Hijacked medical devices can leave networks exposed
Because these devices haven't been designed with security as a priority, they have proven readily hackable. Beyond the immediate risk to patients, compromised connected devices can be used as a way to undermine other devices and steal valuable data, according to a report from TrapX.
The problem is compounded by Food and Drug Administration (FDA) restrictions that limit adding security to these devices, uncertain cooperation from vendors who make them and the attractiveness of medical information as a target, the report says.
Once compromised, these devices can be used to launch broader attacks against host networks. Because it may be difficult to detect malware on these devices, the malware can survive efforts to clean up the broader attacks. Then the hacked device can serve as a backdoor to launch further incursions. "The whole idea is to maintain persistence in the target environment," says Greg Enriquez, CEO of TrapX.
Finding this malware and cleaning it up is made difficult by FDA rules that require these systems to be closed. "As FDA certified systems, they are not open for the installation of additional third-party software by the hospital staff," according to the TrapX report, so monitoring software can't be added. "You cannot easily detect malware on a system which you cannot scan."
The devices investigated by TrapX were critical to delivering healthcare, making it difficult to schedule time for remediation. "The outgoing IP addresses can be shut down, but removal of the malware is a tricky proposition," the report says. "Hospitals really don't want to impact the operation of these systems they depend on these medical devices on a 24 hour, 7 day per week basis."
The very presence of these devices in networks may make the networks less secure, and attackers are drawn to these networks by the medical information they contain. "For all of these reasons we expect targeted attacks on hospitals to increase throughout 2015 and 2016," the report says.
The TrapX report details three medical-device hacks at facilities it does not name for reasons of confidentiality. One involved blood-gas analyzers in a lab being used as a backdoor into the network. A second details the compromise of picture archive and communications system (PACS) that stores radiology images and makes them available to doctors and so is very well connected within the network. The third involved a backdoor installed in an X-ray system.
The FDA is aware of these issues with medical devices and has said it will waive restrictions on some types of medical devices. In particular, as of February 2015 it is loosening up on regulations for medical device data systems (MDDS) such as the PACS described in the TrapX report.
The FDA didn't do away with the regulations, it just stated that it won't enforce them, which means that from a network security standpoint, hospitals have more freedom to alter them in order to better secure them as network-attached devices. Even if those alterations adversely affect their functioning, the danger to patients is low, according to the FDA reasoning.
As part of its investigation, TrapX showed how it could compromise a particular blood-gas analyzer and use it to pivot to other devices on the target network. The NOVA Critical Care Express was the device, which used Windows 2000 as its operating system.
Enriquez says that he hasn't seen it in practice, but ransomware criminals targeting common operating systems could go after medical devices that use them, encrypting them and demanding payment for keys to unlock them.