the medical industry since the passage of the HIPAA data privacy act in 1996, hackers continue to find ways to infiltrate hospital networks and steal patient data.
Many are seeking valuable healthcare data as health insurance credentials can be worth twenty times the value of a credit card on the black market. Cyber criminals are successfully searching for and finding weak links in the medical industry security chain.
According to the recent MedJack report from TrapX Security, medical devices are often the weak link that opens the door to attack.
The findings of the MedJack report are really not surprising. The report provides details of criminals hijacking medical devices and using the compromised devices to launch broader attacks against the hospital’s “secure” networks.
Hackers can attack easily because the security of the medical devices is weak. Once a medical device or system was compromised, the intrusion remained undetected for a significant period of time, enabling the hackers to gain further access into the network, discover medical records, and finally exfiltrate the medical record data. The reported attacks include:
- Healthcare records stolen from a hospital in which hackers compromised Blood Gas Analyzers (BGA) in the hospital laboratory. From this beachhead, they were able to move through that network collecting information and exfiltrating it back out through the BGA devices.
- Healthcare records stolen from a hospital in which hackers infected a Picture Archive and Communications System (PACS) in the hospital radiology department. Using malware installed on the PACS system, hackers were able to move through that network collecting information and exfiltrating that information to a location in Guiyang, China.
- Healthcare records from another hospital were discovered through compromised X-ray equipment. From the compromised system, hackers were able to expand their reach through that network gathering a wealth of information.
Legacy devices in modern networks
Because many current medical devices are based on designs that predated the pervasive cyber-threats that we see today, they are not prepared to ward off attacks.
Decades ago there was no concept of the web – systems and devices were manufactured without any awareness that sometime in the future they could be connected to an international digital network that anyone can access.
The World Wide Web had just been invented, the internet was barely in its infancy and not used by the general public (the first commercial dial-up Internet Service Provider was formed in 1990).
AOL and dial-up bulletin boards ruled the day. The concept of security by isolation was an appropriate design choice at the time. As MedJack illustrates, that approach to security is no longer viable.
Surprisingly, many newer medical devices are still based upon older insecure designs. The basic software architecture of many of the devices used in hospitals and medical clinics today is based on designs that may be a decade old or more.
New versions of these systems may have been developed to support graphical or touchscreen user interfaces, enable greater connectivity to IT networks and increase ease-of-use, but security has been largely ignored when building new versions of these old designs.
Even in the design of “brand new” systems, security has rarely been a significant priority.
Only in the past few years have device manufacturers begun to emphasize security for embedded devices, and then only a few forward-looking companies. All too often, security is still an afterthought. Clearly that has to change.
While the security problem may never truly be solved, more needs to be done. It is time to begin designing security into devices, not adding it as an afterthought.
Securing next generation medical devices
Building medical devices that will withstand the types of cyberattacks that we have seen in the MedJack report requires incorporating security from the early stages of design.
There are several aspects to creating a secure device, including threat modeling, secure design processes and use of a security framework to ensure critical security features are provided.
Key function requirements for ensuring the security of a medical device include:
- Secure boot
- Secure firmware updates
- Intrusion detection capability
- Embedded firewall
- Security event reporting
- Support for command audit log
- Management system integration/remote policy management
- Encrypted data storage
- Security protocol support
These are basic security capabilities found in existing IT systems. It’s time to start including these capabilities in new medical devices.
Protecting legacy devices
Securing new devices is only part of the solution. There are many thousands of insecure medical devices in use today and it will take years to upgrade to newer, secure versions.
In some cases, more secure replacements are not yet available. Installing the latest security patches is an important first step, but is not enough to ensure that these devices are actually secure.
For existing devices, it is possible to add a low cost bump-in-the-wire (BITW) security device that can provide virtual network segmentation, firewall services, protocol filtering, access controls, SSL tunneling and intrusion detection. This allows security to be added for a fraction of the cost of device replacement.
Intrusion Detection for embedded devices
Most cyber-attacks don’t happen as portrayed on TV. Hackers don’t penetrate a network, discover the critical information they are seeking, and execute a destructive cyber-event with a few keystrokes or in a matter of minutes. It can take weeks or months.
As the MedJack report shows, a cyber-attack begins with a hacker or hacking group probing a network, searching for vulnerabilities and targeting insecure devices. Once access is gained, they can then pivot and use this access point for reconnaissance, exfiltration of data, and to penetrate deeper into the network.
This cycle of probing, exploiting vulnerabilities, gaining access, reconnaissance and exfiltration of data occurs over an extended time period, often lasting several months.
Obviously, the earlier that attacks are detected, the easier mitigation becomes and the greater the chance of limiting or preventing serious damage or loss of information.
Medical devices protected by a BITW security device or that have built-in security protection can report anomalous network activity to help detect cyber-attacks.
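The following is an added example, not code from the MedJack report, TrapX or any vendor product: a minimal policy monitor of the kind a bump-in-the-wire device in front of a legacy instrument could run. It applies a destination allowlist and protocol filter to the device's network flows, flags outbound traffic to hosts outside the hospital's address space and unusually large transfers, and separates the denied flows into security events that would be reported upstream. The flow records, the blood gas analyzer's address (10.20.5.17), the laboratory information system address (10.20.5.10), the HL7 MLLP port (2575), the internal network range and the byte threshold are all constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One network flow summary as a BITW device might log it."""
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


@dataclass(frozen=True)
class DevicePolicy:
    """Per-device policy: who the device may talk to, on which ports,
    which networks count as internal, and how much it may send per flow."""
    device_ip: str
    allowed_peers: frozenset
    allowed_ports: frozenset
    internal_nets: tuple
    max_bytes_per_flow: int


# Constructed sample flow log: "<timestamp> <src> <dst> <dport> <proto> <bytes_out>".
# Line 1: normal result upload to the LIS. Line 2: SMB to another internal host.
# Line 3: large transfer to an address outside the hospital network.
# Line 4: the LIS polling the analyzer (legitimate inbound traffic).
SAMPLE_FLOWS = """\
2015-06-01T02:13:07Z 10.20.5.17 10.20.5.10 2575 tcp 2048
2015-06-01T02:14:11Z 10.20.5.17 10.20.5.33 445 tcp 4096
2015-06-01T03:02:55Z 10.20.5.17 203.0.113.45 443 tcp 52428800
2015-06-01T03:05:00Z 10.20.5.10 10.20.5.17 2575 tcp 512
"""

# Hypothetical policy for a blood gas analyzer: it only needs to exchange
# HL7 messages with the laboratory information system.
BGA_POLICY = DevicePolicy(
    device_ip="10.20.5.17",
    allowed_peers=frozenset({"10.20.5.10"}),
    allowed_ports=frozenset({2575}),
    internal_nets=(ipaddress.ip_network("10.0.0.0/8"),),
    max_bytes_per_flow=1_000_000,
)


def parse_flow(line: str) -> Flow:
    ts, src, dst, dport, proto, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), proto, int(nbytes))


def is_internal(addr: str, policy: DevicePolicy) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in policy.internal_nets)


def evaluate(flow: Flow, policy: DevicePolicy):
    """Return (action, reasons) for one flow; any reason means DENY."""
    reasons = []
    if flow.src != policy.device_ip:
        # Inbound to the device: only approved peers may initiate.
        if flow.src not in policy.allowed_peers:
            reasons.append(f"inbound from unapproved host {flow.src}")
        return ("DENY" if reasons else "ALLOW", reasons)
    # Outbound from the device: allowlist, protocol filter, egress and volume checks.
    if flow.dst not in policy.allowed_peers:
        reasons.append(f"destination {flow.dst} not in allowlist")
    if flow.dport not in policy.allowed_ports:
        reasons.append(f"port {flow.dport}/{flow.proto} not permitted")
    if not is_internal(flow.dst, policy):
        reasons.append("external destination: possible exfiltration")
    if flow.bytes_out > policy.max_bytes_per_flow:
        reasons.append(f"volume {flow.bytes_out} bytes exceeds per-flow limit")
    return ("DENY" if reasons else "ALLOW", reasons)


def monitor(log_text: str, policy: DevicePolicy):
    """Evaluate every flow in the log and return one event record per flow."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        action, reasons = evaluate(flow, policy)
        events.append({"ts": flow.ts, "src": flow.src, "dst": flow.dst,
                       "action": action, "reasons": reasons})
    return events


def security_events(log_text: str, policy: DevicePolicy):
    """Only the denied flows, i.e. what the BITW device would report to a management system."""
    return [e for e in monitor(log_text, policy) if e["action"] == "DENY"]


if __name__ == "__main__":
    for e in security_events(SAMPLE_FLOWS, BGA_POLICY):
        print(e["ts"], e["src"], "->", e["dst"], e["action"], "|", "; ".join(e["reasons"]))
```

The allowlist alone blocks both the lateral SMB connection and the external transfer; the separate egress and volume reasons are what make the event useful to an analyst, since they distinguish a misconfigured internal peer from behaviour that looks like the exfiltration pattern described above. A real deployment would carry the internal network ranges and per-device peers from the management system rather than constants.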
Summary
The problems outlined in the MedJack report are not isolated incidents; rather, they highlight systemic problems with medical device security. Cybercriminals understand how vulnerable these devices are and actively target medical devices.
Medical device companies must adopt a “security first” approach. Security must be considered a critical requirement starting with a hardware platform that provides security features.
Adoption of a security framework that provides device protection, data protection, secure communication and that enables security management for the device provides the additional required layers of security.
System integrators, data service providers and end users need to extend their defenses to ensure legacy devices are protected. Bump-in-the-wire security devices can provide a missing layer of protection for otherwise insecure legacy devices.
The MedJack report shows how far we still have to go to protect medical data from cybercriminals. Stopping these attacks requires a long-term commitment and a “security first” mindset. If we don’t, attacks like those outlined in the MedJack report will continue to make headlines.