LAS VEGAS – The healthcare space continues to face threats when it comes to cybersecurity – and researchers are concerned that security threats are evolving from impacting patient data privacy to actually threatening patient safety.
A lax culture around cybersecurity from medical device manufacturers and healthcare professionals (and a lack of education around good security measures) is putting hospitals – and subsequently their patients – at risk, said researchers, speaking at Black Hat 2018.
“Whether [healthcare professionals] like it or not, code, networks and devices are now caring for patients every single day and it is so important to remember that securing them, we think, will save lives,” said Christian Dameff, M.D. at the University of California at San Diego School of Medicine and security researcher..
In the modern healthcare landscape, hospitals and healthcare systems face an array of different types of threats impacting patient data – and, on the other end of the spectrum, patient safety.
For one, healthcare security privacy debacles seem to occur almost daily at this point, undermining what the Health Insurance Portability and Accountability Act (HIPAA) seeks to prevent. Last month, four healthcare IT companies warned that ProCare Health has been storing hundreds of thousands of patient records containing personally identifiable information (PII) – without the knowledge or consent of the data subjects.
In April, a slew of devices from medical technology company Becton, Dickinson and Co. (BD) were found to be vulnerable to the infamous KRACK key-reinstallation attack, potentially enabling hackers to change and exfiltrate patient records.
There are several root causes behind these attacks, including the use of legacy equipment (including Windows XP), connected and insecure medical devices, and an overall lack of education around security. But researchers warn that these issues need to be resolved soon as attacks in the medical field grow more sophisticated and targeted.
Already in the first three months of 2018, there have been 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than 1 million patients and health plans.
Beyond privacy, another threat revolves around “availability attacks,” which are cyber-threats that impact patients’ physical access to care.
The most notorious example of these types of threats involve the WannaCry attacks of 2017. The now-infamous ransomware, which broke out in May 2017, spread to more than 300,000 computers in 150 countries – hitting hospitals and the National Health Service in the UK particularly hard. These attacks not only brought down computer systems, but paralyzed hospitals’ ability to keep customers’ appointments, preventing patients’ access to care.
Patient Safety in the Sights
Beyond these known dangers, an emerging threat comes in the form of data integrity attacks. Bad actors are potentially able to changes data flowing from various points – so that doctors may be looking at and acting on false patient information.
At Black Hat today, a group of experts specializing in both healthcare and security from UC-San Diego and UC-Davis outlined how to exploit vulnerabilities in the Health Level 7 (HL7) standard – the protocol which acts as a common language in hospitals to transmits order or lab results – to change lab results coming from blood gas machines and urinalysis machines.
The problems run the gamut: HL7 lacks encryption at the standard level, lacks verification of message sources and contains no authentication for message transmission. Ultimately, the conference speakers, Jeff Tully, Christain Dameff, and Maxwell Bland, were able to launch a classic man-in-the-middle (MITM) attack between lab information systems and the HL7 interface engine to modify lab results.
One example of a modified lab result that could actually harm a patient would be tweaking the blood analysis to look like a patient has diabetic ketoacidosis (DKA) – thus potentially causing a doctor to inject the patient with insulin, which could be highly dangerous and even cause death to a patient that doesn’t need it.
“[These attacks] alter how physicians act with patients because they trust technology implicitly,” said Tully.
Given the risks that the medical field faces in terms of device and system security, researchers in the infosec community, for their part, have expressed frustrations with how several parties in the healthcare market have reacted to these flaws.
No one knows that better than Billy Rios, of WhiteScope, and Jonathan Butts, of QED Secure Solutions, who in 2017 reported an array of vulnerabilities in medical devices (including pacemaker programmers and insulin pumps) that contain potentially life-threatening dangers if accessed by bad actors.
The pacemaker programmers (Carelink 2090) and insulin pumps (models like the MiniMed 508) were made by manufacturer Medtronic, and Rios and Butts were able to hack into them in order to stop or cause a pacemaker to give patients a shock; they were able to also block insulin pumps from giving patients the insulin they may need.
A proof-of-concept exploit attack was released by researchers in March 2018 — after which the manufacturer issued advisories for the flaws on August 7. That’s more than 570 days after they were first reported.
“It’s disappointing to know these have been out there for a long time,” said Rios. “For the last two years, we’ve been increasingly frustrated with how our research was dealt with.”
Despite these frustrations and risks around security in the healthcare space, Butts, for his part, said that the Food and Drug Administration (FDA) are taking steps in the right direction by creating a “Medical Device Safety Action Plan,” which he said “will be a big step forward.”
According to the FDA, this plan outlines how to establish a medical device patient safety net in the U.S., explores regulations for security in the medical field and aims to advance medical device cybersecurity.
For researchers like Rios and Butts, the document will mainly act as a third-party mediator to work with both researchers and device vendors who may be butting heads over mitigating security risks.
Beyond the medical device vendors, the shift in culture to prioritize medical device security also needs to come from hospitals themselves – where ultimately doctors are the ones choosing and using the gear, researchers said.
To that end, hospitals can take multiple steps to highlight better security measures, including securing network deployments and enabling proper configuration, so that updated systems are used where possible. And, said Dameff, hospitals need to make sure they use security-conscious protocols and ecosystems.
However, most importantly, medical professionals must be educated and trained on good security practices, in order to better understand just why security is so critical when it comes to patient safety.
“We need to get doctors to care about security; security teams in hospitals are frustrated, but when you show them what could happen using language they can understand, and show that the risks impact patient safety [and not just] data safety, that could help them begin to care more,” said Dameff.