It's Way Too Easy To Hack the Hospital (bloomberg.com)
schwit1 sends along a lengthy piece from Bloomberg about the chaos currently surrounding medical device security: The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.
Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers. For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.
"Every day, it was like every device on the menu got crushed," Rios says. "It was all bad. Really, really bad." The teams didn't have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn't be changed, and so on.
Sooner or later, hospitals would be hacked, and patients would be hurt. He'd gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve. "Someone is going to take it to the next level. They always do," says Rios. "The second someone tries to do this, they'll be able to do it. The only barrier is the goodwill of a stranger."
All the big hacks have been around money. Stealing CC cards to buy stuff or wiring money right out of a bank account. What do I get out of hacking medical devices except a free and painful medical experience along with being forced to eat hospital food?
The vendors don't let them do the Windows / OS updates on the devices.
That's because the vendors are concerned the updates could break the device. Which is a valid concern as there have been many OS updates that have broken stuff over the years. Pretty much every OS has had this issue at one time or another, not just Windows.
Medical equipment vendors definitely need to address this.
However, that being said, anyone that hacks medical devices should be taken out and shot. This would be a good cause for reviving capital punishment in those jurisdictions that have retired it.
Don't forget blackmail, revenge, etc... Ask Ed Snowden the value of your MD chart here on /.? For marketing health scare hypnosis... not much, you say, but it could add up to both physical & spiritual paralysis depending on which side of the stretcher we fall under?
These devices are not generally in some server room with limited physical access.
The M&M security model sucks, sure it can mitigate things till patches can get applied but it's not a long term solution.
No sir, I don't like it.
I'm wondering how feasible it is to have separate devices handle the security.
It should be more feasible than having every device be secure? Any programmer from any supplier in the entire hospital can now break the security, and everything is down the drain...
Seeing how cheap small computers are now, how hard would it be to put a small secure module before each machine securing everything? I think that would be a far more feasible approach in getting a hospital secure!
So they're so completely and utterly insecure we can't even tell you how badly insecure most of it is or what we could do with it.
That should be setting off big huge alarm bells for a lot of people, but nobody ever does anything until it's too late.
Lost at C:>. Found at C.
Imagine a broad attack where people in hospitals start dying from the equipment. Add in attacks on other infrastructure and you'll have 9/11 times a thousand.
The medical devices can't be patched without software validation taking place on the device, which means the patches are installed and the V&V teams need to test and verify that the patching does not affect the output of results for these instruments. This happens where I used to work, but not as often as it should, due to $$$. Often times because of this, there are ways to limit physical access, firewall / VLAN the device and allow only the service that is required to perform the function. Of course when that service becomes vulnerable, all bets are off.
Large concerning point and I can agree with the poster is that most hospitals have security plans and they do vendor assessments, but the vendors are allowed to (Through convincing arguments and due to financial reasons) have their vulnerable equipment on the hospital network in a segmented fashion. I have of course visited a few places where they have a /16 and that is just scary!!
In my experience, the hospital networks are also extremely vulnerable. IT at hospitals is focused on making sure interactions with insurance go smoothly, the doctors are happy and the next remodel. They have added guest networks to appease their clientele without one thought to security. The result being you can see anything from anywhere, so not only are hospitals full of vulnerable equipment, they are full of vulnerable easily accessed equipment.
In the 90's, I worked for a hospital that shall remain nameless. Their billing system had a root password of "Superman", and the vendor (on whom they leaned for everything) wouldn't let them change it. They also assumed phone lines were secure (which is a joke.)
I'd imagine things are better now, but there was really a total lack of security awareness at that time.
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
I doubt that the goodwill of strangers has been enough to keep people from hacking these devices, and I doubt that those lacking that goodwill haven't yet thought to hack hospitals, especially if someone of note was known to stay at a hospital for whatever reason. Probably the only reason nobody has heard of anything really bad happening as a result of hacking is that actual patient interaction (for drug administration, monitoring, etc.) still requires physical presence of medical staff. Once that changes, though -- for example, once doctors can review status and order changes via their smartphones without relying on intermediate nurses and such -- shit will hit the fan pretty quickly. When that happens, I wonder who will be left holding the bag. The hospital? Device maker? Doctor? Patient?
