Slashdot Mirror


It's Way Too Easy To Hack the Hospital (bloomberg.com)

schwit1 sends along a lengthy piece from Bloomberg about the chaos currently surrounding medical device security: The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.

Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers. For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.

"Every day, it was like every device on the menu got crushed," Rios says. "It was all bad. Really, really bad." The teams didn't have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn't be changed, and so on.

Sooner or later, hospitals would be hacked, and patients would be hurt. He'd gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve. "Someone is going to take it to the next level. They always do," says Rios. "The second someone tries to do this, they'll be able to do it. The only barrier is the goodwill of a stranger."

11 of 116 comments

  1. Re:how does anyone make money off this? by amalcolm · · Score: 3, Insightful

    When I'm lying on an oncology machine about to be zapped with high-power microwaves I'd prefer not to have to worry about some wanker changing the dose (up OR down) just for kicks.

    --
    Time for bed, said Zebedee - boing
  2. Re:the vendors don't let them do the updates on th by naris · · Score: 3, Interesting

    That's because the vendors are concerned the updates could break the device. Which is a valid concern, as there have been many OS updates that have broken stuff over the years. Pretty much every OS has had this issue at one time or another, not just Windows.

  3. Re:how does anyone make money off this? by rmdingler · · Score: 3, Insightful

    all the big hacks have been around money.

    You can bet money will be the impetus for industry reform in this, as well.

    The operative difference is it will be to stem the outflow of it from lawsuits and increased insurance premiums.

    I'll be waiting for the first hack/murder to show up on Investigative Discovery... the victim won't even need to have life insurance as incentive for the perpetrator-spouse's big payday.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  4. Re:how does anyone make money off this? by clovis · · Score: 4, Informative

    all the big hacks have been around money. stealing CC cards to buy stuff or wiring money right out of a bank account. what do i get out of hacking medical devices except a free and painful medical experience along with being forced to eat hospital food?

    It's a way to get medical records.
    Once you have a medical record, then you can bill medicare and insurance companies for tens of thousands of dollars through your phony company.
    You need the medical record not only for the patient name, address, SS #, but also because the fraudulent billings need to be consistent with existing medical conditions.

    Credit card theft is petty cash compared to the hundreds of millions of dollars fraudulent medical billing brings in.

  5. Not surprising at all by sjbe · · Score: 4, Informative

    I've worked in a few hospital systems. While I'm not an IT guy, I'm an engineer and I often serve as a de-facto IT guy for companies. The quality of IT staff in the hospitals I've worked with was for the most part deplorable. They tend to be understaffed, underfunded and underpaid and not supported well by management. It should surprise no one that they don't tend to get the best and brightest. While there are some good people, the system sets them up to fail. Quite frankly, hospitals are among the least secure and least well administered companies I've seen when it comes to IT. Their business is extremely complex and very few of the people working in it are IT focused, particularly those in positions of power. Worse, a lot of the equipment uses special versions of software that either is not or (usually for regulatory reasons) cannot be updated.

  6. Re:This is not surprising by gstoddart · · Score: 3, Insightful

    However, that being said, anyone that hacks medical devices should be taken out and shot

    Which is your naive way of saying you don't think there are bad people in the world, and that you don't believe people do malicious things just for the hell of it. I have no such faith in humanity. In fact, I take it as a certainty it will happen.

    So, let's ratchet this up a little.

    Say, for instance, that the president of country A is known to have a heart problem. Now, say that country B has been the sworn enemy of country A ever since that crushing loss at the Quidditch World Cup in the 1800s.

    Now, say that the president of country A is going in for heart surgery in a few months.

    Do you really think a determined nation state might not decide that this is a great way to do an assassination? Before you say "of course not, that's silly", I remind you that Stuxnet existed to target and ruin very specific things, which means nation states already do this.

    Now, take this to the level of really scary ... imagine bored script kiddies can access and muck with medical devices at will just for the lulz.

    Because, really, I don't see any reason why these scenarios can't, won't, or haven't already happened.

    And while it's been a fairly open secret that medical devices have terrible security for years, now it's been fairly well confirmed publicly that medical devices have utterly terrible security. Which means I think the likelihood of this has moved from "plausible" to "start planning for it".

    This should be a wakeup call. It's bad enough every piece of consumer electronics and the entire IoT apparently have crap security, if any at all. But having pretty much every medical device be almost without any form of security is scary.

    --
    Lost at C:>. Found at C.
  7. Re: This is not surprising by Rei · · Score: 3, Insightful

    It continually amazes me how much so many people don't care about security, or design it in as an afterthought. I've worked on the Linux client for an MMORPG, and their entire security model was built around "TCP will protect us". No actual attempt to verify that packets coming from a client or the server were actually from who they said they were. No attempt to make sure that any fields within them were valid. And no care to actually fix the problem out of fear of "breaking things". I once had to write a zero-day exploit for a particularly egregious bug (based on popen injection) that would allow any ordinary player with a non-hacked client to execute arbitrary other code on other players' machines, before they'd let me implement the very simple fix.

    For many people, security is "that thing that doesn't matter unless someone is actively abusing it, and then only fix the particular thing that's being actively abused".

    Even protocols which practically summon abuse down on them are often designed without any sort of security in mind. I was reading a while back about MainlineDHT, the distributed hash table networking system that enables trackerless torrents in BitTorrent. You know, if there's anything out there that you'd expect parties with resources to want to hack (to monitor for copyright abusers, to disrupt the network, to return compromised information, etc.) it'd be something like that; they'd be naive to think otherwise. But the protocol is so pathetically weak it practically screams, "Please, Sybil attack us, it'll only take 10 minutes for you to implement the attack!" You can turn a standard MainlineDHT implementation into a Sybil-attacking implementation simply by changing it to respond to all requests by claiming that you are the host that the client was requesting instead of directing them toward the requested client. The program doesn't even have to remember all the lies it told to other clients; they're trusted instantly and completely, and in fact, the clients that they lied to forward the lies to others. A program that wants to pretend to be a million nodes incurs no additional performance, hardware, or networking requirements over a normal client with just one identity, beyond the data flood that they're trying to receive or manipulate.

    Sybils can be hard to entirely prevent, particularly if you want to support clients behind NAT and you don't want to involve any external "trusted" identity-verifying system. But for crying out loud you don't have to make it so easy for them, on a target that you just know people are going to want to attack.

    --
    Hello from Sputnik 2. I am receiving you.
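
The stateless Sybil trick Rei describes, as an added example that is not part of the original comment and is not Mainline DHT code: a toy Kademlia-style iterative lookup in Python, where a single attacker node answers every find_node with "the node you want is me" and keeps no state, next to the same lookup with a check that a contact's claimed id must be the one its address is entitled to (the idea behind the BitTorrent DHT security extension, BEP 42, simplified here to a plain hash of the address). The 10.0.0.x and 192.0.2.66 addresses, the target id and the peer graph are all constructed.

```python
"""Toy Kademlia-style DHT: a stateless Sybil node poisons an unchecked lookup,
and an id-to-address binding check stops it.  Added example, not MainlineDHT
code.  Every address, id and link below is constructed for the demo."""
from __future__ import annotations

import hashlib
import random
from dataclasses import dataclass

K = 8                      # contacts returned per find_node reply (Kademlia's k)
N_HONEST = 50
SYBIL_ADDR = "192.0.2.66"  # constructed attacker address (RFC 5737 test range)
START_ADDR = "10.0.0.0"
TARGET = int.from_bytes(hashlib.sha1(b"constructed infohash").digest(), "big")


def addr_to_id(addr: str) -> int:
    """Honest nodes derive their 160-bit id from their address (BEP 42 idea, simplified)."""
    return int.from_bytes(hashlib.sha1(addr.encode()).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    return a ^ b


@dataclass(frozen=True)
class Contact:
    """What a find_node reply carries: an address and the id the reply *claims* lives there."""
    addr: str
    claimed_id: int


class Node:
    def __init__(self, addr: str):
        self.addr = addr
        self.id = addr_to_id(addr)
        self.routing: dict[str, int] = {}   # addr -> id we believe lives there

    def find_node(self, target: int) -> list[Contact]:
        closest = sorted(self.routing.items(), key=lambda kv: xor_distance(kv[1], target))[:K]
        return [Contact(a, i) for a, i in closest]


class SybilNode(Node):
    """Stateless liar: whatever is asked for, 'that node is me'.  Remembers nothing."""
    def find_node(self, target: int) -> list[Contact]:
        return [Contact(self.addr, target)]


def build_network(seed: int = 7) -> dict[str, Node]:
    """Constructed overlay: a ring (keeps the graph connected) plus random links,
    and every honest node has the attacker in its table once, under its real id."""
    rng = random.Random(seed)
    addrs = [f"10.0.0.{i}" for i in range(N_HONEST)]
    net: dict[str, Node] = {a: Node(a) for a in addrs}
    net[SYBIL_ADDR] = SybilNode(SYBIL_ADDR)
    for i, a in enumerate(addrs):
        ring_next = addrs[(i + 1) % N_HONEST]
        net[a].routing[ring_next] = addr_to_id(ring_next)
        for peer in rng.sample(addrs, 6):
            if peer != a:
                net[a].routing[peer] = addr_to_id(peer)
        net[a].routing[SYBIL_ADDR] = net[SYBIL_ADDR].id
    return net


def id_bound_to_addr(c: Contact) -> bool:
    """Accept a contact only if the claimed id is the one its address is entitled to."""
    return c.claimed_id == addr_to_id(c.addr)


def lookup(net: dict[str, Node], start_addr: str, target: int, verify=None) -> Contact:
    """Iterative lookup.  Without `verify`, a closer-sounding claim simply replaces
    what we knew about that address.  Everything accepted is written back into the
    querying node's table, which is how a lie reaches the next node that asks us."""
    start = net[start_addr]
    candidates = {c.addr: c for c in start.find_node(target)}
    queried = {start_addr}
    while True:
        pending = [c for c in sorted(candidates.values(),
                                     key=lambda c: xor_distance(c.claimed_id, target))
                   if c.addr not in queried][:3]        # alpha = 3 parallel queries
        if not pending:
            break
        for c in pending:
            queried.add(c.addr)
            for reply in net[c.addr].find_node(target):
                if reply.addr == start_addr:
                    continue
                if verify is not None and not verify(reply):
                    continue                              # drop the claim, keep looking
                known = candidates.get(reply.addr)
                if known is None or xor_distance(reply.claimed_id, target) < xor_distance(known.claimed_id, target):
                    candidates[reply.addr] = reply        # trusted instantly and completely
    for c in candidates.values():
        start.routing[c.addr] = c.claimed_id              # ...and forwarded to others
    return min(candidates.values(), key=lambda c: xor_distance(c.claimed_id, target))


def true_closest(net: dict[str, Node], target: int) -> int:
    """The id genuinely closest to target: every node gets exactly one, the attacker included."""
    return min(net.values(), key=lambda n: xor_distance(n.id, target)).id


if __name__ == "__main__":
    net = build_network()
    got = lookup(net, START_ADDR, TARGET)
    print("unchecked lookup ended at", got.addr, "claimed distance", xor_distance(got.claimed_id, TARGET))
    print("start node now repeats the lie:", net[START_ADDR].routing[SYBIL_ADDR] == TARGET)
    net = build_network()
    got = lookup(net, START_ADDR, TARGET, verify=id_bound_to_addr)
    print("checked lookup ended at", got.addr, "correct:", got.claimed_id == true_closest(net, TARGET))
```

Run as a script it prints the two outcomes: the unchecked lookup ends at the attacker with claimed distance zero and the querying node's own routing table now carries the lie, while the checked lookup lands on the genuinely closest id. Pinging a contact and comparing the id it answers with would also catch this particular liar, but only because it keeps no state; an attacker that remembers what it told each asker passes that test for free. Binding the id to the address caps the attacker at one identity per address, so the cost of a million identities becomes a million addresses rather than a one-line code change, which is the cost the comment complains is missing.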
  8. Re:how does anyone make money off this? by Lab+Rat+Jason · · Score: 3, Insightful

    The Ashley Madison hacks weren't about money... it was about righteous indignation. There is every reason to believe that when a high profile person with a "differing" point of view needs to go into the hospital for something, that this very thing could happen. Plus I'm sure there is some hacker out there who believes there is street cred to be had by being the first person to commit a murder *directly* through the internet.

    --
    Which has more power: the hammer, or the anvil?
  9. Happens in all vertical market applications by ErichTheRed · · Score: 4, Informative

    It's not just medical devices. Anything reasonably proprietary has historically had the security by obscurity defense and that hasn't changed. Why do you think manufacturers of SCADA gear, connected sensors, etc. beg customers to put them on their own disconnected network? I've done a lot of work in this sector and see lots of this all the time --
    - Currently shipping devices running old versions of Windows, Linux, etc. with no way to patch them
    - Simple passwords that can't easily be changed
    - Obviously hacked-on network connectivity, where the connection is running vulnerable firmware unmodified from the firmware provided in a test kit by its manufacturer (complete with default passwords)

    Manufacturers of these devices have historically not cared. Look at magnetic stripe credit cards -- the system was designed in an era where a magstripe encoder was a magical tool that cost thousands of 1970s dollars. That was the only thing that kept the technology safe. Other devices rely on the fact that no one knows their proprietary firmware (or so they think.) Avionics systems were designed in an era where the Internet didn't exist for the public. My experience has been that vendors do not fix security problems even when presented with them. Medical devices might be a different story if the FDA gets serious about it.

    I think that if Microsoft, Amazon, Google, etc. get their way and force everyone into the cloud, it'll take a few major hacks into things like these for people to change their security mindset.

    1. Re:Happens in all vertical market applications by eth1 · · Score: 4, Insightful

      It's not just medical devices. Anything reasonably proprietary has historically had the security by obscurity defense and that hasn't changed. Why do you think manufacturers of SCADA gear, connected sensors, etc. beg customers to put them on their own disconnected network?

      Putting systems that could cause death or widespread mayhem on isolated networks is a good idea regardless of the security of the applications. It's one more layer an attacker has to bypass.

      The problem is that doing so has become an excuse to NOT secure the applications.

  10. Re:how does anyone make money off this? by ageoffri · · Score: 3, Informative

    I support a health care company and the hacks are often about money. Gain access to an unsecured medical device, then pivot to other internal systems with the goal to get into the billing records. Exfiltrate patient data, especially the records of minors. A minor's SSN is very valuable, because how many parents check the credit report of their kids? So a bad guy could have years to nearly 2 decades of access to a SSN that isn't monitored.

    --
    -- Slashdot, making the Left look conservative since 1997.