TENERFIE, Spain – Sergey Lozhkin knows malware. Medical devices? Admittedly, not so much.
That, however, was not an impediment to the Kaspersky Lab researcher in cracking the digital walls of a Moscow hospital and finding a shocking array of open doors on the network and weaknesses in medical devices and applications crucial not only to the privacy of patients, but also their physical well-being.
Today at the Kaspersky Lab Security Analyst Summit, Lozhkin told a real-world tale of how relatively easy it is for a hacker to get onto a hospital network using available tools and having very little background in medical device security.
“I have no information on medical equipment; I don’t know how it works,” he said. “I started the research just to learn something. It’s really scary. When we develop technology in software systems, engineers forget about IT security. It’s a problem not just with medical equipment, but in a lot of areas of the industry.”
In the U.S., more attention is being paid to medical device security than ever. Couple that with privacy concerns that are regulated by HIPAA, and health care security is a hot-button issue. The same cannot be said for Russia, Lozhkin said, despite the same threats and weaknesses.
Attacks against medical devices expose not only reams of patient data, including diagnoses and medicinal treatments, but access to MRI devices and management applications could lead to catastrophic results if they are reconfigured by an attacker wishing to do physical harm.
Lozhkin said a major problem is that some of these devices not only suffer from traditional software vulnerabilities, but many are connected to the Internet and reachable via remote interfaces used by physicians during treatment.
Lozhkin said he found thousands of hospital devices online using a Shodan search, including radiology apps, MRI devices and of course, webservers. One search result turned up a Moscow hospital run by a friend of Lozhkin’s; among the the results was a Siemens log-in portal for a CT scan machine guarded only by a default password. Lozhkin told his friend at the hospital about the situation, who agreed to an informal pen-test. Lozhkin wanted to attack the hospital the way a black hat would—without of course accessing patient data or manipulating devices—and he started by sitting outside the location and cracking the facility’s Wi-Fi. He said he was able to brute-force the Wi-Fi credentials, which he said were “configured badly with an easy password” Once on the network, additional weak security was evident immediately, starting with an XP machine still vulnerable to MS-08-067.
“You can say I just hacked [lousy] Wi-Fi, so what?” Lozhkin said. “The guys who are creating software for medical devices should think about someone configuring [lousy] Wi-Fi access to the local network.”
Once on the network, using available pen-testing tools, Lozhkin was able to find a control panel for a MRI machine that was not password protected, There was also access to a C Shell in the application.
“You could do anything you wanted; add files, get a full list of patients, information on diagnoses, all on this device,” Lozhkin said.
In January, the U.S. Food and Drug Administration issued cybersecurity guidelines for medical device manufacturers, with recommendations including the adoption of risk management programs and calls for provisions to be made accept and triage vulnerability disclosure.
The relative maturity of software security in health care is relatively low, but there encouraging signs. Data from the most recent iteration of the BSIMM model shows some signs of improvement, but health care does lag behind more bleeding edge industries such as financial services. Gary McGraw, founder of Cigital and one of the innovators behind BSIMM, said that a number security executives from financial services are moving over to large health care organizations, another indication of the prioritization of security in healthcare.