Erven’s team also found that, in some cases, they could blue-screen devices and restart or reboot them to wipe out the configuration settings, allowing an attacker to take critical equipment down during emergencies or crash all of the testing equipment in a lab and reset the configuration to factory settings.
“Many hospitals are unaware of the high risk associated with these devices,” Erven says. “Even though research has been done to show the risks, health care organizations haven’t taken notice. They aren’t doing the testing they need to do and need to focus on assessing their risks.”
Erven works as head of information security for Essentia Health, which operates about 100 facilities–including clinics, hospitals and pharmacies–in Minnesota, North Dakota, Wisconsin and Idaho. Essentia decided to open its facilities to a full-scale evaluation in 2012, and in a remarkable and laudable move, allowed Erven to publicly reveal some of his findings.
Although Erven and his team don’t know whether any of these devices are connected directly to the internet–they plan a subsequent test to determine this–many of them are connected to internal networks accessible via the internet. Hackers could gain access to the devices by infecting an employee’s computer via a phishing attack, then exploring the internal network to find vulnerable systems. A hacker who happens to be in the hospital could also simply plug his laptop into the network to discover and attack vulnerable systems.
“There are very few [devices] that are truly firewalled off from the rest of the organization,” he says. “Once you get a foothold into the network … you can scan and find almost all of these devices, and it’s fairly easy to get on these networks.”
“We had management backing to see what our risk exposure is across all health care systems,” he says. “We tested every single device in our environment–various radiology stuff and MRIs, ultrasound and mammography systems, cardiology, oncology. We tested all of our lab systems, surgery robots, fetal monitoring, ventilators, anesthesia.”
One of the main problems they found lay with embedded web services that allow devices to communicate with one another and feed digital data directly to patient medical records.
“A lot of the web services allow unauthenticated or unencrypted communication between the devices, so we’re able to alter the info that gets fed into the medical record … so you would get misdiagnosis or get prescriptions wrong,” he says. “The physician is taught to rely on the information in the medical records … [but] we could alter the data that was feeding from these systems, due to the vulnerabilities we found.”
Erven says an attacker can collect data passing from medical devices to patient records, then replay it so that the same data gets passed into other records.
They also found problems with refrigeration systems for blood and pharmaceutical storage and cryogenics that aren’t protected.
“They all have a web interface that allow you to set the temperature range,” he says. Although he says the systems include email alerts and wireless pagers that notify lab and hospital staff if the temperature falls outside certain boundaries, the systems are only protected by hardcoded passwords, and once in the system, an attacker can turn off the email pager notification features or alter the settings to change when an alert is sent.
Storage systems for X-rays and other images were equally vulnerable. Erven says the images are generally backed up in centralized storage units that require no authentication to access. While some of the front-end systems that physicians and other staff use to access the images do use hardcoded passwords and log who accesses the images, Erven says the backup is completely unprotected “and there is no logging if you go in the backdoor way and grab those images.”
They also found surgery robots connected to internal networks. Although the robots generally have software firewalls to block connections to them, Erven and his team found that simply running an off-the-shelf vulnerability scanner against the firewall caused it to turn off and fail open.
“But we haven’t figured out yet what we can do once those fail open,” he says.
The Worst ProblemsSome of the most disturbing problems they found involved infusion pumps, ICDs (implantable cardiovascular defibrillators that deliver shocks to a patient who shows signs of going into cardiac arrest) and CT scans. They found a number of infusion pumps that have a web administration interface for nurses to change drug dosage levels from their workstations. Some of the systems are not password-protected, while others have hardcoded passwords that are weak and universal to all customers.
With the CT scan, they could alter configuration files and change radiation exposure limits that set the amount of radiation patients receive.
Though targeted attacks would be difficult to pull off in most cases they examined, since hackers would need to have additional knowledge about the systems and the patients hooked up to them, Erven says random attacks causing collateral damage would be fairly easy to pull off.
That’s not the case with implantable defibrillators, however, which could be targeted.
“We found a couple of defibrillator vendors that use a Bluetooth stack for writing configurations and doing test shocks [against the patient] when they’re implanted or after surgery,” he says. “They have default and weak passwords to the Bluetooth stack so you can connect to the devices. It’s a simple password like an iPhone PIN that you could guess very quickly.”
A fictional defibrillator attack had a prominent role in an episode of the TV show Homeland in 2012 but the risks of such an attack are real. Physicians for former Vice President Dick Cheney had the wireless capability of his defibrillator disabled in 2007 to prevent terrorists from conducting such an attack to kill him.
Although the picture of hospital equipment that Erven and his team uncovered was gloomy, there was one bright spot among all the bad news — anesthesia equipment and ventilators are generally not networked and don’t allow web administration, so someone would have to have physical access to the devices to alter them.
Hospitals Are Unaware of the DangersErven says that the health care industry is just now waking up to the security problems with medical equipment, and that the problems exist because medical equipment has only ever been regulated for reliability, effectiveness and safety, not for security.
“The vendors don’t have any types of security programs in place, nor is it required as part of pre-market submission to the [Federal Drug Administration],” Erven notes. “There’s no security assessment before it goes to market.”
Last spring, the FDA and DHS issued a notice to the health care industry about problems with hard-coded passwords in medical devices after two researchers found them in about 300 medical devices, including ventilators, pumps, defibrillators and surgical and anesthesia devices.
The alert advised health care facilities to examine their systems for problems and put controls in place to protect them from unauthorized users. But Erven says health care facilities can only do so much to wall-off devices; vendors must do more to secure the devices with encryption and authentication before they sell them to customers and fix the ones that are already in the field. FDA guidelines for medical devices now place the onus on vendors to ensure that their systems are secure and patched, and customers should demand they do so.
Although vendors often tell customers they can’t remove hard coded passwords from their devices or take other steps to secure their systems because it would require them to take the systems back to the FDA for approval afterward, Erven points out that the FDA guidelines for medical equipment includes a cybersecurity clause that allows a post-market device to be patched without requiring recertification by the FDA.