We will never be the change to the weather and the sea
The chattering classes were all "ooohhh portable electronic records" and this and that about the transformative impact of technology without any appreciation for the absolute, non-negotiable need for a security first posture. Of all private sector systems, hospitals are the closest (with a few other industries like utilities) to the use case for a classified government network on security.
This won't be fixed until the federal government and states get together and task the DNI with drafting guidelines derived from how they regulate Top Secret networks to be used by the medical industry. If left to the industry or DHHS, this won't get done until some hospital gets hacked and dozens of patients are murdered by some piece of shit in China, Russia or the Middle East.
I've worked in a few hospital systems. While I'm not an IT guy I'm an engineer and I often serve as a de-facto IT guy for companies. The quality of IT staff in the hospitals I've worked with was for the most part deplorable. They tend to be understaffed, underfunded and underpaid and not supported well by management. It should surprise no one that they don't tend to get the best and brightest. While there are some good people, the system sets them up to fail. Quite frankly, hospitals are among the least secure and least well administered companies I've seen when it comes to IT. Their business is extremely complex and very few of the people working in it are IT focused, particularly those in positions of power. Worse, a lot of the equipment uses special versions of software that either is not or (usually for regulatory reasons) cannot be updated.
What security people constantly miss is that our society is kind of founded on the goodwill of the stranger. That's also why there's little physical security at hospitals. Sure there are mentally sick people out there but it takes somebody especially incredibly sick and twisted to turn off somebody's pacemaker just for the hell of it.
I'm all for security, and there are some evil people out there, but really there are reasons why hospitals are often the least secured places anywhere you go
It's not just that, it's also that vendors assume that hospitals have competent IT departments and devices will be appropriately firewalled away from the rest of the network.
Vendors of these products know damn well that hospitals routinely lack competent IT departments and they know (or should know) that they will be improperly secured if they are secured at all.
Why are we holding these devices up to some insane standards that were never a consideration until "IoT" became the buzz word of the year?
Do you know how many mission critical infrastructure systems are running completely unencrypted, non-obfuscated, clear text RS485/232? Wireless backhauls with next to zero security because who would have the kit to interface with it so why bother locking it down? (20 dollar SDR? What's an SDR?). Your local ISP's reckless abandon of cabling from the drop on the corner to your CPE.
But please let's all stop the presses and talk about how unbelievable it is that I can reset a pacemaker with just a smart phone. (instead of a microwave oven which always worked.) Do I care if the particle accelerator is on the hospital's intranet with admin:admin? Only as much as I care about a random person throwing a road flare at a gas station as they drive by. Only as much as I care about someone with a bic pen or bump-key getting in the subdivision's phone exchange to listen to phone calls/reroute calls/disable service entirely and start a door to door rape party.
Is it a serious security concern that every major auto manufacturer was shipping vehicles with all the same, standard bolts and fasteners? ANYONE with a toolbox could alter your car or disable your brakes!
And yet I'm not actually worried about going to the hospital and getting irradiated to death from a hacked x-ray machine. What incentive would someone have to make the effort and take the risk to hack these machines? The actual likely fallout from such a thing might be some invalid test results, and maybe even one or two direct deaths from an exploding MRI. The best scenario I can think of would be a foreign nation just wanting to do general economic damage to a country, but targeting a hospital would put them in violation of so many international treaties that they would be far more likely to damage their own economies after being sanctioned. Frankly I'd be far more worried about US gunships killing me at the hospital than hacked devices.
No, some vendors say their system can't be walled off and we need remote access to them / they must be able to send data to our systems. Have you read the list of ports that their docs say must be open to us?
Most medical devices should either be stand-alone or in a "closed network" such as a network that only includes patient-care devices in a single building and doctor- and nurse-accessible workstations around the building, but without any connection to any network or device that touches any outside network.
Exceptions like operating rooms used for tele-medicine/remote-operated-robo-surgery/etc. can be handled as special cases.
