A Remedy for Risk: Securely Connecting Medical Devices

Of all of the connected devices blackhat hackers could go after, why would they target medical devices? While there are a plethora of motives, most involve financial gain. Cybercriminals targeting medical devices are willing to put patients at risk if it means obtaining valuable information or access to a hospital network.

With hacks targeting medical devices and records booming in recent years, patients have one more reason to be wary of connected medical devices and hospitals. Beyond the familiar anxieties of infectious diseases and malpractice, the very devices patients used to treat them during — or after — their stay can be tapped by cybercriminals for a variety of uses including extortion, identity theft, fraud and even espionage and assassination. Here, we take a look at the some of their chief reasons blackhat hackers would put medical technology in their crosshairs.

One of the most common reasons for a hacker to target medical devices is for identity theft. Connected medical technology can be a gateway to patients’ medical records, replete with valuable personally identifiable information (PII) such as social security numbers, addresses, phone numbers and insurance information. A hacked medical device can also serve as a backdoor to a hospital’s network.

Cybercriminals used the latter approach in the Medjack attack, which is a malware threat for an array of devices, including MRI and CT scanners, x-ray machines and blood gas analyzers. Cybercriminals can obtain sensitive medical data from such breaches that enables them to engage in medical billing scams and tax fraud. A hacker can use a patient’s stolen identity to get free medical care, including obtaining prescription drugs or medical equipment — either for personal use or to resell on the black market. Cybercriminals can even use such information to obtain medical treatments at the victim’s expense

While such healthcare-oriented identity theft is perhaps less common than, say, stolen credit card information, the healthcare industry is much slower in detecting fraud than financial institutions. While a bank or consumer may realize that a credit card has been breached within hours, in the medical realm, it could easily take weeks or months before such identity theft is detected. While a credit card number can be changed, medical records can’t. A cybercriminal could thus use sensitive patient information for fraud long after a breach occurs. And, while the proliferation of electronic health records makes it easier for clinicians to share patients’ medical records, they also give hackers access to vulnerable information that had been historically locked away in file cabinets.

While a single patient’s data is of value to hackers, a hospital’s network is a target-rich environment that can have hundreds or thousands of endpoints connected to them. A hacker can achieve access to such networks, which often aren’t encrypted, by way of a single unsecured medical device that communicates with that network. A hacker who succeeds in breaching a single medical device to gain access to such a clinical network could launch a large-scale billing fraud operation. Even breaching a single device such as a CT scanner can give hackers access to substantial patient information.

Access to medical devices provides can also become a launching point for ransomware. There are a number of ways this could be executed. There is, of course, the Hollywood-thriller-esque possibility of patients getting a text message threatening to turn off their pacemaker unless sufficient bitcoins are transferred to a hacker’s account. More likely though, it will be the hospital itself that’s under attack as the hospital could have a higher likelihood of paying a substantial sum of cash. Hackers can literally hold the entire hospital and its patients hostage as a hacker could turn off the power or manipulate the devices remotely until demands are met (which are typically a five-figure cryptocurrency payment).

Just a few years ago, the prospect of a security researcher influencing financial markets may have seemed remote. That is, howẃever, essentially what happened to the medical device maker St. Jude Medical in 2016. The short-selling firm Muddy Waters enlisted the help of a boutique cybersecurity firm to probe the security of St. Jude’s cardiac implants. The cyber firm determined that they had significant cyber-vulnerabilities prompting St. Jude’s stock to fall 5 percent on August 25, 2016, the day the information was announced, St. Jude decided to sue stating that the claims were false. FDA ultimately agreed that the products were at risk, however, and released a statement saying as much.

While the St. Jude saga may be remarkable, the threat of similar manipulation of the stock market by way of security research continues. In February of this year, the Securities and Exchange Commission (SEC) warned that cybersecurity risks in general pose “grave threats” to investors. “Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century. Cyber security incidents can result from unintentional events or deliberate attacks by insiders or third parties, including cybercriminals, competitors, nation-states, and ‘hacktivists,’” the SEC explains.

