Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Security Medicine

It's Way Too Easy To Hack the Hospital (bloomberg.com) 116

schwit1 sends along a lengthy piece from Bloomberg about the chaos currently surrounding medical device security: The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.

Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers. For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.

"Every day, it was like every device on the menu got crushed," Rios says. "It was all bad. Really, really bad." The teams didn't have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn't be changed, and so on.

Sooner or later, hospitals would be hacked, and patients would be hurt. He'd gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve. "Someone is going to take it to the next level. They always do," says Rios. "The second someone tries to do this, they'll be able to do it. The only barrier is the goodwill of a stranger."

This discussion has been archived. No new comments can be posted.

It's Way Too Easy To Hack the Hospital

Comments Filter:
  • by known_coward_69 ( 4151743 ) on Friday November 13, 2015 @10:05AM (#50921273)
    all the big hacks have been around money. stealing CC cards to buy stuff or wiring money right out of a bank account. what do i get out of hacking medical devices except a free and painful medical experience along with being forced to eat hospital food?
    • by amalcolm ( 1838434 ) on Friday November 13, 2015 @10:11AM (#50921319)
      When I'm lying on an oncology machine about to be zapped with high-power microwaves I'd prefer not to have to worry about some wanker changing the dose (up OR down) just for kicks.
      • by Anonymous Coward

        Good, than you have little worry that this will or can happen. The article suggests that hacking machines to cause harm is trivial. I happen to know a thing or 3 about 'oncology machines' (Radiation Therapy accelerators)...it is not that trivial to get them to do something they shouldn't be doing. Can it be done? Sure if you own the entire stream of communication you might be able to do it, but even then you have to have significant skills & in depth knowledge of the communication protocol of the machin

        • by Anonymous Coward

          Sure there's an analog kill switch, etc.

          But if you read the reports of a lethal bug in the Therac 25, patients were in the treatment room being literally burned to death, yelling that they were in pain, but the operator didn't shut the machine down. Why? Because the intercom was broken.

    • by Anonymous Coward

      don't forget blackmail revenge etc... ask ed snowden the value of your md chart here on /. ? for marketing health scare hypenosys,,, not much you say but it could add up to both physical & spiritual paralysis deepending on which side of the stretcher we fall under?

    • by rmdingler ( 1955220 ) on Friday November 13, 2015 @10:27AM (#50921457) Journal

      all the big hacks have been around money.

      You can bet money will be the impetus for industry reform in this, as well.

      The operative difference is it will be to stem the outflow of it from lawsuits and increased insurance premiums.

      I'll be waiting for the first hack/murder to show up on Investigative Discovery... the victim won't even need to have life insurance as incentive for the perpetrator-spouse's big payday.

    • not money - terror (Score:2, Insightful)

      by Anonymous Coward

      Imagine a broad attack where people in hospitals start dieing from the equipment. Add in attacks on other infrastructure and you'll have 9/11 times a thousand.

    • by clovis ( 4684 ) on Friday November 13, 2015 @10:41AM (#50921587)

      all the big hacks have been around money. stealing CC cards to buy stuff or wiring money right out of a bank account. what do i get out of hacking medical devices except a free and painful medical experience along with being forced to eat hospital food?

      It's a way to get medical records.
      Once you have a medical record, then you can bill medicare and insurance companies for tens of thousands of dollars through your phony company.
      You need the medical record not only for the patient name, address, SS #, but also because the fraudulent billings need to be consistent with existing medical conditions.

      Credit card theft is petty cash compared to the hundreds of millions of dollars fraudulent medical billing brings in.

    • by Lab Rat Jason ( 2495638 ) on Friday November 13, 2015 @11:08AM (#50921823)

      The Ashley Madison hacks weren't about money... it was about righteous indignation. There is every reason to believe that when a high profile person with a "differing" point of view needs to go into the hospital for something, that this very thing could happen. Plus I'm sure there is some hacker out there who believes there is street cred to be had by being the first person to commit a murder *directly* through the internet.

    • by ageoffri ( 723674 ) on Friday November 13, 2015 @11:51AM (#50922251)
      I support a health care company and the hacks are often about money. Gain access to an unsecured medical device, then pivot to other internal systems with the goal to get into the billing records. Exfiltrate patient data, especially the records of minors. A minor's SSN is very valuable, because how many parents check the credit report of their kids? So a bad guy could have years to nearly 2 decades of access to a SSN that isn't monitored.
    • Malpractice suit? Wrongful death lawsuit? Contract killing? Free medication? Lots of opportunity for money. A junkie isn't the most likely person to hack their medication dispenser or a Pyxis, but there are people that might have a vested interest.