If you want to hack them, you'll need to use "out of band/side-channel" techniques like compromising the employees who have access to them or listening in on (and interpreting) the nearly-inevitable RF signals that the equipment puts on nearby wires or on the air, watching for vibrations on windows or pointing a camera to the room windows to see or "hear" the alarms or status lights as they go off, etc. Except for the "compromising the employees" bit or gaining physical access yourself, it's very hard to force a non-networked device to do your bidding except in a very rough way, such as by cutting off the power supply or triggering some condition that puts the device in a fail-safe mode.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Unless lawyers get involved.
Why would lawyers get involved? Oh right, because you're talking about straight up murdering people.
I worked in hospital IT for over a decade. Your speculation is entirely wrong.
Good idea. Nobody does that.
It's not just medical devices. Anything reasonably proprietary has historically had the security by obscurity defense and that hasn't changed. Why do you think manufacturers of SCADA gear, connected sensors, etc. beg customers to put them on their own disconnected network? I've done a lot of work in this sector and see lots of this all the time --
- Currently shipping devices running old versions of Windows, Linux, etc. with no way to patch them
- Simple passwords that can't easily be changed
- Obviously hacked-on network connectivity, where the connection is running vulnerable firmware unmodified from the firmware provided in a test kit by its manufacturer (complete with default passwords)
Manufacturers of these devices have historically not cared. Look at magnetic stripe credit cards -- the system was designed in an era where a magstripe encoder was a magical tool that cost thousands of 1970s dollars. That was the only thing that kept the technology safe. Other devices rely on the fact that no one knows their proprietary firmware (or so they think.) Avionics systems were designed in an era where the Internet didn't exist for the public. My experience has been that vendors do not fix security problems even when presented with them. Medical devices might be a different story if the FDA gets serious about it.
I think that if Microsoft, Amazon, Google, etc. get their way and force everyone into the cloud, it'll take a few major hacks into things like these for people to change their security mindset.
Right, that would require re-validation, which is time consuming and expensive.
If you're interested in helping with problems like this one, check out this group: https://www.iamthecavalry.org/
They are attempting to make changes in critical infrastructure/industries (think medical, automotive, etc) which have not had the 'benefit' of learning the lessons yet that we have learned in the web-based IT world over the last 20 years. Let's face it, we can't afford to have a slammer type incident that involves cars or hospitals to open the local Microsoft-equivalent vendor's eyes and have them find religion around security. Some people literally can't survive that.
It's not glamorous, but it's important work.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
If you go through some effort to hack something, you are doing it for some reason.
1- You might be doing it for the lulz, in which case, you probably are taking some pains to not totally screw your victim. If you look at actual full fledged computer viruses from an era when the vector (floppy disk) and targets (DOS box) were pretty reliably similar, you'll see the majority of the viruses just screwed with you. They'd invert some text. One replaced every "Microsoft" string on your machine with "Machosoft". While there were ruinous ones, they weren't ludicrously common, and that brings us to...
2- You might be doing it to "teach them a lesson". Some people do think like this, and their goal is not entirely malicious, their sadism masked by some sense of superiority and purpose.
3- You could want to further an agenda- in the modern day, a group like Anonymous will seek out targets that they feel further their message, and, by their standards, improve the world- hacktivism.
4- You might just be doing it to learn more about it- for instance, you might want to gain access to a remote machine just to see what it looks like. This is extremely common.
5- You could gain financially.
6- Finally, you could want to just hurt people maliciously.
If you are (1), (2) or (4) you don't want to mess with medical machines because a screw up might hurt or kill someone, while you don't have anywhere near the sympathy for crashing a server or desktop. The server crash occupies IT for a few hours, the desktop crash has damage limited to one person, who may be occupied for several hours or have lost something of value (if no backups).
If you are in (3), you don't further an agenda by fucking with sick people.
If you are in (5), you don't gain anything that couldn't be obtained safer elsewhere.
This leaves (6)- purely malicious motivation- and it is frankly not common in people, and generally even rarer in hackers. There are generally much easier ways to hurt people, after all, and people wired this wrong are just so scarce.
And that's how we end up with a world where medical devices are stupendously insecure- black hat hackers don't fuck with hospitals, so the hospitals, like almost every other business, don't see a problem worth paying to fix.
It's definitely good that this event is calling attention to the fact. It gets reported on pages like slashdot reasonably often, but it doesn't seem to have really gotten to the mainstream yet as something that should be fixed.
