SoS Musings #42 - Medical Device Vulnerabilities: Healthcare is at Risk

SoS Musings #42 -

Medical Device Vulnerabilities: Healthcare is at Risk

The cybersecurity risk to connected medical devices has grown during the COVID-19 pandemic. Therefore, it is now more important than ever to bolster the security of these devices by addressing their vulnerabilities. The U.S. Department of Health and Human Services (HHS) reported a 50% increase in cybersecurity attacks against hospitals and healthcare providers' networks during the COVID-19 crisis, with hackers increasingly targeting medical devices as the number of hospital patients increases. A study conducted by researchers from Vanderbilt University and the University of Central Florida further solidified that healthcare cyberattacks can indeed decrease the quality of medical treatment provided to patients. The influx of patients during the pandemic, resulting in the increased use of healthcare devices, has expanded the attack surface for hackers, further heightening the threat posed to patient privacy and security.

There are several contributing factors to the vulnerability of medical devices to hacking. Based on Palo Alto Networks' analysis of 1.2 million Internet of Things (IoT) devices in thousands of healthcare organizations in the U.S., more than 80% of healthcare devices run on outdated operating systems, including Windows 7 and Windows XP. Medical equipment such as X-RAY machines, Magnetic Resonance Imaging (MRI) machines, and Computerized Axial Tomography (CAT) scanners have been found to be running on old, unsupported operating systems, leaving them significantly vulnerable to being targeted by cybercriminals. In addition to the continued reliance on outdated software, medical devices are often found to be configured with default passwords and left with open standard management ports. The vulnerability of medical devices leads to the manipulation of device functions, Denial-of-Service (DoS), remote code execution, and other attacks that could put a patient's life at risk.

There have been many discoveries surrounding the vulnerabilities associated with medical devices that threaten patients' safety and privacy. Researchers at the healthcare security firm CyberMDX uncovered two vulnerabilities in the Becton Dickinson Alaris Gateway Workstation used in hospital wards and intensive care units to run, monitor, and control infusion pumps. As infusion pumps are medical devices used to deliver specific doses of medicine such as insulin, painkillers, and more, continually or intermittently, any attack on these devices could put a patient's life at risk. The exploitation of one of the vulnerabilities discovered in the Alanis Gateway could allow attackers to remotely install malicious firmware on the workstation to adjust specific commands on the infusion pump, such as those that alter the rate at which drugs are administered to a patient. The U.S. Food and Drug Administration (FDA) issued an alert about a set of vulnerabilities named URGENT/11, stemming from a third-party software component that impacts medical devices and hospital networks. These vulnerabilities could be used by attackers to remotely take over devices, alter their functions, launch Denial-of-Service (DoS) attacks, leak sensitive information, and cause logical flaws. The FDA also raised awareness among patients, healthcare providers, and manufacturers about a set of cybersecurity vulnerabilities called SweynTooth that affect various medical devices with Bluetooth Low Energy (BLE), which may be pacemakers, blood glucose monitors, and ultrasound devices. Through the abuse of SweynTooth vulnerabilities, attackers can disable devices or access functions that should only be available to authorized users. Philips, a global leader in health technology, reported a vulnerability to the Cybersecurity and Infrastructure Agency (CISA) that was discovered in its ultrasound systems, which are used to produce pictures of soft body tissue structures to help in the diagnosis of various diseases and conditions. The vulnerability contained by Philips' ultrasound medical devices could allow an attacker to view or alter information using an alternative path or channel that does not require authentication, potentially leading to misdiagnosis. JSOF security researchers disclosed another series of security flaws, dubbed Ripple20, originating from a low-level TCP/IP software library that many IoT device manufacturers implement into their devices or use via embedded third-party components. Ripple20 vulnerabilities could also enable DoS, information disclosure, remote code execution, and device takeover. According to researchers, Ripple20 affects Baxter infusion pumps and other connected devices essential for providing medical care.

There are efforts from academia, industry, and other government agencies to bolster medical device security. Researchers at Purdue University developed a prototype device aimed at preventing remote hacks on medical devices by keeping these devices' signals from radiating outside the human body. This technology works via the facilitation of medical device communication in the electro-quasistatic range, which is much lower on the electromagnetic spectrum than Bluetooth communication. The Sensing, Processing, Analytics, and Radio Communication (SPARC) lab is working with the entities in government and industry to implement this technology into pacemakers, insulin pumps, and other medical devices. Researchers at the Ben-Gurion University of the Negev developed a new Artificial Intelligence (AI)-based method for protecting medical imaging devices such as Computed Tomography (CT), MRI, and ultrasound machines from malicious, abnormal, or anomalous operating instructions that may lead to a or indicate a cyberattack. Their technique uses a dual-layer architecture that applies AI to analyze instructions sent from a host PC to a medical device's physical components, thus allowing the detection of different types of anomalous instructions. The National Institute of Standards and Technology (NIST), together with the National Cybersecurity Center of Excellence (NCCoE), worked with industry vendors and integrators to develop a set of standards that Healthcare Delivery Organizations (HDOs) should follow to strengthen the security of connected medical devices. The FDA also has a guide for managing cybersecurity in medical devices, called the Postmarket Management of Cybersecurity in Medical Devices, which urges manufacturers to monitor, identify, and remediate cybersecurity vulnerabilities, as well as address exploits in their management of medical devices. Further research and guidance towards the improvement of medical device security are encouraged.

Healthcare providers, device manufacturers, and the security community must continue to be informed about the vulnerability of medical devices and other risks to healthcare, such as ransomware, to develop or improve security strategies or mechanisms.