Networked medical devices

Are your medjacked medical devices preventing true HIPAA compliance?

By: Tod Ferran, Security Analyst at SecurityMetrics
According to Gartner, 26 billion objects will be connected to the Internet by 2020. Hundreds of thousands, if not millions, of those will be networked medical devices. Recent studies show that hackers can easily compromise a healthcare organization through one of these devices. In fact, it’s been a method used by hackers for years.

It’s called medjacking, or medical device hijacking.

A networked medical device is any device capable of connecting to the Internet. These devices are generally separated into four groups:
  1. Consumer health monitoring (e.g., FitBit)
  2. Wearable (e.g., portable insulin pumps)
  3. Embedded (e.g., pacemakers)
  4. Stationary (e.g., chemotherapy dispensing stations)

Stationary devices are targeted

Although it’s scary to think about internally embedded medical devices being hacked and altered, the large majority of hackers aren’t terrorists; they’re thieves. They want to make money by stealing mass amounts of patient data, and that’s why stationary devices are the group most at risk from cybercriminals.

Hackers are acutely aware that medical data (insurance information, social security numbers, etc.) is worth 20-50 times more than credit card data. If a hacker can somehow gain complete access to a networked device, they are only steps away from accessing valuable patient health data.

The HHS reported that 78% of physician practices have electronic medical records (EMR/EHR) systems, which are interconnected with the rest of the ecosystem. EMR systems are a hacker’s Holy Grail.

Here’s what I mean by stationary medical devices:
  • Medical x-ray scanner
  • Chemotherapy dispensing stations
  • Homecare cardio-monitoring
  • MRI machine
  • Bedside infusion pump
  • Anesthesia apparatuses
  • Medical ventilators
  • LASIK surgical machines
  • CT scanners
  • Picture archiving and communication system
  • Blood gas analyzer
  • Dialysis machines
  • Etc.
These devices are typically connected via hospital and healthcare facility Ethernet or Wi-Fi, but can also be connected to a business associate on a private network. The fact that they are connected to the network and potentially the Internet (or have the ability to connect to the Internet) means they are exposed to a giant ecosystem of hacker-influenced risks.

According to the FDA, these devices “can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.” Not only do these vulnerabilities exist, but they will worsen as more and more devices become interconnected.


How do hackers hack healthcare devices?

A medjacking attack is designed to rapidly penetrate healthcare devices, establish command and control and then use these as pivot points to hijack and exfiltrate data from across the healthcare institution.

Once an attacker gets into the network and bypasses existing security, he can infect a medical device and establish a backdoor within the device for later access.

Why does this problem exist? Healthcare devices have vulnerabilities. These vulnerabilities all boil down to a lack of security priority.

Manufacturers own the security process, but don’t place priority on security

Joshua Corman, CTO at Sonatype, says that some medical device manufacturers, especially those with low budgets for cybersecurity, turn to open source code and libraries for security solutions. The problem is, they’re using “very old, known-vulnerable, highly exploitable code in their products.”
According to the FDA, manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their devices, including risks to cybersecurity…but most don’t take that responsibility seriously.

TrapX Security found that most devices are managed solely by the manufacturer’s external technicians, and healthcare IT teams don’t have access to the system at all. That means healthcare providers are totally dependent on manufacturers to maintain security within the device. That’s why these devices are viewed as medical black boxes by healthcare IT and security teams.

According to The Healthcare Internet of Things: Rewards and Risks, some device manufacturers favor hard-coded passwords built into the system that can’t be changed. These passwords are listed in the device’s user manual and can easily be found by hackers!

The medical device manufacturer isn’t the one who will suffer serious brand degradation if a device gets hacked – the hospital will. Have you heard of Fazio Mechanical Services? Probably not, yet it was the Target vendor whose compromise led to Target’s big credit card breach that we’ve all read about.


Cyber defense tools don’t work with medical devices

TrapX Security also found that users can’t install further security on network-connected medical device systems because most security tools do not run within these devices. Not to mention, any software applied by the entity might be considered tampering with the device and have a negative impact on FDA approval. It’s worth noting that the FDA has been very vocal about the manufacturer installing proper security tools.

The government isn’t cracking down on manufacturers or security

According to an article by Infosecurity-Magazine, a security researcher found several vulnerabilities in drug pumps and reported them to the Department of Homeland Security and eventually the FDA. He said, “over 400 days later, we have yet to see a single fix for the issues.”

If the government doesn’t crack down on medical device manufacturers, who will?

Healthcare devices are constantly in use

Many network-connected healthcare devices are used 24-7 by patients on life support. It’s difficult to arrange time to patch and fix devices when they’re in constant use. In addition to the reasons I’ve listed above, security problem resolution is delayed due to access to equipment, device scheduling, and access to manufacturer resources.

Keeping devices HIPAA compliant

If you have networked devices, you should probably prepare for the worst. You likely have HIPAA violations on your hands, stemming from your devices, which are potentially exfiltrating patient data right now.

According to PwC, the number of healthcare-related data breaches soared 60% from 2013 to 2014, almost double the increase seen in other industries. In March 2015, the Identity Theft Resource Center reported healthcare breach incidents as 33% of all total incidents.
If your medical devices aren’t safe, that means your organization isn’t HIPAA compliant either.

Preventing medjacking

In their report, TrapX Security concludes that, “The data stored within healthcare networks remains a primary target for attackers on a global basis. For all of these reasons we expect targeted attacks on hospitals to increase throughout 2015 and 2016. Our scientists believe that a large majority of hospitals are currently infected with malware that has remained undetected for months and in many cases years.”

They give some great recommendations on how to start to secure your networked devices from cybercriminals looking to jump into your system.

These are their seven most salient recommendations:
  • Remediate existing devices immediately. They are probably infected.
  • Strategize a way to quickly integrate and deploy software/hardware fixes provided by the medical device manufacturer.
  • Seek the advice of competent HIPAA consultants and bring them onsite to review your HIPAA compliance program.
  • Only evaluate medical device vendors that value cybersecurity, allow you to modify your own passwords, offer frequent updates, and are willing to conduct quarterly reviews with you.
  • Manage access to your devices, especially through USB ports. Consider the use of one-way, new memory sticks to prevent them from infecting similar devices.
  • Isolate devices inside a secure network zone and protect them with an internal firewall that allows access only to specific services and IP addresses.
  • Don’t forget medical device end-of-life. If devices are no longer receiving updates from their manufacturers, or are just too old to deal with malware, get rid of them, remembering of course to securely wipe or destroy patient data on the device.
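As an added illustration of the isolation recommendation above (example code written for this article, not taken from the original post or from TrapX’s report), the script below models a device zone behind a default-deny internal firewall: an allow-list of the only destination addresses and services the zone may reach, and a check that runs over flow records to flag anything outside that list. The zone address range, the server addresses, the service ports and the flow-log lines are all constructed for the example and are not from any real hospital network.

```python
"""
Added example: a default-deny egress policy for an isolated medical device zone,
evaluated against constructed flow records. This is illustration only; the
addresses, ports and log lines are made up, not from any real environment.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical medical device zone (constructed): e.g. infusion pumps and a CT scanner.
DEVICE_ZONE = ipaddress.ip_network("10.50.0.0/24")

# Allow-list of (destination network, protocol, port) the zone may reach.
# Anything not listed is denied, which is the default-deny stance of the
# internal firewall the recommendation describes.
ALLOWED_EGRESS = [
    (ipaddress.ip_network("10.10.5.10/32"), "tcp", 2575),  # HL7 interface engine (constructed)
    (ipaddress.ip_network("10.10.5.20/32"), "tcp", 104),   # DICOM/PACS server (constructed)
    (ipaddress.ip_network("10.10.1.5/32"),  "udp", 123),   # internal NTP server (constructed)
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def is_allowed(flow: Flow) -> bool:
    """Return True if a flow leaving the device zone matches an allow-list entry.

    Flows that do not originate inside the zone are out of scope for this
    egress policy and are reported as allowed.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in DEVICE_ZONE:
        return True
    return any(
        dst in net and flow.proto == proto and flow.dport == port
        for net, proto, port in ALLOWED_EGRESS
    )


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def find_violations(lines):
    """Return the flows from the device zone that the policy would block."""
    return [flow for flow in map(parse_flow, lines) if not is_allowed(flow)]


# Constructed sample flow log (not real traffic).
SAMPLE_LOG = [
    "10.50.0.12 10.10.5.10 tcp 2575",   # pump -> HL7 engine: allowed
    "10.50.0.30 10.10.5.20 tcp 104",    # CT scanner -> PACS: allowed
    "10.50.0.12 10.10.1.5 udp 123",     # pump -> NTP: allowed
    "10.50.0.12 203.0.113.7 tcp 443",   # pump -> Internet host: blocked
    "10.50.0.30 10.10.5.10 tcp 445",    # CT scanner -> HL7 engine on SMB: blocked
    "10.10.5.10 10.50.0.12 tcp 2575",   # inbound to the zone: not governed by this egress policy
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"BLOCKED {v.src} -> {v.dst} {v.proto}/{v.dport}")
```

Run as a script it prints the two flows the policy would block: the device reaching an Internet host, and the device reaching an allowed server on a service that is not on the list. Keeping the allow-list to specific hosts and ports, rather than whole subnets, is what turns a compromised device into a contained problem instead of a pivot point into the EMR network.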

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.