People under 30 think they are invincible; why would they ever need to go to the hospital?
In truth, the only barriers are a few systems that have double-custody protection, and that is piss-poor protection when both systems go back to the same TER. Implanted devices scare the living shit out of me though; no fail-safe, no double-custody, etc.
So have a division of the medical device company dedicated to Q/Aing Windows updates. This is an easy problem to solve, and frankly the manufacturer should be held responsible for the inevitable malpractice lawsuits.
There is no reason that a medical device should be as much as a month out of date on updates, let alone the years and years out of date these devices get to be.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Sure there's an analog kill switch, etc.
But if you read the reports of a lethal bug in the Therac 25, patients were in the treatment room being literally burned to death, yelling that they were in pain, but the operator didn't shut the machine down. Why? Because the intercom was broken.
Everyone is so focused on BlackBerry's supposed death spiral due to their loss of market share in the mobile phone arena they forget that BlackBerry isn't a phone company. BlackBerry is a secure mobile communications company. To that end they supply the most stable and secure OS in the medical industry (QNX) and are working with NantHealth to supply an end-2-end secure medical communications system. My first real job in electronics was working for a pacemaker OEM. The device we used to program pacemakers back then was literally a wound coil sending unsecured pulse waves to the device. It's why patients couldn't get near microwaves because a stray pulse from the microwave could wipe the entire program on a pacemaker. NantHealth's system is both robust and secure from the hospital to the medicine cabinet at home.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
So have a division of the medical device company dedicated to Q/Aing Windows updates. This is an easy problem to solve, and frankly the manufacturer should be held responsible for the inevitable malpractice lawsuits.
There is no reason that a medical device should be as much as a month out of date on updates, let alone the years and years out of date these devices get to be.
In some respects I agree with you. In a perfect world all the devices would be re-certified with every patch as soon as the patch is available, updated promptly, and all the latest security safeguards in place. They would be re-certified and verified to meet all the latest security requirements, safety requirements, and efficacy requirements.
However, these are not home computers.
These are medical devices that must meet strict certification requirements that they do exactly what they say they do.
Any time the device changes or the software is updated, it must be re-certified. Getting a full PMA (Pre-Market Approval) certification is both expensive and time consuming; the current fee is $261,388. The wait is normally anywhere from 3 to 6 months for certification. If the product fails for any reason, it means fixing it and paying re-submission fees.
When "install the latest Windows update" comes with a $261,388 fee to re-certify, any business is going to reject that idea unless they are required to do it.
//TODO: Think of witty sig statement
That isn't necessarily a reason not to do it.
Never underestimate the power of stupid people in large groups.
That's because the vendors are concerned the updates could break the device
No they aren't. They don't do updates because they get no money for the updates. If there was money to be made in maintaining these devices then you can be sure they would do it. Additionally if they make changes to certain devices they have to get them recertified which is a huge and expensive proposition.
Just follow the dollars and it all makes sense.
It's worse than that. Even the machines in doctors' offices are vulnerable, because they are only supposed to install HIPAA approved software, and so, e.g., they run the (presumably) most recently approved version of MSWindows. Connected to the internet.
Basically there's no awareness of even a potential threat.
OTOH, they don't browse random web sites. They may not have Flash installed. (I didn't ask to check just what they had installed, it was just blatantly MSWindows...I don't even know which version.) So they probably avoid attack by lurkers.
I suppose the first estimate of vulnerability would be "How many doctors' offices were running botnet software?", but I don't know how frequent it is. A simple Google search shows that it happens.
I think we've pushed this "anyone can grow up to be president" thing too far.
Caveat, Most everything said above is true, but... I work in hospital IT, we don't go near anything like these devices. They are FDA approved - If a WD HDD goes out in a device I can't even replace it with the same model from CDW, the replacement has to come from the vendor with an FDA sticker on it. The "Sticker Price" is usually about $500... We have a BioMed department that handles all that and I work with them often. Very few devices are network connected, most all are stand-alone. Most all devices that are connected to the network are "send only," they push reports to a server. They have a very specific and limited interface to change settings and you have to be touching it to get into it. BioMed does things like adjust/calibrate but on most devices that is only available via direct serial connection... I am sure security needs significant changes but you really need physical access to most everything.