The Difficulty of Gauging Health Care Cybersecurity Risk
While the threat of hacked medical devices has drummed up headlines, the bigger health care cybersecurity threat is likely commodity malware.
In 2016, the cybersecurity division of the U.S. Department of Homeland Security released a warning that a class of medical devices had a whopping 1,418 vulnerabilities. Admittedly, the devices in question were end-of-life versions of BD Pyxis SupplyStation health care inventory management system. But this extreme example points to the type of collision course that can occur when complex software and connectivity drive core medical device functionality.
DHS reasoned that an adversary of low skill could successfully attack the aging Pyxis devices. And over the past decade, security researchers have proven dozens of medical devices, from pacemakers to infusion pumps, are at risk of a cyberattack. Austrian cybersecurity researcher Tobias Zillner, for instance, revealed that a St. Jude Medical pacemaker model produced until 2017 could be hacked using a 2000-era cell phone and the device could be incapacitated within three hours by draining the battery via a cyberattack. A firmware update was later made available to harden that device…
It’s not just older systems that are at risk. The company Attivo Networks, which uses deceptive tactics to identify network threats, also observed malware on brand-new connected patient monitoring devices loading malware onto decoy devices. One of its customers, a health care company with more than 15,000 employees, discovered the problem on a segmented network, said Attivo’s Carolyn Crandall, whose de facto title is chief deception officer. “Nothing should be able to get on or off that network. The software on the patient monitoring devices came in factory installed. So here, you have an issue with the supply chain,” Crandall said.
While acknowledging this event to be “one of the more extreme examples” of a health care breach, Crandall said Attivo has documented numerous attacks on health care institutions. The people behind such breaches are often looking for personal health information or information from research labs, Crandall said. “And they are looking for the weakest link in your infrastructure to get there, whether it is a medical device or a connected laboratory microscope.”
While medical device hacking is a topic that has received a substantial amount of attention over the years, medical lab environments “come with security risks related to data tampering which could impact patient care or device operations,” Crandall added. They could give attackers access to sensitive intellectual property, or could cause chaos that leaves lab technicians at greater risk of being exposed to hazardous materials. “As such, medical lab hacking could be for the intent of nefarious actions, however, it is more likely a way to gain access to other systems,” she explained. Attivo Networks researchers haven’t detected tampering with conclusive intent to directly harm. But Crandall says an underappreciated security concern is the possibility of hackers looking for health information on celebrities or dignitaries who intend to sell or drive media interest in their diagnoses or treatment information. “We have also seen instances of unauthorized laboratory activities […] from a curious student trying to learn outside of a sanctioned curriculum,” Crandall added.
Medical devices, which often have long life cycles, can provide an on-ramp for hackers to health care networks. Traditional IT security strategies such as installing software agents to monitor the devices are impossible given prohibitions on modifying code on medical devices that haven’t been cleared by regulatory authorities.