The challenges in protecting hospitals from cyber attacks are very similar to those faced in ICS and SCADA environments; the equipment used in hospitals is not user-serviceable and therefore often running out-of-date software or firmware. This creates a dangerous situation where the devices have known vulnerabilities that can be easily exploited by bad actors; and where administrators are not likely to notice malware running on the device as long as nominal operation is maintained (X-ray machines continue to take X-rays etc).
The end goal of bad actors infecting a medical device is to use it as an entry and pivot point in the network. Valuable patient records are not likely to be present on the medical devices, but those devices often have some level of network connection to the systems that do contain patient records. What better way to attack a system than to lie quietly on a network node with relatively-unrestricted lateral movement to other parts of the network?
What exactly is a bad actor likely to do after getting a foot-hold on the network? Any number of things:
- Move laterally to find patient records that can be used for identify theft or blackmail, especially public figures, celebrities, etc
- Steal research data for financial gain
- Deploy ransomware like Cryptolocker, effectively crippling the facility unless a bribe is paid
- Trigger widespread system malfunctions as an act of terrorism
- Carry out a 'hit' on a specific patient
Without a doubt, there are more activities that could be carried-out by a bad actor, the five listed above are just examples.
The first three items are strictly motivated by financial gain, and this has been the extent of observed attacks to date. The fourth item seems possible but unlikely, either due to morals or the relatively-higher value of attacking other targets like power plants or defence facilities. The fifth item hasn't been detected yet, but that doesn't exclude the possibility that it has happened. Carrying out a silent assassination with malware would be very hard to trace back to the attacker, and could even be sold as a service, similar to DDoS as a service.
The scenario for number five sounds like something out of a Tom Clancy novel, but it is completely plausible. The attacker (or entity paying for the attack) would only need to know the target, have knowledge of an upcoming procedure, and know where the procedure was to take place. One caveat is that identifying which device(s) would be used with that patient, and when, could be difficult, but not impossible to know.
Real-world vulnerability
Billy Rios, a security researcher, recently went public with a vulnerability that affects drug pumps and could potentially be exploited to administer a fatal dose of medication to a patient. Rios notified the DHS and FDA up to 400 days ago about the vulnerability, and saw no response, so he went public to put pressure on the manufacturer to fix the issue. 400 days is an extremely-long grace period - recently some vulnerability disclosure periods have been as short as one or two weeks. Faced with the reality that some medical equipment manufacturers do not invest in securing their devices from exploitation, the onus of security therefore falls on the users of such equipment.
This discovery shows a real-world example of how a cyber attack could affect a medical device and potentially endanger lives. There is no question that this type of threat needs to be taken seriously. The real question is, how can hospitals effectively protect devices such as these?
It's clear that installing antivirus software on medical equipment is impractical and basically impossible. Furthermore, healthcare IT is relatively helpless to patch the software and firmware running on these devices. So considering those vulnerabilities, and the difficulty in remotely scanning these devices, the best solution is simply to prevent malware from ever getting to these devices. Thankfully, this challenge has already been solved in ICS and SCADA environments.
The end goal of bad actors infecting a medical device is to use it as an entry and pivot point in the network
In a recently-profiled attack on hospitals, one of the infection vectors was thought to be a technician visiting a compromised website on a PC with direct access to a picture archive and communication (PACS) system. The report details that the malware was detected, but not before infecting the PACS system. Due to the nature of the system it could not be scanned for malware, let alone cleaned. It was then used as a pivot point to find a system with medical records that could be exfiltrated back to the attacker.
Medical facilities share vulnerabilities with SCADA and ICS, so why shouldn't they also share protection mechanisms? Critical infrastructure providers, especially power plants, often make use of air-gapped networks as a very effective defense mechanism. Taking the above story as an example, the PC with a web browser and internet access should not have also had access to PACS. This simple step would have stopped the infection from doing any damage at all. If, for example, the technician needed to download something from the internet and transfer it to PACS then it would have to be transferred onto the air-gapped network. This provides several benefits:
- When transferring the data to PACS, it could have been scanned for malware and even sanitised
- If the malware found its way onto PACS, exfiltration would be much harder or impossible if PACS didn't have an outbound internet connection
Hospitals and their staff are very accustomed to preventing the spread of biological infections and they must now apply similar levels of prevention to preventing the spread of cyber infections. Think of the scrub area outside of an operating room. No matter how 'clean' the surgical staff thinks they are, they all invest the same amount of time scrubbing in before entering the OR. Furthermore, even after fully disinfecting their hands and arms, the surgical staff put on latex gloves to prevent the transfer of infections in either direction (to or from the patient). The medical industry is always innovating and improving their ability to prevent the spread of infectious diseases – the paradigm shift from miasma theory to germ theory ushered in a wave of new techniques and best practices. Even without being able to see or detect germs, medical professionals were able to prevent infection by employing preventive strategies that always assume the presence of germs.
Faced with the reality that some medical equipment manufacturers do not invest in securing their devices from exploitation, the onus of security therefore falls on the users of such equipment
Defending against cyber infections, by comparison, is much easier. The medical industry isn't alone in fighting this threat – they don't have to invent new techniques for preventing infection, they simply need to adapt the proven strategies employed by other industries.
Simply employing an air gap doesn't guarantee security, just as putting a scrub room before the OR doesn't stop viruses and bacteria. The point of the air gap is to create a point through which data movement is carefully controlled. Additional measures must be employed to ensure that pathogens are not allowed access. In medicine these measures consist of removing foreign material with soap and water, and disinfecting with various antimicrobial agents. It's not practical to scan doctors and nurses for bacteria, so every surface is assumed to be contaminated until sufficiently cleaned and disinfected. The control point in a data flow is comparatively easier to maintain, as there are techniques for quickly finding infections on media moving through the air gap. For extra protection, any files deemed 'clean' can still be disinfected to completely eradicate the possibility of a threat doing undetected.