Report: Evidence of Healthcare Breaches Lurks On Infected Medical Devices

chicksdaddy writes: Evidence that serious and widespread breaches of hospital- and healthcare networks is likely to be hiding on compromised and infect medical devices in clinical settings, including medical imaging machines, blood gas analyzers and more, according to a report by the firm TrapX. In the report, which will be released this week, the company details incidents of medical devices and management stations infected with malicious software at three, separate customer engagements. According to the report, medical devices – in particular so-called picture archive and communications systems (PACS) radiologic imaging systems – are all but invisible to security monitoring systems and provide a ready platform for malware infections to lurk on hospital networks, and for malicious actors to launch attacks on other, high value IT assets.

Malware at a TrapX customer site spread from a unmonitored PACS system to a key nurse's workstation. The result: confidential hospital data was secreted off the network to a server hosted in Guiyang, China. Communications went out encrypted using port 443 (SSL), resulting in the leak of an unknown number of patient records. "The medical devices themselves create far broader exposure to the healthcare institutions than standard information technology assets," the report concludes. One contributing factor to the breaches: Windows 2000 is the OS of choice for "many medical devices." The version that TrapX obtained "did not seem to have been updated or patched in a long time," the company writes.

Meanwhile, HIPAA fines will skyrocket

[Tony+Isaac]

HIPAA imposes fines for each patient's record lost through security breaches, even if the medical provider "did not know (and by exercising reasonable diligence would not have known)" https://kb.iu.edu/d/ayzf that there was a breach. These kinds of punitive rules have scared the entire industry to death, and yet the open secret is that nobody is safe from breaches, or these fines. This story illustrates how the law has done little, if anything, to actually protect privacy.

Most providers react to HIPAA in one of two ways:
1) They over-react, creating stupid policies like refusing to tell even a patient's own spouse the details of a patient's medical condition, unless the proper paperwork has been filed, or
2) They under-react, blissfully ignoring any privacy concerns.

If we're going to try to regulate privacy in the medical industry, how about let's focus on the device and software makers with certification programs, and let hospitals and physicians get back to doing what they do best: treating illnesses.

Re:Not Just That Machine

If I'm understanding the story right, it didn't. The medical image server got infected somehow but didn't have outbound network access. From that server, they then infected a work station, that DID have outside network access. From there, they sent data to China.

The root issue is ultimately government regulations, which prevent these devices from being patched. You can't simply patch a medical device because then it loses its FDA certification. And it's only going to get worse, since part of Obamacare is requiring everything to be stored digitally. We're moving from good ol' paper records (that anyone can read) to a digital mess that requires special proprietary software to read and can't be patched without months of government red tape.

Of course, the people stealing medical records don't have to carry about the insane licensing fees necessary to get software that can read the records they steal - they just steal the software, too.

FDA Certification Part of the Problem

[eth1]

The reason a lot of these devices use outdated OSes is that it has to be FDA approved. I used to work on some hospital networks, and not only were some of these systems running out-dated operating systems, they couldn't have any security updates applied without losing their FDA approval. We kept these systems locked in solitary confinement behind firewalls (with no Internet access), but you still have to be able to get to them over the network to actually use them (and worse, occasionally by remote radiologists coming in over a VPN from who knows where).

Re:Not Just That Machine

[TheCarp]

> The root issue is ultimately government regulations, which prevent these devices from being patched.
> You can't simply patch a medical device because then it loses its FDA certification.

No. The issues are far deeper than that and have ALOT to do with the overall fragmentation of the entire medical industry and the culture of vulchers that fly around the clinical medical industry looking for ways to get their feet in the door to steady profits.

Here is what i saw from spending too long on thos front lines:

They are all trying to build an embeded solution they can charge for support on, they will generally work directly with the clinics, bypassing central IT as much as possible, and bring them in only at the end, and try to position them as the road blocks on the project because.... they want to keep all the support to themselves.

Then when IT patches all their systems and sees "hey this is an out of date linux box" the vendors sit on their thumbs and cry about FDA certification, as if the responsible thing to do wasn't to immediately contact the FDA about re-certifying. Oh no but that would cut into their profits!

Hell if they really cared, they would fix it, and tell the FDA that if they even try to levy a fine, they are going public with exactly what level of risk and vulnerabilities the FDA is effectively forcing people to accept. Who do you think would look bad after that exchange? "We fixed this problem to protect our patients in spite of the FDA trying to make us not" you think that isn't the kind of issue that would get an FDA head called before congress?

It is, but it never happens, because the profiteering industry likes the regulations the way they are because they don't like having to patch, its a bother.