Has your credit card ever been hacked? What if a text message like this were to appear on your smartphone: “Re: Visa Card #1234. To continue using your card, please verify these three transactions: 02/08 XYZ Computers $679.57 (declined), Starbucks $12.77 (approved), CVS Pharmacy $25.49 (approved). If you attempted all three of these transactions, reply YES. If you do not recognize one or more of these transactions, reply NO.”
You did not order or buy anything from XYZ Computers. You reply “NO.” You receive a second text message: “Your credit card has been restricted. Please call Visa.” When you call, you learn that someone in Mississippi (you live in Oregon) attempted to make a purchase using your credit card and security code.
Yes, your card was hacked. You must get a new one, with all the hassle that entails. But the bank caught it — in time — and declined payment, protecting both you and the bank.
Banks use algorithms to monitor credit card usage. They know your habits. They know where you live. They know where you shop — places like Starbucks and CVS. Based on their experience, they recognize when something doesn’t look right. And they stop it.
The same approach, using advanced technology, is being used to identify and prevent attempted hacks on the "internet of things." “Things” now includes a multitude of connected medical devices, such as infusion pumps, vital sign monitors, pacemakers and ventilators.
From an attacker’s perspective, each device is nothing more than a small computer. Data come in and data go out, sometimes to servers in the hospital, sometimes to or from those of the device manufacturer and sometimes to or from the cloud. Any such device is subject to nefarious penetration and can be used as a stepping stone to retrieve a wealth of potentially valuable information.
Hospitals and health systems must secure medical devices in the same way that banks ensure the security of the credit cards they issue. There are proactive ways they can identify and mitigate potential risks.
The traditional approach to preventing an organization’s network from being compromised is by having a firewall. This is a high-level barrier that identifies and prevents intrusion at the facility level. When working as designed, the firewall blocks attacks before they infiltrate individual devices or computers on the hospital’s intranet. While this is a mature technology, it is still vulnerable to attacks from within the hospital, such as those from an employee's unknowingly infected cellphone.
A complementary approach uses an intrusion-detection system. This approach detects network intrusions inside the organization, but it can be dependent on the behavior of internal users, leading to false-positive reports to system administrators.
A third approach uses what is known as a device-management system. This makes devices connected to the hospital network visible, helping administrators control who is connected and who is allowed to connect. Although such visibility is useful, it may be insufficient to identify which of perhaps thousands of devices is infected before an attack can be carried out.
'Pentesters' and hackers
Typically, cybersecurity work that identifies and mitigates risks such as these is done by “pentesters,” information technology specialists who attempt to penetrate a device. Think of them as “white-hat hackers.”
A pentester’s goal, like that of a hacker, is to break into the device and gain control without proper authorization. The pentester, however, is doing so to alert device manufacturers to potential vulnerabilities and suggest improvements before attackers can take advantage of them. The report on the IV infusion pump mentioned in the sidebar at the end of the story is the work of a pentester, and the problem was fixed before the report was released.
A pentester evaluates a target device just as an attacker does. He or she assumes minimal knowledge of the hospital’s information technology system, the network services running on the device, or the usernames or passwords of the device or system.
Usernames and passwords are the key. Breaking into a connected device is no different from breaking into your home. It helps to have a key.
Keys to devices may be guessed by trial and error. A device may use the same password as other devices. Thanks to the internet (and users who are not careful with their passwords), attackers have a veritable dictionary of username/password combinations plus ways to guess passwords from usernames. This approach is like finding the key to your house under the mat.
If this approach fails, attackers simply can purchase a device and hot-wire it by using the manufacturer’s default password — usually the same for each model. This approach may provide the most robust access to everything needed to uncover the functionality and connections available between a device and a server.
Once the attacker finds the password or has the device hot-wired, he or she is one step closer to gaining control of the device and ultimately the external connections to the hospital’s IT system. Accessing the device (and its connected servers, which may require weak or no authorization) allows attackers to intercept all of the network traffic into and out of the device.
In the report on the infusion pump, the pentester worked from the actual device, hot-wired it, gained access to every system detail — including both hardware and software connections — and learned how the device could be exploited.
Unfortunately, hackers aren’t pentesters. They aren’t wearing the white hats. Their goal in attacking connected medical devices is money. (It rarely is to inflict personal injury.) Once they have control of a device, they use it to gain access to the entire network of the health care organization. Money is the reason why Willie Sutton robbed banks and not bars. Social Security numbers, sensitive personal data and even credit card information are attackers’ holy grail. They may also use access to the device to encrypt data for ransom, infect other devices with malware or flood servers on the internet with garbage data.
