It's Way Too Easy To Hack the Hospital (bloomberg.com) 116
schwit1 sends along a lengthy piece from Bloomberg about the chaos currently surrounding medical device security: The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.
Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers. For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.
"Every day, it was like every device on the menu got crushed," Rios says. "It was all bad. Really, really bad." The teams didn't have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn't be changed, and so on.
Sooner or later, hospitals would be hacked, and patients would be hurt. He'd gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve. "Someone is going to take it to the next level. They always do," says Rios. "The second someone tries to do this, they'll be able to do it. The only barrier is the goodwill of a stranger."
Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers. For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.
"Every day, it was like every device on the menu got crushed," Rios says. "It was all bad. Really, really bad." The teams didn't have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn't be changed, and so on.
Sooner or later, hospitals would be hacked, and patients would be hurt. He'd gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve. "Someone is going to take it to the next level. They always do," says Rios. "The second someone tries to do this, they'll be able to do it. The only barrier is the goodwill of a stranger."
how does anyone make money off this? (Score:3)
Re:how does anyone make money off this? (Score:4, Insightful)
Re: (Score:1)
Good, than you have little worry that this will or can happen. The article suggests that hacking machines to cause harm is trivial. I happen to know a thing or 3 about 'oncology machines' (Radiation Therapy accelerators)...it is not that trivial to get them to do something they shouldn't be doing. Can it be done? Sure if you own the entire stream of communication you might be able to do it, but even then you have to have significant skills & in depth knowledge of the communication protocol of the machin
Therac 25 (Score:1)
Sure there's an analog kill switch, etc.
But if you read the reports of a lethal bug in the Therac 25, patients were in the treatment room being literally burned to death, yelling that they were in pain, but the operator didn't shut the machine down. Why? Because the intercom was broken.
filched medical records is bad news (Score:1)
don't forget blackmail revenge etc... ask ed snowden the value of your md chart here on /. ? for marketing health scare hypenosys,,, not much you say but it could add up to both physical & spiritual paralysis deepending on which side of the stretcher we fall under?
Re:how does anyone make money off this? (Score:4, Insightful)
all the big hacks have been around money.
You can bet money will be the impetus for industry reform in this, as well.
The operative difference is it will be to stem the outflow of it from lawsuits and increased insurance premiums.
I'll be waiting for the first hack/murder to show up on Investigative Discovery... the victim won't even need to have life insurance as incentive for the perpetrator-spouse's big payday.
not money - terror (Score:2, Insightful)
Imagine a broad attack where people in hospitals start dieing from the equipment. Add in attacks on other infrastructure and you'll have 9/11 times a thousand.
Re: (Score:2)
What? You don't remember the order of operation?
Re:how does anyone make money off this? (Score:5, Informative)
all the big hacks have been around money. stealing CC cards to buy stuff or wiring money right out of a bank account. what do i get out of hacking medical devices except a free and painful medical experience along with being forced to eat hospital food?
It's a way to get medical records.
Once you have a medical record, then you can bill medicare and insurance companies for tens of thousands of dollars through your phony company.
You need the medical record not only for the patient name, address, SS #, but also because the fraudulent billings need to be consistent with existing medical conditions.
Credit card theft is petty cash compared to the hundreds of millions of dollars fraudulent medical billing brings in.
Re:how does anyone make money off this? (Score:4, Insightful)
The Ashley Madison hacks weren't about money... it was about righteous indignation. There is every reason to believe that when a high profile person with a "differing" point of view needs to go into the hospital for something, that this very thing could happen. Plus I'm sure there is some hacker out there who believes there is street cred to be had by being the first person to commit a murder *directly* through the internet.
Re:how does anyone make money off this? (Score:4, Informative)
Re: (Score:3)
Malpractice suit? Wrongful death lawsuit? Contract killing? Free medication? Lots of opportunity for money. A junkie isn't the most likely person to hack their medication dispenser or a Pyxis, but there are people that might have a vested interest.
Re: (Score:3)
stealing CC cards
Did you visit the ATM machine and type in your PIN number?
Did you dive with a SCUBA apparatus?
Stealing credit card cards would be a strange thing to do, I'm not even sure what a card card is, is it a card made out of card stock?
For an on topic reply; perhaps the hacking will be used to blackmail the hospital. It isn't like the hospital can really fix the security issues as it is FDA approved devices, they can only be fixed by the manufacturer, and it requires all kinds of approvals to be attained on the up
Re: (Score:2)
Re: (Score:3)
Is it really so hard to imagine blackmail?
