[BreachExchange] Medical Devices Are Ubiquitous, Vital, And Often Unsecure

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 26 21:55:57 EST 2019


When Jay Radcliffe hacked his own insulin pump on stage at the Black Hat
cybersecurity conference in 2011, the room filled with applause. Diagnosed
with type one diabetes at age 22, he had just demonstrated how a bad guy
could really mess him up.

“You could give me insulin right now, without my authority,” he said from
the stage.

At the time, very few had shown how lax the security of these medical
devices was.

“I wrote a program that would turn off my insulin pump and change the
therapy settings without the user knowing it,” he said in a recent
interview. “It turned into this very, very big thing.”

For years, device manufacturers assumed doctors and technicians would be
the only ones interested in these devices. But it quickly became clear this
was just the beginning.

As the healthcare industry becomes increasingly connected to deliver
real-time data, monitoring and new therapy options, it isn’t just the
implantable pacemaker or insulin pump with problems.

The bedside patient heart monitor and anesthesia machines, the lab CT
machine and hundreds of other health devices of various purposes, operating
systems and connectivity are all open targets — threatening patients and
creating a massive attack surface for bad guys.

Between 2016 and 2018, the number of cybersecurity warnings issued by
manufacturers each quarter rose 400%. That could reflect companies becoming
more transparent after the U.S. Food and Drug Administration released new
guidance for medical device manufacturers in 2016.

Back in 2011, “transparent” isn’t how Radcliffe would describe them. And
they were ill-prepared for outsiders like him saying, “Hey, you got a
problem here.”

“They weren’t very responsive. They didn’t return my phone calls,” he said.
“They didn’t have a process or procedure. If there’s no process (with these
big companies), it’s kind of paralysis.”

Companies could threaten hackers who exposed vulnerabilities with copyright
infringement lawsuits. The space was so bad that many in the field,
including Josh Corman, an ethical hacker, thought something dire would have
to happen before things changed.

“I said, ‘Guys, I’m not going to lie to you, people have to die first. No
one is going to listen until we have our first confirmed kills,’” said
Corman, at the CyberMed Summit in November, talking about how hopeless some
early security researchers were in the space.

Worst-Case Scenarios

Just a building over from Corman’s talk on the University of California San
Diego’s campus, a man on a stretcher would later be rolled into a bright
white hospital room by emergency medical technicians.

“Seventy-three-year-old male, he’s got left-sided weakness, right-sided
facial droop,” the tech said before rattling off a series of vitals.

Medical personnel led by Dr. Rahul Nene worked to diagnose Patrick, who had
been paralyzed on his left side for three hours. After asking about his
medications and an assortment of other questions, Nene thought he knew what
to do.

“We’re gonna start with a CAT scan of your head. I’m worried that you may be
having a stroke,” said Nene.

“What?” replied an alarmed Patrick.

The doctor repeats himself, and before long Patrick is sent to get the CT
scan that will answer one critical question: is a bleed or a blockage
causing the stroke? Nene can treat a blockage with a clot buster called
tPA, but giving it to a patient with a bleed could have grave consequences.

Then disaster strikes.

“Attention clinicians!” blared the PA system.

The announcement: the CT scanner, along with several other critical systems,
has been taken offline by what Dr. Nene will later learn is a ransomware
attack.

“Please resort to paper record keeping,” said the disembodied voice.

“Oh, well that’s going to make things a little bit more difficult,” Nene

The only test that could tell the doctor how to treat Patrick is offline.
Every minute he goes without treatment, his oxygen starved brain is dying.

Fortunately, this is just a simulation. Everyone other than Dr. Nene knew a
cyber attack was coming.

Upstairs a couple hundred medical device manufacturers, doctors and
security researchers watch the scene unfold live.

Narrating the scene was Dr. Christian Dameff, who along with Dr. Jeff
Tully, one of the people assisting Dr. Nene on screen, organized the

“Because they can’t take care of this patient, they actually have to
transfer them to another hospital, again this is wasted minutes,” said

The simulation is meant to show how reliant doctors are on technology,
especially internet connected devices that can be hacked. And how
ill-prepared they are for worst-case scenarios.

Keeping Up With Devices

There are currently no deaths linked to medical device hacking, but — as
the demonstration showed — we might not know it if there were.

“Doctors and nurses don’t know about it (and) aren’t looking for it.
Hospitals do not have the security resources that they need to even detect
some of these attacks. Device manufacturers have little incentive to do
deep forensic analysis because it may lead to a huge issue with them,”
Dameff said.

Dameff, who is the medical director of cybersecurity at UCSD, said most in
the healthcare industry think about cybersecurity only in terms of data
and HIPAA fines, which will cost providers an estimated $4 billion this

The threat to medical devices is less from bad guys and more from
unintended malware that slows devices down and endangers patients, he said.

Things like the 2017 WannaCry ransomware attack that crippled one-third of
hospitals in the U.K., or the recent spate of cryptojacking that has turned
some hospital machines into bitcoin miners, as at Decatur Memorial in
Illinois.

“I don’t think there is an army of psychopath hackers out there that are
ready to do that. Instead, I think we have a far more boring but realistic
threat. It’s unintentional spillover effects,” he said.

Officials with the Food and Drug Administration didn’t wait for someone to
get hurt to act.

After getting rapped on the knuckles a decade ago by the U.S. Government
Accountability Office for not guiding medical device manufacturers on
cybersecurity, the FDA has released multiple pieces of guidance to increase
cybersecurity in the field with new, more stringent iterations on the way.

Security researchers TPR talked to agreed these efforts are working better
on new devices — though some think the bar is still set too low — and that
manufacturers may be on the right track.

That said, this is a decade-long effort and addresses an issue touching
thousands of manufacturers, tens of thousands of hospitals and millions of

So, new devices are making progress, but what about the older ones still
being used in hospitals?

“We’re years behind the attackers in many cases when it comes to ID’ing
these vulnerabilities and patching these devices,” said Adam Nunn, a
consultant for Clearwater Compliance who has worked in hospitals for more
than 20 years.

A recent survey found that about 96% of IT professionals agreed that medical
device security was not keeping up.

Even when companies do have updates for their products, he said, the average
hospital has tens of thousands of connected devices.

Paired with the fact that most medical facilities don’t have a full-time
cybersecurity person, Nunn said hospitals often can’t keep up with security

“You remember the old cartoons where there’s a dam and somebody’s trying to
plug up the hole and holes keep opening up? It’s kind of like that,” he

Suzanne Schwartz is deputy director of the Office of Strategic Partnerships
and Technology Innovation at the Food and Drug Administration. She calls
these older, legacy devices the “last mile” problem: they were expensive to
buy and can be hard to update.

“Yeah, the legacy (device) challenge is an extraordinary challenge because
of the many factors that are involved, economics being a significant one…,”
she said.

The FDA wants more power to increase cybersecurity and to require that
devices collect more data. A federal task force recommended creating a
cash-for-clunkers program to give hospitals an incentive to retire old
devices.

And that doesn’t include the lifecycle of devices.

If it takes five years to design a product, and say a pacemaker is designed
to last around 10 years, the industry is years away from addressing
vulnerabilities discovered today.

Don’t Know What We Don’t Know

In July the Department of Homeland Security pushed an alert on a series of
vulnerabilities found in what would grow to 2 billion devices, from medical
equipment to industrial control systems.

Armis, the security firm, discovered the so-called “Urgent/11” flaws: 11
vulnerabilities in the IPnet TCP/IP networking stack of the widely used
VxWorks real-time operating system that could let an attacker remotely take
over many devices built on it. Because the bugs sit in the network stack
itself, many normal network protections do not stop them; an attacker could
take over the device, or use it as a springboard for an even larger attack
on the network.
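The practical question an alert like this raises, especially for a hospital with tens of thousands of connected devices, is which items in the asset inventory actually run an affected build. The Python below is an added example, not code from the article, Armis or any vendor: it matches a constructed inventory against an advisory's affected-version ranges. The ranges and devices are placeholders (substitute the vendor's own advisory data); the point it illustrates is that a device whose version is missing or written in a scheme the advisory does not use is reported as unknown, never silently counted as safe, because that is exactly the case where the manufacturer has to be asked.

```python
"""Triage an asset inventory against an advisory's affected-version ranges.

Added example. The inventory and the version ranges below are constructed
placeholders, not real advisory data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Plain dotted-digit versions only ("6.9.4.1"); anything else is refused.
VERSION_RE = re.compile(r"\d+(?:\.\d+)*")
Version = Tuple[int, ...]


@dataclass(frozen=True)
class Device:
    asset_id: str
    description: str
    os_name: str
    os_version: str  # as recorded in the CMMS; "" when nobody knows


def parse_version(text: str, width: int = 4) -> Optional[Version]:
    """'6.9.4.1' -> (6, 9, 4, 1); '6.9' -> (6, 9, 0, 0); '7 SR540' -> None.

    Returning None for a scheme we do not understand (service releases,
    build tags) is deliberate: guessing is how affected devices get missed.
    """
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        return None
    parts = [int(p) for p in text.split(".")][:width]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version: Version, low: Version, high_exclusive: Version) -> bool:
    """Inclusive lower bound; exclusive upper bound is the first fixed build."""
    return low <= version < high_exclusive


def triage(inventory: Sequence[Device],
           affected_ranges: Sequence[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Bucket asset IDs into affected / not_affected / unknown / out_of_scope.

    affected_ranges holds (os_name, first_affected, first_fixed) triples.
    out_of_scope means the advisory says nothing about that OS at all.
    """
    parsed = []
    for os_name, low, high in affected_ranges:
        lo, hi = parse_version(low), parse_version(high)
        if lo is None or hi is None:
            # Bad advisory data should fail loudly, not produce a clean report.
            raise ValueError(f"advisory range not parseable: {low!r}..{high!r}")
        parsed.append((os_name.lower(), lo, hi))

    result: Dict[str, List[str]] = {
        "affected": [], "not_affected": [], "unknown": [], "out_of_scope": []}
    for dev in inventory:
        ranges = [(lo, hi) for name, lo, hi in parsed if name == dev.os_name.lower()]
        if not ranges:
            result["out_of_scope"].append(dev.asset_id)
            continue
        ver = parse_version(dev.os_version)
        if ver is None:
            result["unknown"].append(dev.asset_id)  # ask the manufacturer
        elif any(is_affected(ver, lo, hi) for lo, hi in ranges):
            result["affected"].append(dev.asset_id)
        else:
            result["not_affected"].append(dev.asset_id)
    return result


# Placeholder range, NOT the real Urgent/11 advisory data: (OS, first
# affected build inclusive, first fixed build exclusive).
ASSUMED_RANGES = [("VxWorks", "6.5", "6.9.4.2")]

# Constructed inventory for the example.
SAMPLE_INVENTORY = [
    Device("CT-01", "CT scanner console", "Windows", "10.0"),      # out of scope
    Device("PUMP-12", "infusion pump", "VxWorks", "6.9.3"),        # affected
    Device("PUMP-13", "infusion pump", "VxWorks", "6.9.4.2"),      # first fixed build
    Device("MON-07", "bedside monitor", "VxWorks", ""),            # version unknown
    Device("MON-08", "bedside monitor", "vxworks", "6.4"),         # below the range
    Device("LAB-02", "lab analyzer", "VxWorks", "7 SR540"),        # foreign scheme
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY, ASSUMED_RANGES).items():
        print(f"{bucket:>13}: {', '.join(ids) or '-'}")
```

The "unknown" bucket is the one to act on first: it is the set of devices for which the only honest answer is the manufacturer's, and a report that quietly folds those into "not affected" is worse than no report.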

The FDA played a pivotal role in getting manufacturers to investigate
whether they were affected.

“Their outreach was very significant and the alert that the FDA sent out
really made the difference,” said Ben Seri, Vice President of research for

With the help of the FDA, Armis and a major manufacturer determined that
one million bedside drug-infusion pumps were affected by the Urgent/11

The FDA’s collaborative approach convinced some manufacturers to listen to

That’s a far cry from eight years ago when security researchers felt they
had to get on a stage and “do a live demo of a hack in order to get the
attention and to get some action from the manufacturer,” according to
Schwartz. “We’re in a very, very different place now.”

But most Americans don’t know much about this issue. And Jay Radcliffe says
consumers of medical devices aren’t likely to be able to keep up.

“Companies with big budgets can’t keep laptops up-to-date. How is the
consumer or patient going to keep up with patching their refrigerator,
their toothbrush, their pacemaker, their insulin pumps?” he asked. “It’s a
very daunting challenge.”

Radcliffe now works for a medical device company that builds mostly lab
equipment. And despite the risk he sees in the industry, he said, it’s
still well outweighed by the reward of his insulin pump and many other

“You know, yes, there’s some risk. But ultimately, when I look at my health,
I can’t not get these tests. I can’t not have these treatments,” Radcliffe

Unlike many patients in the U.S., however, he is at least aware of those