People often ask why someone would want to hack into a medical device. The first question, however, should be why Healthcare is the most hacked vertical of all. Experts say that it is easier to penetrate a healthcare organization because of the inherent complexity. But more importantly, the value of health records in the black market is very high. According to a recent article published on CNBC, a health record could fetch up to $1,000, which is almost 40 times the highest value gained from selling a social security number or banking information. The reasons are simple:
Health records also include social security number and other payment information.
Information included in a health record can be used to run many frauds such as getting healthcare services on someone else’s account, getting unauthorized prescription medications, etc.
Health records contain private information that could make an individual very vulnerable in a social or professional setting, which increases legal liabilities on healthcare providers.
At the same time, altered health data could have serious patient safety concerns. So, cyberattacks on healthcare for terrorism is also not unthinkable. Media has reported North Korea responsible for last year’s WannaCry attack that brought UK’s National Health Services (NHS) as well as many hospitals down. Not Peyta attack last year was aimed at Ukraine by Russia but ended up creating $10+ billion global damage including impacts to Princeton Community Hospital in West Virginia and Heritage Valley Health System in Pennsylvania. In the recent supposed state sponsored attack, 1.5 million patient records were breached in Singapore because the hackers were after Prime Minister’s private health information. So, there are many reasons why cybercriminal target healthcare.
Why medical devices?
Healthcare organizations are increasingly connecting medical devices (i.e. Internet of Things devices) to the Electronic Health/Medical Records (EMR/EHR) systems to improve employee productivity and patient care. FBI, however, warned in the August 2 (2018) public service announcement that these devices are being targeted by cybercriminals. Attackers exploit vulnerabilities of the medical devices to hack into hospitals’ enterprise networks to access Protected Health Information (PHI). Medical devices offer relatively easy access and entry point for cyber-attackers.
Medical devices are often the direct interfaces with patients. Consequently, malfunctioning of compromised medical devices could lead to serious patient safety concerns. Cyber-attackers could use such devices for ransomware or cyber terrorism. In a feasible scenario, although a cyber-attack may not be targeted at a device, the fact that the device has a vulnerability matching the malware’s target profile, makes it a candidate for an infection. It could potentially lead to operational downtime or patient safety event without intending.
Many of the medical devices contain patient health information and respective clinical data. For example, infusion pump ecosystem could include patient information and drug library dosing limits. Cyberattackers could hold these data hostage or threaten to manipulate for ransom. Again, the manipulated clinical data could lead to significant patient safety concerns.
How are they attacked?
There are many ways in which cyberattacks impacting medical devices can take place. While immediate thoughts go to hacking or network related cyberattacks, data suggest that many other mechanisms could be exploited. For example, if causes of health data breaches were to provide any indication of what likely would happen to medical devices impacting cyber-events, one would not want to underemphasize other mechanisms in addition to hacking. Potential of cyberattacks by insiders and/or via unauthorized access to either medical devices or the connecting network cannot be taken lightly because of the high market value tied to PHI and easier access to the medical devices. In fact, insiders led attacks are more common in Healthcare according to a HIPAA journal report.
“The healthcare industry is something of an anomaly when it comes to data breaches. In other industries, hacking/IT incidents dominate the breach reports; however, the healthcare industry is unique as insiders cause the most data breaches.”
- HIPAA Journal
Some of the medical device involving potential cyberattacks are better understood via following scenarios:
In this case, an attack may not be targeted at medical devices per se. Attackers cast broad net by gaining access to the network using one of many potential attack vectors including phishing and injecting a malware. The malware then spreads by exploiting vulnerabilities in devices that match the profile. Because many medical devices use commercial off-the-shelf components, they could also fit the target profile. For example, many medical devices, including Bayer’s radiology systems, were impacted during the WannaCry attacks last year.
In cases of WannaCry and Not Petya, attackers used NSA (National Security Agency) developed penetration tool known as EternalBlue, which took advantage of vulnerability in a particular Windows protocol, to gain access to network and infect devices.
