From Trojan.Kwampirs to KRACK, the last year has seen no shortage of reminders that medical devices are subject to attack. On April 23, software provider Symantec reported that it had analyzed Kwampirs backdoor hacks from cybercriminal group Orangeworm: 39 percent were on healthcare equipment like x-ray machines, MRIs, and systems used to complete patient consent forms. KRACK, on the other hand, didn’t attack devices. Rather, it compromised Wi-Fi Protected Access II (WPA2) — the connection between devices.
“Prior to network connectivity, these devices were protected by physical security. Only authorized medical personnel were allowed in the room with the patient. If changes to the infusion pump operations were made, they were made by pressing buttons on the device,” says Michael Nowatkowski, information security professor at the Augusta University Cyber Institute. Now everything’s connected, leaving hospitals and healthcare systems scrambling. Research provider KPMG says 41 percent are turning to improved governance and policies while 33 percent outsource device security to third parties.
For those who do manage medical device security internally, experts offer this advice:
1. Get better at protecting everything
If you believe what you see on television, the goal of a medical device attack is to hurt the patient. Both “Sherlock” and “Homeland,” for example, show people being murdered by their pacemakers. KPMG cyber practice partner Michael Ebert says that’s not how these attacks work in real life: “Cyberattacks today have the potential to harm patients, but most of the attacks against medical device makers are aimed at stealing their technology so devices can be copied or product development dead ends can be avoided.”
In other words, device hackers want the same thing most hackers want: information. According to Nowatkowski, hackers may not even realize they’re in a device when they try to get it: “Many of these systems run operating systems similar to a normal computer, so the attacker may think they are just exploring a computer rather than a medical device.”
Limit damage from this particular brand of hacker by improving security overall. Implement the same best practices for medical devices that you would for traditional computers. For example, Ali Youssef, principal mobile architect at Henry Ford Health System in Detroit, says, “Ensure that data is encrypted,” explaining that device software should “support EAP TLS authentication and WPA2 encryption as a baseline.” Eric DiPietro, application consultant with security integration company Optiv, says to monitor for vulnerabilities and if you see one, patch it: “Develop and follow a mature patching plan to keep systems and devices up-to-date.”
2. Isolate at-risk patients
In those rare instances when hackers are after patients, they usually want their personally identifiable information (PII). Sometimes they’re after as much PII as they can get, no matter who the patients are. In other instances, they’re looking for data on a specific person. Nowatkowski says, “High-profile individuals may be at greater risk than the general public,” particularly politicians, business leaders, and “celebrities or wealthy individuals that could be ransomed.”
To get to one person, hackers usually have to attack multiple machines: “A hacker may not be completely aware of which device they happen to exploit,” Nowatkowski says. “The attacker may not know exactly which device their target is attached to.” In other words, cybercriminals might know a celebrity’s in room 914, but be unable to tell which IV or heart monitor is in that room. So, they target the entire floor. Isolating famous patients won’t make their information safer, but it will narrow the scope of any attack, limiting possible PII breaches to fewer people.
3. Protect data by not collecting it
DiPietro recommends hospitals stop collecting patient social security numbers (SSN) and other PII. “Better protect patient data by removing sensitive data — for example, replacing a patient's SSN with a non-sensitive identifier,” he says.
Social security numbers haven’t been required for insurance reimbursement since before 2014, so why does your hospital still ask for them? What other personal information does your facility collect that you don’t really need? Hackers can’t steal data you don’t have — through a medical device or any other means.
Unfortunately, this tip may be a hard pill for the business side to swallow: It requires change. As ABC News reports, many hospitals ask for social security numbers simply because there’s a line for them on forms. Pulling that line off takes buy-in from multiple departments.
Management doesn’t always speak security, but they do speak HIPAA, so improve your chances by showing how minimizing data collection helps regulatory as well. DiPietro says, “Medical staff sometimes ask [for PII] in public settings, such as waiting rooms” where anyone can overhear, and that’s a HIPAA violation. Limiting the info requested solves a problem for you and them — and it gets patients triaged more quickly.
4. Teach everyone about security
The nurse who checks an IV machine doesn’t have to be a cybersecurity expert, but she does have to know hacks happen. This isn’t just so she can call IT when equipment acts up. It’s also so she doesn’t accidentally help the hackers. “If someone wanted to attack an x-ray machine,” DiPietro explains, “they likely wouldn’t start with going after the operating system or trying to hack into the network. They would likely start with researching the machines, how often they should be updated, who is using them, and who is in charge or has oversight. They may start by calling the hospital, posing as a representative from the x-ray machine company and trying to find out who is in charge of that machine,” which is where that nurse comes in. “The hospital may inadvertently give the attacker a name and the attacker can often guess an email via social engineering,” he continues. “Once the attacker has that, they don’t have to really ‘hack’ the network. They can just use approved credentials.”
According to KPMG’s survey, 38 percent of respondents train all senior leadership on infosec while 34 percent run cyber-response drills for specific staff. But IT and management are where the study says most training stops, leaving all other employees vulnerable to phishing calls.
5. Invest in deception tech
Carolyn Crandall, chief deception officer for security company Attivo Networks, says, “Healthcare IT teams need tools in their arsenal that not only defend the network perimeter but also help them detect and respond to in-network threats quickly, efficiently, and effectively.” These tools, of course, include a technology Attivo sells: deception software.
Don’t be so quick to dismiss Crandall’s advice just because she’s a vendor. “Deception is an emerging security control driven by the need to reduce attacker dwell time,” she explains, adding that the average U.S. hack remains undetected for 100 days. Some hospitals use next-gen firewalls for protection, she continues, “but these [are] centered on signature or database look-up” and don’t protect against credential harvesting. As DiPietro pointed out, once hackers have the right credentials, they can waltz right through.
Deception tech, Crandall explains, creates an “endpoint where deceptive credentials and bait are strategically placed to entice an attacker into harvesting them.” This, she says, sets up a trap for security teams to catch medical device hacks before they happen.