Connected Medical Devices Can’t Call in Sick

One of America’s greatest contributions to society in the last 100 years has been advancements in medical care. This furthering has been made possible, in large part, by our achievements in technology. So, it should be no surprise that the two have become explicitly intertwined; medical technology has given way to incredible improvements in cost, efficiency, and patient health. However, this marriage of computers, communication, and devices has not come without challenges. TV shows have hypothesized about the hijacking of a vice president’s pacemaker, but are devices really vulnerable or is this just a theatrical plot line for primetime drama?

In May of this year, TrapX Security, a cyber security defense company, released a report on MEDJACK - an attack created to illustrate the vulnerabilities in medical devices. In testing three devices commonly found in critical care departments, TrapX found that they were all being used as an entry point to the hospital’s network and that data was being exfiltrated from the hospital's’ databases. In many cases, the malware identified was old; variants of Zeus and Citadel were specifically called out. Data exfiltration is one thing, but the hackers from TrapX also found that the malware could alter patient records and potentially compromise the devices themselves. Other researchers are taking note of these physical vulnerabilities. This Wired article released yesterday details the ability to hack dosage parameters on a Hospira pump.

Of course, bodily harm is rarely the desired endgame, and the motivation for the recent attacks on hospitals comes down to basic greed. Electronic health records, or EHRs, can often sell for $50 or more on the black market. This is a far greater payoff than traditional credit card numbers, which are lucky to fetch a buck in today’s underground economy. EHRs are particularly attractive because of the amount of detail that they can hold about a patient - social security numbers, banking information and most importantly your medical ailments - as seen in the recent Anthem and Blue Cross breaches. This holistic information allows crooks to use your medical identity to acquire drugs or medical equipment which can be sold for additional monetary gain.  Hackers have become creative, with data hostaging of photographs and data en-vogue today, its foreseeable that medical devices could also be held hostage for ransom.

Battling data thieves isn't the only challenge facing hospitals today, they must also contend with the bureaucracy of being the most regulated industry in the country. All medical devices must be approved by the FDA prior to going to market, and it is this scrutiny that requires manufacturers to lock down all aspects of a device, thus creating an internet connected “black box.” In fact, the majority of medical devices in hospital settings are operating 24/7 without any visibility or control by hospital security staff. Since medical devices are manufactured and FDA approved with a high level of specificity, these devices can only be serviced and maintained by the original manufacturer. Combine these OEM resource limitations with the high level of need in critical care departments, and it’s little wonder why patches and security updates often go undone for long periods of time.

The OEM blind spots aren’t exclusive to medical care. In one our own pilots, we routinely find third party products with an open wireless connection that was completely unknown to IT staff. As companies look to improve efficiencies and leverage data coming from costly infrastructure investments, the security and connectivity of these OEM sensors need to be known and monitored in order to maintain the integrity of the network. Of course, it might be pie in the sky thinking when you consider the billions of connections that will invade the corporate environment in the coming years.

As we continue to connect sensitive environments, it becomes harder to take this critical infrastructure offline for regular maintenance. It’s one thing to not be able to send emails while IT upgrades a server, but to patch the blood gas machines in the ICU will take careful planning. For now, we may have to settle for simple awareness. Unfortunately, this will likely mean more data breaches, but I’m hopeful that progress will be made before we actually see patient health impacts.