SoS Musings - Cyberattacks Against Medical Devices: A Life or Death Problem
By grigby1
Cybercriminals are increasingly focusing on medical technology. The purpose of medical technology is to save lives and enhance the quality of life, as it is used in the diagnosis, monitoring, and treatment of a wide variety of serious and minor illnesses and injuries. However, as the connectivity of the healthcare industry grows, hackers are increasingly enticed to target medical devices. In addition to increased connectivity, the healthcare sector has valuable data and inadequate security practices, which significantly contribute to the rise in medical device targeting among cybercriminals. Different types of medical devices have been found to be vulnerable to cyberattacks that threaten healthcare operations, potentially impacting the safety and privacy of patients.
A Proofpoint and Ponemon Institute survey found that 66 percent of healthcare organizations that have been affected by the most common types of cyberattacks (i.e., cloud compromise, ransomware, supply chain, and Business Email Compromise (BEC)) reported disruptions to patient care. Fifty-seven percent reported poor patient outcomes as a result of delays in procedures and tests, 50 percent reported an increase in medical procedure complications, and 23 percent revealed an increase in patient mortality rates. These numbers suggest that healthcare organizations have made little progress in mitigating the threat of cyberattacks to patient safety and well-being.
Security is not always a top priority when developing medical devices. As cybersecurity researcher Alex Vakulov pointed out, many medical devices are easily connected to the Internet, have simple passwords, or sometimes do not require passwords. The absence of security is a significant problem because it allows hackers to compromise the devices, infiltrate hospital systems, and execute malicious software. According to a report published by Cynerio in 2021, ransomware attacks on healthcare facilities increased by 123 percent, costing over $21 billion for more than 500 attacks. The Internet of Medical Things (IoMT) is a special branch of the Internet of Things (IoT). IoT involves different types of devices, such as smartphones, wearables, and industrial sensors, whereas IoMT focuses on medical devices. Both IoMT and IoT devices use cloud-based storage and Artificial Intelligence (AI)-powered communication to share data. IoMT devices go a step further by helping healthcare professionals assess, diagnose, treat, and keep track of patients' conditions. Cybercriminals target IoMT devices and systems to steal sensitive data, which they may hold for ransom or sell on the dark web. Security flaws in medical devices widen the attack surface, providing hackers with more entry points. Some examples of typical problems include poorly managed access controls, outdated systems, poor security patch management, and vulnerable open-source software elements.
The 2022 State of Healthcare IoT Device Security Report by Cynerio reveals that more than 50 percent of the Internet-connected medical devices analyzed by the company had a known vulnerability. The finding came from analyzing over 10 million medical devices at more than 300 hundred hospitals and medical facilities worldwide. According to the report, infusion pumps represent 38 percent of a hospital's typical healthcare IoT footprint, and about 73 percent have a vulnerability. Infusion pumps deliver medication and nutrition into a patient's circulatory system in clinical environments. Security vulnerabilities in such devices could compromise patient safety, data confidentiality, or service availability if they were exploited by an adversary. For example, multiple security flaws were found in Baxter's Internet-connected infusion pumps that could result in access to sensitive data and system configuration changes, according to the US Cybersecurity and Infrastructure Security Agency (CISA). Rapid7 researchers found the four vulnerabilities in Sigma Spectrum v6.x model 35700BAX, Sigma Spectrum v8.x model 35700BAX2, Baxter Spectrum IQ v9.x model 35700BAX3, and other Sigma Spectrum infusion systems. The exploitation of the vulnerabilities could result in a remote Denial-of-Service (DoS) attack, or allow an attacker with physical access to the device to extract sensitive information or conduct adversary-in-the-middle attacks. The vulnerabilities could also lead to the loss of critical Wi-Fi password data. Baxter cautioned that these issues could cause therapy delays and interruptions.
The FBI issued a warning about hundreds of vulnerabilities in widely used medical devices that could facilitate cyberattacks. The FBI’s Internet Crime Complaint Center (IC3) identified a growing number of vulnerabilities posed by unpatched medical devices operating on outdated software and devices lacking adequate security features. Insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps were found to contain vulnerabilities that malicious hackers could exploit to take control of them, manipulate readings, cause drug overdoses, and more. According to the FBI, most vulnerabilities in medical devices derive from poor device hardware design and software management. Common challenges include a large number of managed devices on the network, an absence of device-embedded security features, and the inability to upgrade those features. The FBI emphasized that some healthcare facilities have used medical device hardware for over 30 years, providing cybercriminals and nation-state actors with much time to find and exploit vulnerabilities.