1: Gain access to hospital equipment
2: Make something fail
3: Send blackmail notice with details of what failed, threatening to start killing patients en masse unless XXX bitcoin is delivered to such and such address.
4: Profit...
the vendors don't let them do the updates on the (Score:2)
the vendors don't let them do the windows / os updates on the devices.
Re: (Score:3, Interesting)
Re: (Score:2)
So have a division of the medical device company dedicated to Q/Aing Windows updates. This is an easy problem to solve, and frankly the manufacturer should be held responsible for the inevitable malpractice lawsuits.
There is no reason that a medical device should be as much as a month out of date on updates, let alone the years and years out of date these devices get to be.
Actually, the certification requirements. (Score:2)
So have a division of the medical device company dedicated to Q/Aing Windows updates. This is an easy problem to solve, and frankly the manufacturer should be held responsible for the inevitable malpractice lawsuits.
There is no reason that a medical device should be as much as a month out of date on updates, let alone the years and years out of date these devices get to be.
In some respects I agree with you. In a perfect world all the devices would be re-certified with every patch as soon as the patch is available, updated promptly, and all the latest security safeguards in place. They would be re-certified and verified to meet all the latest security requirements, safety requirements, and efficacy requirements.
However, these are not home computers.
These are medical devices that must meet strict certification requirements that they do exactly what they say they do.
Any time
Re: (Score:3)
And this is where the anti-regulation assholes drop in and start whining about the free market and the burdens of regulation, etc etc etc.
Hint: For-profit companies don't do things out of the goodness of their hearts. Until it starts to cost them money (fines for violating the regs) they do not give a single fuck. If people start dying, they'll just
It's all about money (Score:2)
That's because the vendors are concerned the updates could break the device
No they aren't. They don't do updates because they get no money for the updates. If there was money to be made in maintaining these devices then you can be sure they would do it. Additionally if they make changes to certain devices they have to get them recertified which is a huge and expensive proposition.
Just follow the dollars and it all makes sense.
Re: (Score:2)
These devices are not generally in some server room with limited physical access.
The M&M security model sucks, sure it can mitigate things till patches can get applied but it's not a long term solution.
Vendors know the products are insecure (Score:2)
It's not just that, it's also that vendors assume that hospitals have competent IT departments and devices will be appropriately firewalled away from the rest of the network.
Vendors of these products know damn well that hospitals routinely lack competent IT departments and they know (or should know) that they will be improperly secured if they are secured at all.
Re: (Score:3)
No some vendors say there system can't be walled off and we need remote access to them / they must be able to send data to our systems. Have you read the list of ports that are doc's say must be open to us?
Re: (Score:2)
Re: (Score:2)
That isn't necessarily a reason not to do it.
Re: (Score:3)
It's worse than that. Even the machines in doctors offices are vulnerable, because they are only supposed to install HIPA approved software, and so, e.g., they run the (presumably) most recently approved version of MSWindows. Connected to the internet.
Basically there's no awareness of even a potential threat.
OTOH, they don't browse random web sites. They may not have Flash installed. (I didn't ask to check just what they had installed, it was just blatantly MSWindows...I don't even know which version.)
This is not surprising (Score:1, Insightful)
Medical equipment vendors definitely need to address this.
However, that being said, anyone that hacks medical devices should be taken out and shot. This would be a good cause for reviving capital punishment in those jurisdictions that have retired it.
Re: (Score:2)
Well buying drugs from Canada can land in jail / prison / court as the laws are written so that may not be far off.
Re: This is not surprising (Score:4, Insightful)
It continually amazes me how much so many people don't care about security, or design it in as an afterthought. I've worked on the Linux client for a MMORPG, and their entire security model was built around "TCP will protect us". No actual attempt to verify that packets coming from a client or the server were actually from who they said they were. No attempt to make sure that any fields within them were valid. And no care to actually fix the problem out of fear of "breaking things". I once had to write a zero-day exploit for a particularly egregious bug (based on popen injection) that would allow any ordinary player with a non-hacked client to execute arbitrary other code on other players machines, before they'd let me implement the very simple fix.
For many people, security is "that thing that doesn't matter unless someone is actively abusing it, and then only fix the particular thing that's being actively abused".
