All Your Hospital Are Belong To Us.
Re-posted from intothecyberbreach.com, originally published on February 15, 2020.
This morning, I ran across a 2014 article on Wired.com, which explains that hospital medical devices and other related gadgets (what we would today call IoT or the “Internet of Things”) are shockingly easy to access via the wireless network, and vulnerable to abuse by would-be hackers. For some reason, the article reminded me of an old meme from the early 2000s, hence the name of this post. I ended up down a bit of a Wired.com rabbit hole, which I figured I’d share with you.
Back in 2014, they reported on a study that found “drug infusion pumps–for delivering morphine drips, chemotherapy and antibiotics–that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care….” as well as discovering “they could blue-screen devices and restart or reboot them to wipe out the configuration settings, allowing an attacker to take critical equipment down during emergencies or crash all of the testing equipment in a lab and reset the configuration to factory settings.”
I assumed that, given the article was almost six years old, the security situation in hospitals would be markedly improved. My initial research has not borne that out exactly. By 2017, Wired was reporting that “Medical Devices are the Next Security Nightmare.” A little weird, if you ask me, since they identified the issue three years earlier, but I digress. Wired reported that while the FDA had begun providing guidance on cybersecurity concerns, a significant percentage of medical devices were running on outdated operating systems or technology that is no longer supported with security patches, and had already gotten through FDA approval and into common usage. Instances of Windows XP (which was released in 2001, almost 20 years ago) were found running major hospital computers and connected to various devices (they cited an average of 10 to 15 connected devices per bed, with a large hospital having up to 5,000 beds). The FDA has certainly stepped up its cybersecurity game since 2017, and it offers great cybersecurity resources for the medical community.
Fast forward to 2019, Wired reported on a newly discovered vulnerability on devices that have been in use in hospitals for nearly 20 years. The problem, as put by one cybersecurity analyst, is that “once you identify what is vulnerable, how do you actually update these devices? Often the update mechanism is almost nonexistent or it’s such an analog process it’s almost like it’s with a screwdriver. It’s not something that can be done at scale. So I don’t know if it will ever be accomplished to update all of these machines.”
But it's never enough to just identify the problem and put our hands in the sky. HIPAA has long required notification for security breaches of personally identifiable health information. But newer data privacy laws like NY SHIELD, CCPA and GDPR take data security a step further by expanding the definition of protected private information. For instance, NY SHIELD considers a username and password combination to be protected private information that businesses are required to safeguard. For all of their efforts complying with HIPAA, healthcare organizations are at risk of noncompliance (pronounced, “law enforcement”) with regard to state data privacy laws.
So, the good news is that the FDA is aware of the issue, and there appears to be somewhat less of a “wild west” attitude towards IoT medical device security. The bad news is that 2020 is predicted to be a banner year for ransomware and medical device cybersecurity concerns generally.