Typically seen as areas where patients battle disease and illness, hospitals could soon be fighting off infections of a different kind as cyberattacks threaten not only highly sensitive information but potentially the very lives of those being protected.
The challenges in protecting hospitals from cyberattacks are very similar to those faced in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) environments. The equipment used in hospitals is not user-serviceable and therefore often running out-of-date software or firmware. This creates a dangerous situation where the devices have known vulnerabilities that can be easily exploited by bad actors.
It is also extremely unlikely that administrators would notice malware running on the device as long as nominal operation is maintained.
The end goal of bad actors infecting a medical device is to use it as an entry and pivot point in the network. Valuable patient records are not likely to be present on the medical devices but those machines often have some level of network connection to the systems that do contain patient records.
What exactly is a bad actor likely to do after getting a foothold on the network?
- Move laterally to find patient records that can be used for identify theft or blackmail
- Steal research data for financial gain
- Deploy ransomware such as Cryptolocker, effectively crippling the facility unless a bribe is paid
- Trigger widespread system malfunctions as an act of terrorism
- Carry out a 'hit' on a specific patient
The first three items are strictly motivated by financial gain and this has been the extent of observed attacks to date. The fourth seems possible but unlikely, either due to morals or the relatively higher value of attacking other targets like power plants or defence facilities.
The fifth item has not been detected yet but that does not exclude the possibility that it has happened. Carrying out a silent assassination with malware would be very hard to trace back to the attacker and could even be sold as a service (similar to DDoS as a service).
A scene from a Tom Clancy novel
The scenario for number five sounds like something out of a Tom Clancy novel but it is completely plausible. The attacker (or entity paying for the attack) would only need to know the target, have knowledge of an upcoming procedure and know where it was to take place. One caveat is that identifying which device(s) would be used with that patient, and when, could be difficult but not impossible to know.
Billy Rios, a security researcher, recently went public with a vulnerability that affects drug pumps and could potentially be exploited to administer a fatal dose of medication to a patient.
He notified the Department of Homeland Security and Food and Drug Administration up to 400 days ago about the vulnerability and saw no response, so he went public to put pressure on the manufacturer to fix the issue.
Faced with the reality that some medical equipment manufacturers do not invest in securing their devices from exploitation, the onus of security therefore falls on the users of such equipment.
This discovery shows a real-world example of how a cyberattack could affect a medical device and potentially endanger lives. There is no question this type of threat needs to be taken seriously. The real question is, how can hospitals effectively protect devices such as these?
It is clear that installing antivirus software on medical equipment is impractical and basically impossible.
Furthermore, healthcare IT are relatively helpless to patch the software and firmware running on these devices. So considering those vulnerabilities, and the difficulty in remotely scanning these devices, the best solution is simply to prevent malware from ever getting to these devices. Thankfully, this challenge has already been solved in ICS and SCADA environments.
In a recently profiled attack on hospitals, one of the infection vectors was thought to be a technician visiting a compromised website on a PC with direct access to a picture archive and communication (PACS) system.
The report details the malware was detected but not before infecting the PACS system. Due to the nature of the system, it could not be scanned for malware, let alone cleaned. It was then used as a pivot point to find a system with medical records that could be exfiltrated back to the attacker.
Medical facilities share vulnerabilities with SCADA and ICS, so why shouldn't they also share protection mechanisms? Critical infrastructure providers, especially power plants, often make use of air-gapped networks as a very effective defence mechanism. Taking the above story as an example, the PC with a web browser and internet access should not have also had access to PACS. This simple step would have stopped the infection from doing any damage at all.
If, for example, the technician needed to download something from the internet and transfer it to PACS, it would have to be transferred on to the air-gapped network.
Sanitising the operating room vs preventing cyber-infections
Hospitals and their staff are very accustomed to preventing the spread of biological infections and they must now apply similar levels of prevention to preventing the spread of cyber ones. Defending against cyber infections, by comparison, is much easier. The medical industry is not alone in fighting this threat – they do not have to invent new techniques for preventing infection, they simply need to adapt the proven strategies employed by other industries.
Simply employing an air gap does not guarantee security. The point of it is to create a point through which data movement is carefully controlled. Additional measures must be employed to ensure that pathogens are not allowed access.
In medicine, these measures consist of removing foreign material with soap and water, and disinfecting with various antimicrobial agents. It is not practical to scan doctors and nurses for bacteria, so every surface is assumed to be contaminated until sufficiently cleaned and disinfected.
The control point in a data flow is comparatively easier to maintain, as there are techniques for quickly finding infections on media moving through the air gap. For extra protection, any files deemed "clean" can still be disinfected to completely eradicate the possibility of a threat doing undetected.
Adam Winn is a senior product manager at security company OPSWAT.