Brainjacking, the hacking of surgically implanted devices in a human's brain, is a growing concern among cybersecurity experts. This type of cyberattack involves a hacker gaining unauthorized access to a human body's brain implants, also called neural implants. If an attacker hacked implanted devices in a human brain, they could control the patient's cognition and functions, thus posing a significant threat to the patient's well-being. Brain implants are microchips connected directly to a human's brain to establish a Brain-Computer Interface (BCI), which allows brain activity to be used to control a computer. This technology is important for people whose brains are dysfunctional because of medical issues. The unauthorized control of neural implants was considered science fiction, but the growing advancements in medical technology have made the threat real. According to a study from the Oxford Functional Neurosurgery, medical implants are vulnerable to different cyber threats, potentially leading to implant battery drainage, information theft, tissue damage, impairment of motor function, and more.
The National Institute of Standards and Technology (NIST) announced a winner in its program aimed at finding an effective data defender for small devices, including implanted medical devices. Ascon, the winning set of cryptographic algorithms, will become the NIST's lightweight cryptography standard. The selected algorithms are supposed to protect information generated and transmitted by IoT devices, including its various tiny sensors and actuators. In addition to implanted medical devices, they are designed for other miniature technologies, such as stress detectors inside bridges and keyless entry fobs for vehicles. These devices require lightweight cryptography, which is protection that uses their limited electronic resources. According to Kerry McKay, a computer scientist at NIST, the chosen algorithms should be suitable for the majority of tiny technology forms. The Ascon family currently has seven members, and some or all of them may become part of the NIST's published standard for lightweight cryptography. As a family, the variants offer a variety of functionalities that provide designers with options for different tasks. McKay said that Authenticated Encryption with Associated Data (AEAD) and hashing are two of the most essential tasks in lightweight cryptography. AEAD preserves the confidentiality of a message, but it also enables the inclusion of extra information, such as the header of a message or a device's IP address, without being encrypted. The algorithm guarantees that all protected data is authentic and has not been modified in transit.
The National Science Foundation (NSF) awarded funding to a team of researchers at Virginia Commonwealth University (VCU) in support of a project aimed at improving the security of Internet-connected medical devices. The Principal Investigator (PI) of the VCU-based MedKnights project, Tamer Nadeem, Ph.D., explained that the project's focus is on IoMT devices. Nadeem and co-PI Irfan Ahmed, Ph.D., both associate professors in the VCU College of Engineering Department of Computer Science, were awarded $600,000 by NSF's Office of Advanced Cyberinfrastructure to develop a framework to improve the security of IoMT devices. All IoMT devices are at risk of facing ransomware attacks, DoS attacks, and other malicious hacker attacks. Building a test bed, which is an isolated hardware/software assembly mimicking the Internet-enabled hospital setting, is part of the MedKnights team's preparation for exploring malicious IoMT attacks. The test bed will include datasets based on typical IoMT device behavior, traffic, and known attacks. The MedKnights project will delve into vulnerabilities in various IoMT hardware and software by subjecting the elements of the IoMT test bed to different attacks.
A data security advancement discussed in the International Journal of Information and Computer Security could help improve medical device security. According to a team of researchers from Isra University, Iraq University College, and Al-Maaqal University, the Japanese puzzle known as Sudoku promises a cryptographic system for text information, which works even in situations where there is limited computational power. The approach could be applied to medical devices, remote sensing networks, smart cards, and Radio Frequency Identification (RFID) devices. The team demonstrated how the dynamic nature of the Sudoku puzzle could be used as the foundation of a secret encryption key or cipher to introduce a new approach to securing sensitive information. The researchers said the approach's dynamic nature can significantly improve the security of a system.
To continue developing or improving security strategies or mechanisms, healthcare providers, device manufacturers, and the security community must remain informed about the vulnerability of medical devices to cyber threats.
To see previous articles, please visit the Science of Security Musings Archive.