HIPAA For MSPs by David Sims Medical Device Security
00:00:00 00:00:00

There has been a lot of news and industry discussions about Medical Device security. Medical Devices are just like a computer, so they also need security to protect the information on them.

How Real Is The Threat To Patients?

In 2001, a Medtronic insulin pump was hacked by a cybersecurity researcher and remote control of the device was gained. Similarly, security experts proved that they can cause some medication pumps to deliver fatal insulin doses from up to 300 feet away.

A catheterization lab in New Jersey had to close down temporarily because its computerized devices were infected with malware. In July 2015, both the US Department of Homeland Security and FDA warned hospitals not to use a Hospira Symbiq infusion pump because of a security vulnerability that allows hackers to gain remote control of the system. And John Halamka, MD, CIO at Beth Israel Deaconess Medical Center (BIDMC) in Boston, reported a breach to federal authorities that involved a medical device. As he explained in the account, the breach occurred “when a medical device manufacturer removed our hospital provided security protections in order to update a device from the Internet”.

Infection happened almost immediately

It took about 30 seconds for the unprotected device to become infected and transmit data over the Internet. The Office of Civil Rights adjudicated that it was the manufacturer, not BIDMC, which was responsible for the breach. “We were advised to follow any visiting manufacturer reps around the hospital to ensure that they do not remove hospital provided security protections in the future.”

We see cases with old XP computers running devices for several reasons.

You can’t get rid of the operating system because it is the only way to read x-ray reports on a device. The cost to upgrade to the next release is $20,000. Older devices that still run XP code and have to be replaced because the vendor didn’t come up with a way to upgrade them.

Why does XP matter so much as the reason for these breaches of Medical Device security

XP has been a dead operating system for 2 years. XP was part of an OCR resolution already, when a provider downloaded “sample policies and procedures”, otherwise known as template policies and procedures, and never followed them. Also, unpatched Windows 7 machines are just as bad as XP. You need to stay current with you software patches and updates to ensure your medical device security.

TrapX report, Medical Device Hijacking

TrapX leaders include two military guys, the Israeli Air Force, and US Marines, among other security experts. They specialize in deception technology feeding labs that research cybersecurity threats, and they receive millions in funding from venture firms. They have an attack series that watches how attacks play out on medical devices, coined MedJack (medical device hijack) in their May 2015 report. Now, they have added MedJack.2 which is a further evolution of what they are doing with these devices.

There were three new case studies of hospitals in the new report. They found a multitude of back doors and botnet connections, all working under the control of attackers. The 2008 Microsoft Security Bulletin for XP lists the exploit used in attacks. A HIPAA Journal calls it an ancient exploit. The malware propagated by the attackers was not detected by the customers endpoint security software. Windows 7 and later versions had eliminated the vulnerabilities so security software wouldn’t necessarily alert to it, which allowed it to keep looking for older versions of Windows. Therefore, the attacks are specifically targeting medical devices because they seem to be aware that they do not have security software on them.

You will see from these case studies that the malware was able to gain a foothold within the older operating systems on the medical devices and avoid ANY detection in the standard IT endpoints or network solutions. It enabled the attacker to install a backdoor within the enterprise, from which they could launch their campaign and quietly exfiltrate data and perhaps cause significant damage using a ransomware attack.

TrapX tools found the malware on one of them in 1 hour and the other two within a few days. Cyber-attackers know that healthcare institution networks are highly vulnerable due to medical devices which offer attractive “low hanging fruit.” This continues to place our most important healthcare institutions at high risk. Generally, medical devices are managed by the manufacturer’s own technical team, not the hospital’s IT team, so no one is watching properly.

TrapX Case Studies

Components found to be the source of heavy attacker activity:

Hospital #1:

The first hospital used two vendors, each of them running devices for different clinics.

Vendor A – Radiation Oncology system
Vendor A – LINAC Gating system
Vendor B – Fluoroscopy Radiology system

XP workstations were running the radiation oncology systems.

Hospital #2:

Hospital 2 used a different vendor than the previous two.

Vendor C – PACS System

The malware attacked through an MRI device that had to be returned to manufacturer to get cleaned because there was no other way to remove the malware from the system.

Hospital #3:

Hospital 3 was easily the most shocking of the case studies.

Vendor D – X-Ray machine

An old C-ARM x-ray machine was running a Windows NT 4.0 operating system which is even older than XP. Many people currently working in IT probably don’t know what NT is, much less how it works.