Exploitation of known device vulnerability:
In this scenario, attackers look for the devices with known vulnerabilities. These can be device inherent software vulnerabilities or operational vulnerabilities. For example, many medical devices have commercial off-the-shelf software components (e.g. Windows XP). Attackers look for the devices that aren’t patched for the known vulnerabilities in these software components to target. Similarly, attackers can also look for operational loop-holes. For example, if a device has open USB ports that aren’t disabled and the device is easily accessible in the hospital by anyone, attackers can physically gain access to those ports to infect. Attackers can steal valuable PHI; they can hold the information, threaten to manipulate patient data or control the device for ransom; they could even impact patient health in case of cyber terrorism.
Earlier in the year, the Orangeworm group attacked high value industries including healthcare infecting many medical imaging devices. It exploited vulnerabilities in older operating systems like Windows XP and installed a custom backdoor called Kwampir to collect operational data from the devices.
Accessing user credentials:
Attackers can also gain access to user credentials to control a medical device. Many times, the factory default credentials aren’t changed; in such a case, a simple google search can even reveal the credentials at times. Sometimes weak passwords are used.
Attackers can use more sophisticated ways to get hold of user credentials. For example, many times manufacturers maintain remote access to the medical devices. An attacker can gain access to a manufacturer’s employee’s credentials via a simple phishing attack in an event in which the credentials were stored in the browser cache while accessing a device remotely. The attacker can then use the credentials to get control of the device. A similar method was used in the Hancock Hospital ransomware. In a different case, an older version of an infusion pump has a removable media that includes credentials. Anyone with physical access to the device can easily obtain these credentials.
A packet analyzer, also known as sniffer, is a tool to intercept and log traffic passing over a digital network. Using a sniffer, a hacker can detect the data packets that are sent out from the connected medical devices. Practices involving either transmitting unencrypted data or using a WEP type easier encryption method make the devices and network easier target for hacking. At the same time, many legacy medical devices don’t support newer standards like WPA2, WPA2-PSK, etc. All of these increase the risk of sniffer attacks. These attacks are done passively without leaving any visible traces.
In a sniffing attack, Wi-Fi router is a preferred target because it contains all of the traffic data of the network. In other words, it contains all information required to control each device connected to the network.
Spoofing is about making an illegitimate device to look like a legitimate device to access the network. Once the access to the network is obtained, a malware can be injected and spread to all other devices on the network. Recently, Doug McKee of McAfee demonstrated how an attacker can trick bedside equipment into sending diagnostic information to a third-party computer instead or before sending it to the monitoring station using a spoofing technique. This potentially allows injecting a malware on the network or manipulating data that goes to the monitoring station for clinicians’ care decisions.
Many of the medical devices aren’t stationary. In other words, clinicians and technicians move them where they are needed. As a result, they aren’t often well tracked. In a busy hospital environment, attackers can steal medical devices with patient and clinical information. They could also potentially infect the stolen devices with a malware and put them back onto the hospital network to spread the malware.
There are many other ways in which cyberattacks on medical devices can take place. Cybercriminals spend incredible amount of time and resources in planning their attacks. There is a lot for them to gain. At the same time, we have a lot to lose as the cyberattacks pose both patient safety and data security risks. In absence of appropriate preventive measures, the risk only increases under the Internet of Medical Things (IoMT) trend. The best preventive measure calls for building a culture of security, which requires engagement from all stakeholders including consumers, providers, regulators, device/system/software vendors and payers. More importantly, it requires all of them to act with a sense of urgency.
MediTechSafe has developed a proprietary solution to help hospitals manage their cybersecurity, medical devices and clinical networks related risks considering both IT and Operations Technology (OT) needs. If you are a healthcare provider (or a biomed services provider) interested in learning more about MediTechSafe’s solution, you could reach us at firstname.lastname@example.org.