Even protocols which practically summon abuse down on them are often designed without any sort of security in mind. I was reading a while back about MainlineDHT, the distributed hash table networking system that enables trackerless torrents in bittorrent. You know, if there's anything out there that you'd expect parties with resources to want to hack (to monitor for copyright abusers, to disrupt the network, to return compromised information, etc) it'd be something like that, they'd be naive to think otherwise. But the protocol is so pathetically weak it practically screams, "Please, Sybil attack us, it'll only take 10 minutes for you to implement the attack!" You can turn a standard MainlineDHT implementation into a Sybil-attacking information simply by changing it to respond to all requests by claiming that you are the host that the client was requesting instead of directing them toward the requested client. The program doesn't even have to remember all the lies it told to other clients, they're trusted instantly and completely, and in fact, the clients that they lied to forward the lies to others. A program that wants to pretend to be a million nodes incurs no additional performance, hardware, or networking requirements over a normal client with just one identity, beyond the data flood that they're trying to receive or manipulate.
Sybils can be hard to entirely prevent, particularly if you want to support clients behind NAT and you don't want to involve any external "trusted" identity-verifying system. But for crying out loud you don't have to make it so easy for them, on a target that you just know people are going to want to attack.
Re:This is not surprising (Score:4, Insightful)
Which is your naive way of saying you don't think there are bad people in the world, and that you don't believe people do malicious things just for the hell of it. I have no such faith in humanity. In fact, I take it as a certainty it will happen.
So, let's ratchet this up a little.
Say, for instance, that the president of country A is known to have a heart problem. Now, say that country B has been the sworn enemy of country A ever since that crushing loss at the Quidditch World Cup in the 1800s.
Now, say that the president of country A is going in for heart surgery in a few months.
Do you really think a determined nation state might not decide that this is a great way to do an assassination? Before you say "of course not, that's silly", I remind you that Stuxnet existed to target and ruin very specific things, which means nation states already do this.
Now, take this to the level of really scary ... imagine bored script kiddies can access and muck with medical devices at will just for the lulz.
Because, really, I don't see any reason why these scenarios can't, won't, or haven't already happened.
And while it's been a fairly open secret that medical devices have terrible security for years, now it's been fairly well confirmed publicly that medical devices have utterly terrible security. Which means I think the likelihood of this has moved from "plausible" to "start planning for it".
This should be a wakeup call. It's bad enough every piece of consumer electronics and the entire IoT apparently have crap security, if any at all. But having pretty much every medical device be almost without any form of security is scary.
Re: (Score:3)
Yes, let's take, for example, the morphine pump. The CADD Prizm - the most widely used, at least in the US morphine pump. It has no network capacity, requires a proprietary cable, and must be physically accessed to make changes. Data is retrieved bi-monthly when used in the home or more frequently in a clinical setting. Anyone who has access has far more simple (and less traceable) ways to cause harm to the patient.
I don't actually know of any other brands certified for use in the US. There may be others bu
Re: (Score:2)
Do you live under a rock?
Somewhere in the last 10 years we flipped from all this crap being dorky fiction and bad movies to realizing there is no such thing as too damned paranoid. In the case of medical devices ... well, they're stuck in the stone age of computer security.
Now the most far fetched scenario (which I will freely admit mine is) has to be weighed against what we know can actually happen.
What used to be fully tin-foil-hat paranoid 10 years ago is, unfortunately, q
Re: (Score:2)
People under 30 think they are invincible; why would they ever need to go to the hospital?
In truth, the only barriers are a few systems that have double-custody protection, and that is piss-poor protection when both systems go back to the same TER. Implanted devices scare the living shit out of me though; no fail-safe, no double-custody, etc.
Re: (Score:3)
I worked in hospital IT for over a decade. Your speculation is entirely wrong.
Good idea. Nobody does that.
Separate the security from the device (Score:3)
I'm wondering how feasible it is to have separate devices handle the security.
It should be more feasible than having every device be secure? any programmer from any supplier in the entire hospital can now break the security, and everything is down the drain...
seeing how cheap small computers are now, how hard would it be to put a small secure module before each machine securing everything? I think that would be a far more feasible approach in getting a hospital secure!
Re: (Score:2)
Well, think about it ... if you want to bypass that, you unplug the device from its magic little firewall.
As has been pointed out elsewhere, these things aren't in secure rooms with physical security. They're in patient rooms.
I don't see that really working at all. That's a band-aid solution, but definitely not a solution ... especially since it is likely quite easy to defeat. Anybody with physical access simply unplugs it, and then you're right back to having zero security.
