It's Way Too Easy To Hack the Hospital

schwit1 sends along a lengthy piece from Bloomberg about the chaos currently surrounding medical device security: The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.

Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers. For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.

"Every day, it was like every device on the menu got crushed," Rios says. "It was all bad. Really, really bad." The teams didn't have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn't be changed, and so on.

Sooner or later, hospitals would be hacked, and patients would be hurt. He'd gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve. "Someone is going to take it to the next level. They always do," says Rios. "The second someone tries to do this, they'll be able to do it. The only barrier is the goodwill of a stranger."

Re:how does anyone make money off this?

[clovis]

all the big hacks have been around money. stealing CC cards to buy stuff or wiring money right out of a bank account. what do i get out of hacking medical devices except a free and painful medical experience along with being forced to eat hospital food?

It's a way to get medical records.
Once you have a medical record, then you can bill medicare and insurance companies for tens of thousands of dollars through your phony company.
You need the medical record not only for the patient name, address, SS #, but also because the fraudulent billings need to be consistent with existing medical conditions.

Credit card theft is petty cash compared to the hundreds of millions of dollars fraudulent medical billing brings in.

Not surprising at all

[sjbe]

I've worked in a few hospital system. While I'm not an IT guy I'm an engineer and I often serve as a de-facto IT guy for companies. The quality of IT staff in the hospitals I've work with were for the most part deplorable. They tend to be understaffed, underfunded and underpaid and not supported well by management. It should surprise no one that they don't tend to get the best and brightest. While there are some good people, the system sets them up to fail. Quite frankly, hospitals are among the least secure and least well administered companies I've seen when it comes to IT. Their business is extremely complex and very few of the people working in it are IT focused, particularly those in positions of power. Worse a lot of the equipment uses special versions of software that either is not or (usually for regulatory reasons) cannot be updated.

Happens in all vertical market applications

[ErichTheRed]

It's not just medical devices. Anything reasonably proprietary has historically had the security by obscurity defense and that hasn't changed. Why do you think manufacturers of SCADA gear, connected sensors, etc. beg customers to put them on their own disconnected network? I've done a lot of work in this sector and see lots of this all the time --
- Currently shipping devices running old versions of Windows, Linux, etc. with no way to patch them
- Simple passwords that can't easily be changed
- Obviously hacked-on network connectivity, where the connection is running vulnerable firmware unmodified from the firmware provided in a test kit by its manufacturer (complete with default passwords)

Manufacturers of these devices have historically not cared. Look at magnetic stripe credit cards -- the system was designed in an era where a magstripe encoder was a magical tool that cost thousands of 1970s dollars. That was the only thing that kept the technology safe. Other devices rely on the fact that no one knows their proprietary firmware (or so they think.) Avionics systems were designed in an era where the Internet didn't exist for the public. My experience has been that vendors do not fix security problems even when presented with them. Medical devices might be a different story if the FDA gets serious about it.

I think that if Microsoft, Amazon, Google, etc. get their way and force everyone into the cloud, it'll take a few major hacks into things like these for people to change their security mindset.

Re:how does anyone make money off this?

[ageoffri]

I support a health care company and the hacks are often about money. Gain access to an unsecured medical device, then pivot to other internal systems with the goal to get into the billing records. Exfiltrate patient data, especially the records of minors. A minor's SSN is very valuable, because how many parents check the credit report of their kids? So a bad guy could have years to nearly 2 decades of access to a SSN that isn't monitored.