Cyber risk in medical devices is a topic that is belatedly gaining attention. FDA has been holding public workshops on this matter and companies are also being encouraged to actively assess cyber risk in connected devices.
This is a topic that will be explored in detail at the MD&M West Conference at the Anaheim Convention Center in California, Feb 9-11.
But a report highlighting medical device hijacking at hospitals might make people sit up and take notice.
TrapX Labs, a division of TrapX Security, published an Anatomy of an Attack report on the healthcare and medtech industry by analyzing three instances where medical devices were hijacked using malware at three separate healthcare institutions. The goal in all three is to use the device vulnerability to steal data from the hospital network.
What's even more alarming is that hospital personnel were not aware that the devices were infected with malware.
TrapX did not identify the institutions where the MEDJACK - the term it uses to describe the hijacking of medical devices - occurred, but found that devices involved were a picture archiving and communications system (PACS) in one healthcare institution’s radiology department, a medical x-ray scanner in the radiology department of a second institution and several blood gas analyzers in a third healthcare institution’s laboratory department that served critical care and emergency services.
TrapX Labs personnel also found that once the malware was removed, these same devices could be re-infected very quickly. In these examples the attacks came from Europe and Asia Pacific.
Here's how Moshe Ben Simon, co-Founder & VP, TrapX Security, as well as general manager, TrapX Labs described the hijacking:
We use the term MEDJACK, or medical device hijack, to frame what we see as the attack vector of choice in healthcare. Attackers know that medical devices on the network are the easiest and most vulnerable points of entry. The MEDJACK is designed to rapidly penetrate these devices, establish command and control and then use these as pivot points to hijack and exfiltrate data from across the healthcare institution.
In the first analysis of blood gas analyzers being hijacked, TrapX security products installed in the hospital revealed the breach. The report describes this healthcare institution having strong security systems and experienced IT professionals.
TrapX acquired an older version of the product from Nova Biomedical - one of the makers of the blood gas analyzers hijacked in the hospital - to test its vulnerabilities and found that data was not encrypted. The report goes certain lengths not to assign blame on the manufacturer noting that "medical devices are FDA approved devices and additional software for cyber defense cannot be easily integrated internal to the device –especially after the FDA certification and manufacture."
Still, the report does charge more generally that, "We have observed that in some cases, the medical device manufacturer technicians are not trained or skilled sufficiently to handle complex security issues within an installed unit and prefer to instead replace the unit."
After running tests on an older version of a Nova Critical Care Express unit, TrapX professionals found that once hijacked, measurements could easily be manipulated even though in the hospital attack that had not occurred. Rather the device was used as a backdoor to enter the hospital network and gather information such as passwords.
In the second instance a picture archiving and communications system (PACS) had been hijacked at another hospital unbeknownst to hospital IT staff. This had occurred when a user within the hospital network had visited a malicious website. Finally, the third instance involved an X-ray system within a lab becoming infected with advanced malware.
The main source of the problem seems to be that per FDA requirements, medical devices are closed systems and hospital staff cannot install 3rd party software on them.
So given the vulnerable ecosystem, what's to be done? TrapX has specific recommendations for healthcare institutions. Here are the top three:
- Implement a strategy to rapidly integrate and deploy software fixes and/or hardware fixes provided by the manufacturer to your medical devices. These need to be tracked and monitored by senior management and quality assurance teams.
- Implement a strategy to procure medical devices from any vendor only after a review with the manufacturer that focuses on the cyber security processes and protections. Conduct quarterly reviews with all of your medical device manufacturers.
- Implement a strategy to review and remediate your existing devices now. We estimate informally that many of these are likely infected and creating additional unknown risk for your institution and your patients.
The implication is clear. The onus is on hospitals and healthcare systems to push device makers to do more to make their devices more secure as they do not have access to the devices' operating systems. Here's Simon advising hospitals:
Trapx Labs strongly recommends that hospital staff review and update their contracts with medical device suppliers. They must include very specific language about the detection, remediation and refurbishment of the medical devices sold to the hospitals which are infected by malware. They must have a documented test process to determine if they are infected, and a documented standard process to remediate and rebuild them when malware and cyber attackers are using the devices.
However, FDA also has a role in cybersecurity of devices and the report suggests that it can do more.
"The FDA also needs to consider taking the initiative to further spell out the responsibilities of the medical device manufacturers if and when dangerous malware infections such as the MEDJACK attack vector are suspected. Government intervention may be a necessary part of the solution to remediate and resolve MEDJACK," the report declared.
What becomes increasingly clear in the report is that bad actors are currently hijacking medical devices to acquired passwords that can be sold for top dollar but it is perfectly possible to actually manipulate these devices with disastrous results for patients.
Two sessions at the MD&M West Conference, Anaheim Convention Center, Feb. 9-11, will address assessment of cyber risk