June 17, 2016

Getting sick is doubly dangerous: Medical equipment is vulnerable to hackers

Security Threats

Almost every cyberattack has the same goal — stealing someone’s money. However, as a vast variety of equipment is getting connected, a buggy device can lead to more serious consequences than money loss. What about human health and life?

Getting sick is doubly dangerous: Medical equipment is vulnerable to hackers

Take connected cars, a perfect example of how a device can pose a great risk to life and limb. A malicious party taking control over a self-driving car can easily lead to an accident. Smart medical equipment is also at risk. Devices designed to keep us healthy can be also used to do the opposite.

To date, we know of zero documented cases of compromised medical equipment directly harming human health. However, experts regularly find new vulnerabilities in medical devices, including bugs that could be used to cause serious physical harm.

Because stealing money and harming people physically are disparate actions, one might hope that hackers will refrain from taking such steps for ethical reasons. But it’s more likely criminals haven’t turned to hacking medical devices simply because they don’t (yet) know how to gain easy profit from such attacks.

Actually, cybercriminals have repeatedly attacked hospitals with Trojans and other widespread malware. For example, in the beginning of this year, a number of ransomware infections hit medical centers in the United States, including Hollywood Presbyterian Medical Center in Los Angeles.

The Los Angeles hospital paid $17,000 to get its records back. However, when Kansas Heart Hospital tried to do the same, the crooks didn’t give them files back, demanding more money instead. As you can see, we cannot rely on ethical imperatives to stop criminals: Some will always be happy to attack medical establishments for easy money.

Medical equipment undergoes required inspection and certification — but only as medical equipment, not as connected computer technology. Fulfilling cybersecurity requirements is recommended, of course, but remains a matter of vendor discretion. As a result, many hospital devices suffer from obvious flaws, long known to competent IT specialists.

The U.S. Food and Drug Administration regulates the sale of medical devices and their certification. Trying to adapt to the evolving connected environment, the FDA released guidelines for manufacturers and health-care providers to better secure medical devices. In the beginning of 2016, a draft of a sibling document was published. But all of the measures are just advisory. So it’s still not mandatory to secure medical devices that are critical to saving human lives.

Fatal negligence

Equipment manufacturers can ask cybersecurity experts for help, but in fact they often do just the opposite, declining even to provide their devices for testing. Experts have to buy secondhand equipment on their own to check how well it is protected. For example, Billy Rios, who knows connected devices inside and out, occasionally examines medical devices as well.

About two years ago, Rios tested Hospira infusion pumps, which are delivered to tens of thousands of hospitals around the globe. The results were alarming: The drug injection pumps let him change settings and raise dose limits. As a result, malefactors could cause patients to be injected with larger or smaller doses of medicine. Ironically, these devices were advertised as error-proof.

Another vulnerable device Rios found was the Pyxis SupplyStation, produced by CareFusion. These devices dispense medical supplies and facilitate account keeping. In 2014, Rios found a bug that let anybody inside the system.

In 2016, Rios turned to the Pyxis SupplyStation once more, this time with fellow security expert Mike Ahmadi. The duo discovered more than 1,400 vulnerabilities, half of which are considered very dangerous. Though third-party developers were to blame for a great number of the bugs, and experts analyzed only an older-model Pyxis SupplyStation, those vulnerabilities are still greatly troubling.

The thing is, these solutions were at end-of-life, and despite their widespread use, the developers did not provide any patches for them. Instead, CareFusion recommended customers upgrade to new versions of equipment. Organizations that did not want to upgrade received a list of tips on how to minimize the risk of those systems being compromised.

It’s hard — and expensive — to update old equipment. But, for example, Microsoft had already abandoned the operating systems installed on the devices, leaving them fundamentally vulnerable. The latest versions of the Pyxis SupplyStation run on Windows 7 or later and are not vulnerable to those bugs.

Kaspersky Lab also provided cyberstructural tests for hospitals: Our expert Sergey Lozhkin was invited to take part in the experiment and hack medical equipment, including a tomographic scanner.

Of course, the abovementioned cases were carried out as experiments — to show how easily criminals could repeat this if they wanted — not to cause any actual harm!

Who is to blame, and what should we do?

The service life of medical devices is much longer than your smartphone’s lifecycle. Dozens of years for an expensive piece of equipment is not long at all. Moreover, although the latest devices are less vulnerable than outdated ones, with time and without proper support they are going to become as buggy as their older counterparts.

As Mike Ahmadi explains: “I think it’s reasonable for a medical device manufacturer to have a stated end-of-life for a medical device, and have a stated end-of-life for cybersecurity for the devices.”

The Pyxis SupplyStation hack has the bright side as well. True, the developers ignored the first bugs that Rios discovered, but later, the giant Becton Dickinson corporation bought the company, and its new management views cyberexperts quite differently. Maybe in the future, companies will pay more attention to bug-proofing than they do now. And perhaps they will even do massive vulnerability testing for new devices before they enter the market.