    • stealing CC cards

      Did you visit the ATM machine and type in your PIN number?

      Did you dive with a SCUBA apparatus?

      Stealing credit card cards would be a strange thing to do, I'm not even sure what a card card is, is it a card made out of card stock?

      For an on topic reply; perhaps the hacking will be used to blackmail the hospital. It isn't like the hospital can really fix the security issues as it is FDA approved devices, they can only be fixed by the manufacturer, and it requires all kinds of approvals to be attained on the up

    • I'll bet there are ways to gain access to all sorts of fun and expensive drugs on the hospital's dime if you get into whatever they use for inventory/procurement.
    • Is it really so hard to imagine blackmail?

      1: Gain access to hospital equipment
      2: Make something fail
      3: Send blackmail notice with details of what failed, threatening to start killing patients en masse unless XXX bitcoin is delivered to such and such address.
      4: Profit...

  • the vendors don't let them do the windows / os updates on the devices.

    • Re: (Score:3, Interesting)

      by naris ( 830549 )
      That's because the vendors are concerned the updates could break the device. Which is a valid concern as there have been many OS updates that have broke stuff over the years. Pretty much ever OS has had this issue at one time or another, not just Windows.
      • So have a division of the medical device company dedicated to Q/Aing Windows updates. This is an easy problem to solve, and frankly the manufacturer should be held responsible for the inevitable malpractice lawsuits.

        There is no reason that a medical device should be as much as a month out of date on updates, let alone the years and years out of date these devices get to be.

        • So have a division of the medical device company dedicated to Q/Aing Windows updates. This is an easy problem to solve, and frankly the manufacturer should be held responsible for the inevitable malpractice lawsuits.

          There is no reason that a medical device should be as much as a month out of date on updates, let alone the years and years out of date these devices get to be.

          In some respects I agree with you. In a perfect world all the devices would be re-certified with every patch as soon as the patch is available, updated promptly, and all the latest security safeguards in place. They would be re-certified and verified to meet all the latest security requirements, safety requirements, and efficacy requirements.

          However, these are not home computers.

          These are medical devices that must meet strict certification requirements that they do exactly what they say they do.

          Any time

          • by BVis ( 267028 )

            When "install the latest Windows update" comes with a $261,388 fee to re-certify, any business is going to reject that idea unless they are required to do it.

            And this is where the anti-regulation assholes drop in and start whining about the free market and the burdens of regulation, etc etc etc.

            Hint: For-profit companies don't do things out of the goodness of their hearts. Until it starts to cost them money (fines for violating the regs) they do not give a single fuck. If people start dying, they'll just

      • That's because the vendors are concerned the updates could break the device

        No they aren't. They don't do updates because they get no money for the updates. If there was money to be made in maintaining these devices then you can be sure they would do it. Additionally if they make changes to certain devices they have to get them recertified which is a huge and expensive proposition.

        Just follow the dollars and it all makes sense.

    • Right, that would require re-validation, which is time consuming and expensive.
    • by HiThere ( 15173 )

      It's worse than that. Even the machines in doctors offices are vulnerable, because they are only supposed to install HIPA approved software, and so, e.g., they run the (presumably) most recently approved version of MSWindows. Connected to the internet.

      Basically there's no awareness of even a potential threat.

      OTOH, they don't browse random web sites. They may not have Flash installed. (I didn't ask to check just what they had installed, it was just blatantly MSWindows...I don't even know which version.)

  • by naris ( 830549 )

    Medical equipment vendors definitely need to address this.

    However, that being said, anyone that hacks medical devices should be taken out and shot. This would be a good cause for reviving capital punishment in those jurisdictions that have retired it.

    • by gstoddart ( 321705 ) on Friday November 13, 2015 @10:44AM (#50921619) Homepage

      However, that being said, anyone that hacks medical devices should be taken out and shot

      Which is your naive way of saying you don't think there are bad people in the world, and that you don't believe people do malicious things just for the hell of it. I have no such faith in humanity. In fact, I take it as a certainty it will happen.

      So, let's ratchet this up a little.