You can't just slap on a piece
Re: (Score:3)
If I put on scrubs and a headcover, I'm willing to bet there's an awful lot of places I can go in a hospital completely unchallenged.
All of what you say is nice, but at present not a single bit of it is employed in the average hospital, which basically means almost every hospital would need to start from the ground up.
If the security of everything is already non-ex
Re: (Score:2)
If the patients, medical staff, or visitor can be considered to be an attacker, then no medical device will ever be secure without physical access restrictions.
The GP's idea should only be used as nearly a last resort, but it's not worthless. This is basically how many SCADA & PLC systems are secured since the device itself has no meaningful security. They're considered to be physically secure however.
So back to the physical access problem. Will these medical devices have to be locked in secure server c
Re: (Score:2)
Well, which is the bigger problem ... solving the terrible computer security, or solving the physical access problem?
Either way, you start off with a problem so huge in scale, and so utterly lacking in proper security, that there simply is no quick fix.
Which means before anybody can make even a dent in it, there is a very real possibil
Re: (Score:2)
The problem with that approach is you raise the likelihood that you security fix has a negative interaction with the device. At that point you are treating it as blackbox. Yes you can figure out what ports it need a throw a firewall in front of it but, that won't protect you from some form of command injection.
So now you firewall has to be protocol aware. Cool is a standard protocol like HTTP or is proprietary and do you have the docs in the latter case. Lets assume its regular HTTP, can we block certain
Re: (Score:2)
Everything in a hospital or modern medical office building is on the network, from access control systems to drug dispensers to refrigerators to the crash cart to the televisions to the CCTV cameras. Much of the equipment is VLAN'd, so to fully p0wn the building you would need to break through many many systems, but the reporting and auditing features pale in comparison to what the financial industry has been doing for the past three decades.
The solutions traditionally applied are defense in depth, and sec
Wow ... (Score:2)
So they're so completely and utterly insecure we can't even tell you how badly insecure most of it is or what we could do with it.
That should be setting off big huge alarm bells for a lot of people, but nobody ever does anything until it's too late.
Vendor patching devices (Score:1)
The medical devices can't be patched without software validation taking place on the device, which means the patches are installed and the V&V teams need to test and verify that the patching does not affect the output of results for these instruments. This happens where I used to work, but not as often as it should, due to $$$. Often times because of this, there are ways to limit physical access, firewall / vlan the device and allowing only the service that is required to perform the function. Of cou
Hospital networks vulnerable (Score:2)
Hospital Security sucks (Score:2)
In the 90's, I worked for a hospital that shall remain nameless. Their billing system had a root password of "Superman", and the vendor (on whom they leaned for everything) wouldn't let them change it. They also assumed phone lines were secure (which is a joke.)
I'd imagine things are better now, but there was really a total lack of security awareness at that time.
This Must Have Already Happened (Score:1)
Re: (Score:2)
Not surprising at all (Score:5, Informative)
I've worked in a few hospital system. While I'm not an IT guy I'm an engineer and I often serve as a de-facto IT guy for companies. The quality of IT staff in the hospitals I've work with were for the most part deplorable. They tend to be understaffed, underfunded and underpaid and not supported well by management. It should surprise no one that they don't tend to get the best and brightest. While there are some good people, the system sets them up to fail. Quite frankly, hospitals are among the least secure and least well administered companies I've seen when it comes to IT. Their business is extremely complex and very few of the people working in it are IT focused, particularly those in positions of power. Worse a lot of the equipment uses special versions of software that either is not or (usually for regulatory reasons) cannot be updated.
Goodwill of the stranger (Score:2, Interesting)
What security people constantly miss is that our society is kind of founded on the goodwill of the stranger. That's also why there's little physical security at hospitals. Sure there are mentally sick people out there but it takes somebody especially incredibly sick and twisted to turn off somebody's pacemaker just for the hell of it.
I'm all for security, and there are some evil people out there, but really there are reasons why hospitals are often the least secured places anywhere you go
Why do we care? (Score:1)
Why are we holding up these devices up to some insane standards that were never a consideration until "IoT" became the buzz word of the year?
Do you know how many mission critical infrastructure systems are running completely unencrypted, non-obfuscated, clear text RS485/232? Wireless backhauls with next to zero security because who would have the kit to interface with it so why bother locking it down? (20 dollar SDR? What's an SDR?). Your local ISPs reckless abandon of cabling from the drop on the corner to
So? (Score:2)
Re: (Score:2)
What incentive would someone have to make the effort and take the risk to hack these machines?
