Infection-free hospitals

April 2016

Surgeons with scissorsHow can hospitals protect their medical equipment from malware? Hospitals and their staff are very accustomed to preventing the spread of biological infections, but what about their virtual counterparts? Adam Winn, Information Security Specialist, looks at the issues.

The challenges in protecting hospitals from cyber attacks are very similar to those faced in ICS and SCADA environments; the equipment used in hospitals is not user-serviceable and therefore often running out-of-date software or firmware.

This creates a dangerous situation where:

  1. The devices have known vulnerabilities that can be easily exploited by bad actors;
  2. Administrators are not likely to notice malware running on the device as long as nominal operation is maintained (x-rays continue to take x-rays, etc.).

The end goal of bad actors infecting a medical device is to use it as an entry and pivot point in the network. Valuable patient records are not likely to be present on the medical devices, but those devices often have some level of network connection to the systems that do contain patient records.

What better way to attack a system than to lie quietly on a network node with relatively unrestricted lateral movement to other parts of the network?

What exactly is a bad actor likely to do after getting a foothold on the network? Any number of things:

  1. Move laterally to find patient records that can be used for:
    a. Identity theft;
    b. Blackmail (especially public figures, celebrities, etc.);
  2. Steal research data for financial gain;
  3. Deploy ransomware like Cryptolocker, effectively crippling the facility unless a bribe is paid;
  4. Trigger widespread system malfunctions as an act of terrorism;
  5. Carry out a ‘hit’ on a specific patient.

Without a doubt, there are more activities that could be carried-out by a bad actor, the five listed above are just examples. The first three items are strictly motivated by financial gain, and this has been the extent of observed attacks to date.

The fourth item seems possible but unlikely, either due to morals or the relatively higher value of attacking other targets like power plants or defense facilities. The fifth item hasn’t been detected yet, but that doesn’t exclude the possibility that it has happened.

Carrying out a silent attack with malware would be very hard to trace back to the attacker, and could even be sold as a service (similar to DDoS as a service).

The scenario for #5 sounds like something out of a Tom Clancy novel, but it is completely plausible. The attacker (or entity paying for the attack) would only need to know the target, have knowledge of an upcoming procedure, and know where the procedure was to take place.

One caveat is that identifying which device(s) would be used with that patient, and when, could be difficult but not impossible to know.

Real-world vulnerability examples

Billy Rios, a security researcher, recently went public with a vulnerability that affects drug pumps and could potentially be exploited to administer a fatal dose of medication to a patient. Rios notified the DHS and FDA up to 400 days ago about the vulnerability, and saw no response, so he went public to put pressure on the manufacturer to fix the issue.

400 days is an extremely long grace period - recently some vulnerability disclosure periods have been as short as one or two weeks. Faced with the reality that some medical equipment manufacturers do not invest in securing their devices from exploitation, the onus of security therefore falls on the users of such equipment.

This discovery shows a real-world example of how a cyber attack could affect a medical device and potentially endanger lives. There is no question that this type of threat needs to be taken seriously. The real question is, how can hospitals effectively protect devices such as these?

It’s clear that installing antivirus software on medical equipment is impractical and basically impossible. Furthermore, healthcare IT are relatively helpless to patch the software and firmware running on these devices.

So considering those vulnerabilities, and the difficulty in remotely scanning these devices, the best solution is simply to prevent malware from ever getting to these devices. Thankfully this challenge has already been solved in ICS and SCADA environments.

In a recently profiled attack on hospitals, one of the infection vectors was thought to be a technician visiting a compromised website on a PC with direct access to a picture archive and communication (PACS) system.

The report details that the malware was detected but not before infecting the PACS system. Due to the nature of the system it could not be scanned for malware, let alone cleaned. It was then used as a pivot point to find a system with medical records that could be exfiltrated back to the attacker.

Medical facilities share vulnerabilities with SCADA and ICS, so why shouldn’t they also share protection mechanisms? Critical infrastructure providers, especially power plants, often make use of air-gapped networks as a very effective defense mechanism.

Taking the above story as an example, the PC with a web browser and internet access should not have also had access to PACS. This simple step would have stopped the infection from doing any damage at all. If, for example, the technician needed to download something from the internet and transfer it to PACS then it would have to be transferred onto the air-gapped network.

This provides several benefits:

  1. When transferring the data to PACS, it could have been scanned for malware and even sanitised.
  2. If the malware found its way onto PACS, exfiltration would be much harder or impossible if PACS didn’t have an outbound internet connection.

How sanitisation of the OR compares to preventing cyber infections

Hospitals and their staff are very accustomed to preventing the spread of biological infections and they must now apply similar levels of prevention to preventing the spread of cyber infections. Think of the scrub area outside of an operating room. No matter how ‘clean’ the surgical staff thinks they are, they all invest the same amount of time scrubbing-in before entering the OR.

Furthermore, even after fully disinfecting their hands and arms, the surgical staff put on latex gloves to prevent the transfer of infections in either direction (to or from the patient).

The medical industry is always innovating and improving their ability to prevent the spread of infectious diseases - the paradigm shift from miasma theory to germ theory ushered in a wave of new techniques and best practices.

Even without being able to see or detect germs, medical professionals were able to prevent infection by employing preventive strategies that always assume the presence of germs. Defending against cyber infections, by comparison, is much easier. The medical industry isn’t alone in fighting this threat - they don’t have to invent new techniques for preventing infection, they simply need to adapt the proven strategies employed by other industries.

Simply employing an air gap doesn’t guarantee security, just as putting a scrub room before the OR doesn’t stop viruses and bacteria. The point of the air gap is to create a point through which data movement is carefully controlled. Additional measures must be employed to ensure that pathogens are not allowed access.

In medicine these measures consist of removing foreign material with soap and water, and disinfecting with various antimicrobial agents. It’s not practical to scan doctors and nurses for bacteria, so every surface is assumed to be contaminated until sufficiently cleaned and disinfected.

The control point in a data flow is comparatively easier to maintain, as there are techniques for quickly finding infections on media moving through the air gap. For extra protection, any files deemed ‘clean’ can still be disinfected to completely eradicate the possibility of a threat going undetected.

Image: iStock/498744732

Comments (1)

Leave Comment
  • 1
    Lahiru wrote on 8th Apr 2016

    The topic has gained its full potential but still the digital devide has taken its place on some points. Thanks a lot for the info sir.

    Report Comment

Post a comment

Blueprint for Cyber Security

Our vision is a world properly protected from cyber threat. This blueprint sets out how we can deliver that solution, starting in health and care.