Most blackhat hackers tend to focus on devices that are easy to target before devices with solid defenses. A fair number of medical devices — especially legacy medical technologies — have relatively weak defenses. Some, for instance, use outdated operating systems such as Windows XP that are favorite targets for hackers because they are straightforward to exploit. One of the most common medical devices in the hospital, the infusion pump, is often relatively easy to hack. Hackers can target medical devices to simply hone their skills or enslave such devices as a means to launch cryptocurrency mining operations that slow down medical networks while earning cryptocurrency for cybercriminals. The Decatur County General Hospital in Parsons, Tennessee was hit by such an attack last year.

Certain models of such pumps use a maintenance password, which may be, at worst, a default passcode that is never changed or a rarely updated one. A substantial number of medical devices — approximately 300 from roughly 40 vendors — use hard-coded passwords, according to security researchers Billy Rios and Terry McCorkle. When it comes to medical devices such as infusion pumps, the strategy for securing such devices with methods such as regular over-the-air updates or traditional malware protection are just not feasible. In theory, an over-the-air (OTA) update with an inadvertent software bug could injure or even prove fatal for a patient whereas installing traditional malware software could interfere with the pump’s operation.

While the threat of targeting a medical device to maim or kill patients receives a fair amount of attention from writers — whether they work for journalistic outlets or in the film business, this threat tends to be more theoretical than actual. That said, celebrities or politicians may be at a heightened risk for such attacks. Former VP Cheney reportedly had his pacemaker’s wireless functionality turned off out of fear that a hacker would meddle with it. While the risk of hacking pacemakers has received considerable attention, the sheer variety of medical devices opens up nearly infinite types of attack types.

But a recent report from the Star Tribune also notes that there are currently no known reports of a medical device hacked to harm a patient. That said, the risk of such attacks is real. Suzanne Schwartz, Director, FDA Center for Devices and Radiological Health has said: “Network-connected/configured medical devices that are infected by malware can disable a device from performing its clinical function. This, in turn, could lead to a patient safety concern.” Imagine the risk that, say, a hacker-controlled cardiac rhythm management device might pose to a patient. In 2012, the late security researcher Barnaby Jack discovered that pacemakers from a number of manufacturers could be exploited to deliver a fatal 830-volt shock to a patient from an up to 50-feet distance.

What’s more, it is not apparently all that difficult for a security researcher or a cybercriminal to obtain medical devices for research, potentially learning how to program control medical devices or how to breach them to gain access to patient data

A fair number of medical devices can be purchased through unofficial channels. The website eBay, for instance, sells devices used to program cardiac rhythm management devices. Examples include Boston Scientific’s Zoom Latitude and Abbott Laboratories’ Merlin.

While the medical device industry is coming to grasp with the rising cybersecurity threat, the explosion of IoT capabilities increases the medtech attack surface. The increasing numbers of medical-device-focused attacks point to the need to verify the identity of all parties involved in the healthcare ecosystem — whether patients or clinicians while, just as importantly, encrypting of personally identifiable information.

Public Key Infrastructure (PKI) is a vital defense  for mitigating the risk of connected medical devices, creating a security framework for sharing sensitive medical data between trusted endpoints and a gatekeeper the hacker must face before causing potential havoc. PKI also provides cryptographic agility, enabling medical devices to scale, securely over time while allowing secure device and firmware updates. By both authenticating and encrypting information, only the holder of both private keys can gain access to the data. Each device needs its own unique PKI generated certificate. Not only does it provide added security for the company but it means that the hacker needs considerably more time to do widespread damage.  More to the point, an in-house PKI is extremely cost effective and can be entirely customized to the consumer’s needs. That allows for an easy transition in the medical industry on a case-by-case basis.

As IoT-enabled devices become a part of the norm, the healthcare community is entering a brave new world for both its patients and doctors. Without foresight that new technology could turn into a Pandora’s Box. Imagine that you or a loved one recently fell ill and are lying in a hospital bed. The last thing you want to worry about is a hacker hell-bent on breaking into a medical device designed to be life-saving rather than life-threatening. The medical device industry needs security experts like yourself to step up and play a role in helping keep cybercriminals from breaching IoT-enabled medical devices and hospital networks.

It’s a sad fact that medical devices and hospitals are at risk of attack, but that is the case. While it may not seem like we are at war yet, tales of hacked medical devices and hospitals are growing, making preparation for more-sophisticated attacks a vital consideration. As Navy SEAL Brandon Webb once stated: “It’s a huge edge, sometimes life-saving, to adopt a good idea early and put it into practice.” That idea is just as true for cybersecurity as it is for preparing for war.