Don't you think X-ray machine maker A would love to show how horrible X-ray machines made by company B are? They could trigger a new Therac-25 [wikipedia.org] scare by twiddling the firmware.
Re: (Score:2)
Re: (Score:2)
Kinda like all those extra deaths from VW's over-spewing Diesel engines?
Re: (Score:2)
Re: (Score:2)
The ones the gov't will claim are going to happen due to the excess emissions from VW Diesels. That'll be one of their justifications for nailing VW to a cross.
Re: (Score:2)
Its not hard to imagine an ISIS or similar group creating a worm the 'punish the infidels' or warn us against continued melding in the middle east against their interest.
Actually I am really surprised given the fact so much of or infrastructure is a soft target a group like that has not invested in doing so. They would have to pay off one sympethizer to plant a device on hospital network to phone home. Then via reverse tunnel they find some vulns in common hospital equipment. Now they write a worm using
Re: (Score:2)
Re: (Score:2)
Unless lawyers get involved.
Why would lawyers get involved? Oh right, because you're talking about straight up murdering people.
Some things shouldn't be externally accessible (Score:1)
Most medical devices should either be stand-alone or in a "closed network" such as a network that only includes patent-care devices in a single building and doctor-and nurse-accessible workstations around the building, but without any connection to any network or device that touches any outside network.
Exceptions like operating rooms used for tele-medicine/remote-operated-robo-surgery/etc. can be handled as special cases.
If you want to hack them, you'll need to use "out of band/side-channel" techniques like
Happens in all vertical market applications (Score:5, Informative)
It's not just medical devices. Anything reasonably proprietary has historically had the security by obscurity defense and that hasn't changed. Why do you think manufacturers of SCADA gear, connected sensors, etc. beg customers to put them on their own disconnected network? I've done a lot of work in this sector and see lots of this all the time --
- Currently shipping devices running old versions of Windows, Linux, etc. with no way to patch them
- Simple passwords that can't easily be changed
- Obviously hacked-on network connectivity, where the connection is running vulnerable firmware unmodified from the firmware provided in a test kit by its manufacturer (complete with default passwords)
Manufacturers of these devices have historically not cared. Look at magnetic stripe credit cards -- the system was designed in an era where a magstripe encoder was a magical tool that cost thousands of 1970s dollars. That was the only thing that kept the technology safe. Other devices rely on the fact that no one knows their proprietary firmware (or so they think.) Avionics systems were designed in an era where the Internet didn't exist for the public. My experience has been that vendors do not fix security problems even when presented with them. Medical devices might be a different story if the FDA gets serious about it.
I think that if Microsoft, Amazon, Google, etc. get their way and force everyone into the cloud, it'll take a few major hacks into things like these for people to change their security mindset.
Re:Happens in all vertical market applications (Score:5, Insightful)
It's not just medical devices. Anything reasonably proprietary has historically had the security by obscurity defense and that hasn't changed. Why do you think manufacturers of SCADA gear, connected sensors, etc. beg customers to put them on their own disconnected network?
Putting systems that could cause death or widespread mayhem on isolated networks is a good idea regardless of the security of the applications. It's one more layer an attacker has to bypass.
The problem is that doing so has become an excuse to NOT secure the applications.
If you're interested in helping.... (Score:2)
If you're interested in helping with problems like this one, check out this group: https://www.iamthecavalry.org/ [iamthecavalry.org]
They are attempting to make changes in critical infrastructure/industries (think medicial, automotive, etc) which have not had the 'benefit' of learning the lessons yet that we have learned in the web-based IT world over the last 20 years. Let's face it, we can't afford to have a slammer type incident that involves cars or hospitals to open the local Microsoft-equivalent vendor's eyes and have t
It's because no one hates hospitals (Score:2)
If you go through some effort to hack something, you are doing it for some reason.
1- You might be doing it for the lulz, in which case, you probably are taking some pains to not totally screw your victim. If you look at actual full fledged computer viruses from an era when the vector (floppy disk) and targets (DOS box) were pretty reliably similar, you'll see the majority of the viruses just screwed with you. They'd invert some text. One replaced every "Microsoft" string on your machine with "Machosoft".
BlackBerry to the rescue (Score:2)
Its not exactly what you think. (Score:1)