      Say, for instance, that the president of country A is known to have a heart problem. Now, say that country B has been the sworn enemy of country A ever since that crushing loss at the Quidditch World Cup in the 1800s.

      Now, say that the president of country A is going in for heart surgery in a few months.

      Do you really think a determined nation state might not decide that this is a great way to do an assassination? Before you say "of course not, that's silly", I remind you that Stuxnet existed to target and ruin very specific things, which means nation states already do this.

      Now, take this to the level of really scary ... imagine bored script kiddies can access and muck with medical devices at will just for the lulz.

      Because, really, I don't see any reason why these scenarios can't, won't, or haven't already happened.

      And while it's been a fairly open secret that medical devices have terrible security for years, now it's been fairly well confirmed publicly that medical devices have utterly terrible security. Which means I think the likelihood of this has moved from "plausible" to "start planning for it".

      This should be a wakeup call. It's bad enough every piece of consumer electronics and the entire IoT apparently have crap security, if any at all. But having pretty much every medical device be almost without any form of security is scary.

  • by Racemaniac ( 1099281 ) on Friday November 13, 2015 @10:23AM (#50921427)

    I'm wondering how feasible it is to have separate devices handle the security.
    It should be more feasible than having every device be secure? any programmer from any supplier in the entire hospital can now break the security, and everything is down the drain...
    seeing how cheap small computers are now, how hard would it be to put a small secure module before each machine securing everything? I think that would be a far more feasible approach in getting a hospital secure!

    • Well, think about it ... if you want to bypass that, you unplug the device from its magic little firewall.

      As has been pointed out elsewhere, these things aren't in secure rooms with physical security. They're in patient rooms.

      I don't see that really working at all. That's a band-aid solution, but definitely not a solution ... especially since it is likely quite easy to defeat. Anybody with physical access simply unplugs it, and then you're right back to having zero security.

      You can't just slap on a piece

      • If the patients, medical staff, or visitor can be considered to be an attacker, then no medical device will ever be secure without physical access restrictions.

        The GP's idea should only be used as nearly a last resort, but it's not worthless. This is basically how many SCADA & PLC systems are secured since the device itself has no meaningful security. They're considered to be physically secure however.

        So back to the physical access problem. Will these medical devices have to be locked in secure server c

        • So back to the physical access problem. Will these medical devices have to be locked in secure server cages next to each patient's bed regardless of their programming, or not?

          Well, which is the bigger problem ... solving the terrible computer security, or solving the physical access problem?

          Either way, you start off with a problem so huge in scale, and so utterly lacking in proper security, that there simply is no quick fix.

          Which means before anybody can make even a dent in it, there is a very real possibil

    • by DarkOx ( 621550 )

      The problem with that approach is you raise the likelihood that you security fix has a negative interaction with the device. At that point you are treating it as blackbox. Yes you can figure out what ports it need a throw a firewall in front of it but, that won't protect you from some form of command injection.

      So now you firewall has to be protocol aware. Cool is a standard protocol like HTTP or is proprietary and do you have the docs in the latter case. Lets assume its regular HTTP, can we block certain

    • Everything in a hospital or modern medical office building is on the network, from access control systems to drug dispensers to refrigerators to the crash cart to the televisions to the CCTV cameras. Much of the equipment is VLAN'd, so to fully p0wn the building you would need to break through many many systems, but the reporting and auditing features pale in comparison to what the financial industry has been doing for the past three decades.

      The solutions traditionally applied are defense in depth, and sec

  • The teams didn't have time to dive deeply into the vulnerabilities they found, partly because they found so manyâ"defenseless operating systems, generic passwords that couldn't be changed, and so on.

    So they're so completely and utterly insecure we can't even tell you how badly insecure most of it is or what we could do with it.

    That should be setting off big huge alarm bells for a lot of people, but nobody ever does anything until it's too late.

  • by Anonymous Coward

    The medical devices can't be patched without software validation taking place on the device, which means the patches are installed and the V&V teams need to test and verify that the patching does not affect the output of results for these instruments. This happens where I used to work, but not as often as it should, due to $$$. Often times because of this, there are ways to limit physical access, firewall / vlan the device and allowing only the service that is required to perform the function. Of cou

  • In my experience, the hospital networks are also extremely vulnerable. IT at hospitals is focused on making sure interactions with insurance go smoothly, the doctors are happy and the next remodel. They have added guest networks to appease their clientele without one thought to security. The result being you can see anything from anywhere, so not only are hospitals full of vulnerable equipment, they are full of vulnerable easily accessed equipment.
  • In the 90's, I worked for a hospital that shall remain nameless. Their billing system had a root password of "Superman", and the vendor (on whom they leaned for everything) wouldn't let them change it. They also assumed phone lines were secure (which is a joke.)

