Medjacking: The newest healthcare risk?
In early August, Popular Science reported an FDA safety warning against an infusion pump used in hospitals. According to the FDA, a type of pump used to administer IV fluids is vulnerable to cyber-attack, potentially putting patients' lives at risk. The article points out that, in an episode of the TV series Homeland, hackers killed the U.S. vice-president by hacking and disabling his pacemaker.
While that kind of attack is a great plot device for a TV drama (and makes medical device security an entertaining topic for Popular Science), the wider security threats posed by medical devices are both more mundane and potentially more destructive. Healthcare information is being exposed in more places every day, creating new risks for patients, providers, payers, and other organizations. In this article, I'll look at how medical devices fit into the risk profile.
Computer Science Zone reports that there will be 25 billion connected smart devices in use in the next five years (there are almost 5 billion already). A significant portion of these will be medical devices, from pacemakers to drug pumps, mobile medical workstations, in-home monitors, and personal fitness devices. A recent article in WorldNow proclaimed, "It may sound like a science fiction novel, but medical devices could someday be the target of hackers." But the fact is that these devices are already being hacked, a trend that is alarming hospitals and other healthcare organizations. In fact, this kind of hacking is already widespread enough to have a new name: medjacking.
Tiny keys to big doors
It's true that hackers could tamper with medical devices to harm individuals, but thus far these devices are being hacked to unlock portals into larger medical systems and steal protected health information. In June 2015, security company TrapX released a report showing that the majority of healthcare organizations are vulnerable to medical device hijacking (a term they shortened to "medjacking"). The report also detailed incidents of medjacking in three hospitals. In one, a blood gas analyzer infected with two different types of malware was used to steal passwords to other hospital systems, and confidential data was being sent ("exfiltrated," in hacker parlance) to computers in Eastern Europe. In another hospital, the radiology department's image storage system was used to gain entry to the main network and send sensitive data to a location in China. In a third hospital, hackers had installed a back door in a drug pump to gain access to the hospital network.
While national security agencies are no doubt preparing for the cloak-and-dagger scenario of medjacking against an individual, if you're looking for trends in cyber-crime, it's best to follow the money. In an earlier article on the economics of cyber-crime, we pointed out that stolen medical identities can bring in many times the price of a stolen credit card number. In their current state of security, many medical devices offer hackers an easy entry point to steal massive numbers of records from healthcare providers' data systems. The TrapX report quotes its co-founder and vice president Moshe Ben Simon: "Attackers know that medical devices on the network are the easiest and most vulnerable points of entry. The medjack is designed to rapidly penetrate these devices, establish command and control, and then use these as pivot points to hijack and exfiltrate data from across the healthcare institution."
Right now, high-volume data theft appears to be the golden ticket for medjackers, but other kinds of attacks are undoubtedly coming. In June 2015, Wired reported that security researcher Billy Rios had written a program that could remotely force multiple pumps to send hospital patients potentially lethal amounts of drugs. Imagine if cyber-criminals were to actually use such a program to create panic, or if they harmed a few patients as a demonstration and then demanded ransom not to harm more.
Device security too slow in coming
Security researchers have been raising alarms about medical device security for several years. In 2012, security researcher Jay Radcliffe made news when he demonstrated the ability to hack an insulin pump using a standard $20 radio transmitter bought from a consumer electronics store. At this point, the FDA has released security recommendations to manufacturers, and, according to Computerworld, even the Department of Homeland Security is investigating cyber-security flaws in medical devices.
There are multiple challenges in maintaining medical device security. Many medical devices are built with the VxWorks real-time operating system, the most widely used OS in the "Internet of Things," and, as with any operating system, new security flaws in VxWorks are being discovered and exploited faster than they can be patched. Another challenge, according to TrapX, is that while healthcare IT staff will manage security for hospital information systems, "they can't access the internal software in medical devices, so they have to rely on device manufacturers to build and maintain security on those devices." And manufacturers have not proved quick to address security issues. Rios, the researcher who hacked drug pumps, said in a blog post that, "Over 400 days later, we have yet to see a single fix for the issues affecting the PCA 3 [drug pump], though the FDA published an advisory."
Guarding the back doors
The risks with medical devices are likely to get worse before they get better. A hard-pressed healthcare industry is quick to adopt innovative new devices and mobile applications that can lower healthcare costs and improve patients' quality of life, and initiatives like the FDA's Medical Device Home Use Initiative will drive up device use outside the firewalls of hospital and clinic networks. To stay ahead of device risks, healthcare providers need to expand their thinking about PHI protection, to look not just at protecting the data where it lives, but at guarding the doors to the data, including the potentially billions of back doors created by medical devices.
As more instances of medjacking make the news, the medical device industry and regulatory agencies will have to come up with security standards and practices for the devices. At this point, the FDA has only issued recommendations for device security, but regulation is likely coming. Computerworld reports that the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is already "working with manufacturers to identify and repair software coding bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment."
With the new attention on medjacking, device security is likely to improve greatly from where it is today. In the meantime, healthcare providers can help improve their own risk profiles by choosing devices with the best security features available (many today don't even encrypt data before transmitting); by pressing manufacturers to adopt security standards and come up with solutions for prompt security fixes and software patches; by segmenting networks to isolate devices from sensitive data sets; and by training patients and staff to use devices in the most secure way possible.
All these measures are vital, but the increase in cyber-attacks over the last few years has shown us that data breaches are inevitable. It's also critical that healthcare providers track new threats as they happen, so that attacks can be identified and isolated quickly. Device attack scenarios also need to be figured into risk management plans. (What if a threat actor did attack individuals through devices? How quickly could such an attack be stopped without further endangering the people dependent on those devices? How quickly can they be notified and told how to protect themselves?) In a recent HIMSS Cybersecurity Survey, 32 percent of respondents listed endpoint security as one of their biggest security barriers, so device security should be included among those endpoints and placed on the radar of a significant percentage of healthcare IT managers.
Medical device security is just one of the new security challenges the healthcare industry faces as information flows from the micro to the macro, from tiny patient implants through medical diagnostic equipment and workstations, provider information systems, and out to massive data centers in the cloud.
Mahmood Sher-Jan is executive vice president and general manager, RADAR business unit of ID Experts.