    I'd imagine things are better now, but there was really a total lack of security awareness at that time.

  • I doubt that the goodwill of strangers has been enough to keep people from hacking these devices, and I doubt that those lacking that goodwill haven't yet thought to hack hospitals, especially if someone of note was known to stay at a hospital for whatever reason. Probably the only reason nobody has heard of anything really bad happening as a result of hacking is that actual patient interaction (for drug administration, monitoring, etc.) still requires physical presence of medical staff. Once that changes,
  • The chattering classes were all "ooohhh portable electronic records" and this and that about the transformative impact of technology without any appreciation for the absolute, non-negotiable need for a security first posture. Of all private sector systems, hospitals are the closest (with a few other industries like utilities) to the use case for a classified government network on security.

    This won't be fixed until the federal government and states get together and task the DNI with drafting guidelines deriv

  • by sjbe ( 173966 ) on Friday November 13, 2015 @10:42AM (#50921599)

    I've worked in a few hospital system. While I'm not an IT guy I'm an engineer and I often serve as a de-facto IT guy for companies. The quality of IT staff in the hospitals I've work with were for the most part deplorable. They tend to be understaffed, underfunded and underpaid and not supported well by management. It should surprise no one that they don't tend to get the best and brightest. While there are some good people, the system sets them up to fail. Quite frankly, hospitals are among the least secure and least well administered companies I've seen when it comes to IT. Their business is extremely complex and very few of the people working in it are IT focused, particularly those in positions of power. Worse a lot of the equipment uses special versions of software that either is not or (usually for regulatory reasons) cannot be updated.

  • by Anonymous Coward

    What security people constantly miss is that our society is kind of founded on the goodwill of the stranger. That's also why there's little physical security at hospitals. Sure there are mentally sick people out there but it takes somebody especially incredibly sick and twisted to turn off somebody's pacemaker just for the hell of it.

    I'm all for security, and there are some evil people out there, but really there are reasons why hospitals are often the least secured places anywhere you go

  • by Anonymous Coward

    Why are we holding up these devices up to some insane standards that were never a consideration until "IoT" became the buzz word of the year?

    Do you know how many mission critical infrastructure systems are running completely unencrypted, non-obfuscated, clear text RS485/232? Wireless backhauls with next to zero security because who would have the kit to interface with it so why bother locking it down? (20 dollar SDR? What's an SDR?). Your local ISPs reckless abandon of cabling from the drop on the corner to

  • by rhazz ( 2853871 )
    And yet I'm not actually worried about going to the hospital and getting irradiated to death from a hacked x-ray machine. What incentive would someone have to make the effort and take the risk to hack these machines? The actual likely fallout from such a thing might be some invalid test results, and maybe even one or two direct deaths from an exploding MRI. The best scenario I can think of would be a foreign nation just wanting to do general economic damage to a country, but targeting a hospital would put t
    • What incentive would someone have to make the effort and take the risk to hack these machines?

      Don't you think X-ray machine maker A would love to show how horrible X-ray machines made by company B are? They could trigger a new Therac-25 [wikipedia.org] scare by twiddling the firmware.

      • by rhazz ( 2853871 )
        Certainly they would, but this isn't a case of sabotage causing a rival company's customers an inconvenience that might result in a fine if they ever got caught. This would be knowingly causing direct injury and death - there would be no corporate protection, people would go to jail for assault and manslaughter.
    • by DarkOx ( 621550 )

      Its not hard to imagine an ISIS or similar group creating a worm the 'punish the infidels' or warn us against continued melding in the middle east against their interest.

      Actually I am really surprised given the fact so much of or infrastructure is a soft target a group like that has not invested in doing so. They would have to pay off one sympethizer to plant a device on hospital network to phone home. Then via reverse tunnel they find some vulns in common hospital equipment. Now they write a worm using

      • by rhazz ( 2853871 )
        Yes but, again, time and effort versus actual damage caused? If ISIS actually had someone willing to take risks who had access to a hospital, they could just build a homemade bomb and set it off in the hospital lobby. That's likely to do far more damage in lives, injuries, financial, etc, and takes about a hundredth of the effort. Why scare a very small percentage of people who might have to get an MRI this year when you can make everyone afraid of even entering a hospital?
  • Most medical devices should either be stand-alone or in a "closed network" such as a network that only includes patent-care devices in a single building and doctor-and nurse-accessible workstations around the building, but without any connection to any network or device that touches any outside network.

    Exceptions like operating rooms used for tele-medicine/remote-operated-robo-surgery/etc. can be handled as special cases.

    If you want to hack them, you'll need to use "out of band/side-channel" techniques like

  • by ErichTheRed ( 39327 ) on Friday November 13, 2015 @11:17AM (#50921901)

    It's not just medical devices. Anything reasonably proprietary has historically had the security by obscurity defense and that hasn't changed. Why do you think manufacturers of SCADA gear, connected sensors, etc. beg customers to put them on their own disconnected network? I've done a lot of work in this sector and see lots of this all the time --
    - Currently shipping devices running old versions of Windows, Linux, etc. with no way to patch them
    - Simple passwords that can't easily be changed
    - Obviously hacked-on network connectivity, where the connection is running vulnerable firmware unmodified from the firmware provided in a test kit by its manufacturer (complete with default passwords)

    Manufacturers of these devices have historically not cared. Look at magnetic stripe credit cards -- the system was designed in an era where a magstripe encoder was a magical tool that cost thousands of 1970s dollars. That was the only thing that kept the technology safe. Other devices rely on the fact that no one knows their proprietary firmware (or so they think.) Avionics systems were designed in an era where the Internet didn't exist for the public. My experience has been that vendors do not fix security problems even when presented with them. Medical devices might be a different story if the FDA gets serious about it.

    I think that if Microsoft, Amazon, Google, etc. get their way and force everyone into the cloud, it'll take a few major hacks into things like these for people to change their security mindset.

    • by eth1 ( 94901 ) on Friday November 13, 2015 @11:25AM (#50921987)

      It's not just medical devices. Anything reasonably proprietary has historically had the security by obscurity defense and that hasn't changed. Why do you think manufacturers of SCADA gear, connected sensors, etc. beg customers to put them on their own disconnected network?

      Putting systems that could cause death or widespread mayhem on isolated networks is a good idea regardless of the security of the applications. It's one more layer an attacker has to bypass.

      The problem is that doing so has become an excuse to NOT secure the applications.

  • If you're interested in helping with problems like this one, check out this group: https://www.iamthecavalry.org/ [iamthecavalry.org]

    They are attempting to make changes in critical infrastructure/industries (think medicial, automotive, etc) which have not had the 'benefit' of learning the lessons yet that we have learned in the web-based IT world over the last 20 years. Let's face it, we can't afford to have a slammer type incident that involves cars or hospitals to open the local Microsoft-equivalent vendor's eyes and have t

  • If you go through some effort to hack something, you are doing it for some reason.

    1- You might be doing it for the lulz, in which case, you probably are taking some pains to not totally screw your victim. If you look at actual full fledged computer viruses from an era when the vector (floppy disk) and targets (DOS box) were pretty reliably similar, you'll see the majority of the viruses just screwed with you. They'd invert some text. One replaced every "Microsoft" string on your machine with "Machosoft".

  • Everyone is so focused on BlackBerry's supposed death spiral due to their loss of market share in the mobile phone arena they forget that BlackBerry isn't a phone company. BlackBerry is a secure mobile communications company. To that end they supply the most stable and secure OS in the medical industry (QNX) [qnx.com] and are working with NantHealth [nanthealth.com] to supply an end-2-end secure medical communications system. My first real job in electronics was working for a pacemaker OEM. The device we used to program pacemakers ba
  • Caveat, Most everything said above is true, but... I work in hospital IT, we don't go near anything like these devices. They are FDA approved - If a WD HDD goes out in a device I can't even replace it with the same model from CDW, the replacement has to come from the vendor with an FDA sticker on it. The "Sticker Price" is usually about $500... We have a BioMed department that handles all that and I work with them often. Very few devices are network connected, most all are stand-alone. Most all devices

BASIC is the Computer Science equivalent of `Scientific Creationism'.

Working...