When a device vulnerability is discovered by security professionals, the industry's current process is to:
- Notify the manufacturer, describe the problem, and suggest a fix.
- Await the manufacturer’s response.
- Allow the manufacturer a typical grace period of three to six months to release a security patch or recall the device.
- Notify the general public at the end of the grace period. (This notification, or recall, is often vague to avoid providing helpful details to other attackers; it, however, may be too late to prevent intervening attacks.)
Retroactively identifying and responding to an attack is appropriate. Proactively protecting devices and preventing an intrusion is better. But what does “protect” mean?
New approaches to cybersecurity use artificial intelligence to monitor traffic in and out of each connected device and alert the network security professional when an attack is attempted, proactively blocking it in real time before any access can be gained and damage done.
Traditional intrusion-detection systems monitor an organization’s entire network — a mixture of human behavior and device behavior. By modifying IDS with AI, protection now can focus on the behavior of individual devices (the behavior of which is far more predictable).
Medical devices, like our credit cards, are not connected to a network all the time. When they are, there is an expected pattern of behavior. The flow of information into and out of a device should be predictable and routine.
Using AI to differentiate between normal and abnormal communications, professionals can watch the device's network behavior in real time and determine if the device is listening to or talking to networks, servers or individuals that it should not be.
Thus, when a hacker attempts to send malicious commands to a vulnerable device, the communication can be blocked or quarantined before the device is accessed or controlled. The device remains unchanged, functionality is uninterrupted, and a dashboard alert is sent to the network’s security manager immediately.
Think of how your email service is able to recognize junk mail. It knows whom to trust and whom not to trust. If mail from an unknown sender attempts to enter your inbox, your service is able to quarantine it and give you a chance to prevent damage to your system. This, too, is all done with AI in real time, not after you have opened the email.
Similarly, using this approach for connected medical devices provides immediate identification of attacks and vulnerabilities; immediate protection and uninterrupted use of the device; protection from network intrusion and compromise; and time for manufacturers to incorporate more secure firmware into subsequent iterations of their products.
As an enhancement of current security measures, AI can be taught to recognize who is and is not authorized to send information to, or request information from, a connected medical device. Hence, unauthorized attacks and attackers can be intercepted and blocked.
This means of detection and protection must work on the hospital’s own network, monitoring activity between devices and the network’s servers, not activity on the device itself or in the cloud. This approach can prevent access by unauthorized users while eliminating the need to modify or reconfigure the device. And it can be done in real time, not after a device has been compromised and higher-level servers have been breached — that is, after the damage has been done.
Security technology must intercept and prevent attacks on connected medical devices proactively. New approaches to technology can provide patients, staff, health care organizations and manufacturers a higher level of comfort and security than is available through older, reactive approaches. As always, an ounce of prevention is worth a pound of cure.
Song Li (LS@newskysecurity.com) is chief technology officer of NewSky Security in Redmond, Wash. Charles Pilcher, M.D. (firstname.lastname@example.org), is a trustee and chair of the board quality committee at EvergreenHealth in Kirkland, Wash. John Gepford (email@example.com) is director of information systems at EvergreenHealth Monroe (Wash.).
These are just two examples of the vulnerability of the "internet of things" in health care settings:
- A security researcher is able to hack an IV infusion pump. He publishes a detailed report on his findings.
- University of Chicago cybersecurity experts discover that the school’s network printers can be used to retrieve sensitive patient and financial information.
Problems with current practices
While the older, reactive practice for fixing cybersecurity vulnerabilities in medical devices is well-designed, the reality is that it is not always followed consistently. Here are a few obstacles:
Uncooperative manufacturers: Updates and recalls are expensive for device manufacturers. Updates and recalls also can hurt sales.
Slow patches: Since vulnerabilities can affect more than one version of a device, each patch must be tested. Updating the entire device population with security patches, or even a recall, can take time.
Out-of-date knowledge: Ideally, a cooperative manufacturer will release a robust patch that resolves a vulnerability and updates all devices within the grace period allowed. Even then, however, a vulnerability may be three to six months old, during which time devices may be compromised. More rapid announcement of a vulnerability, and its resolution, would be a better response, but this is difficult for manufacturers to achieve, for two reasons:
- The announcement may require proof-of-concept software code to show that a vulnerability is real. If this code is leaked in any way, other attackers can learn of the vulnerability and create new attacks, putting more devices at risk before fixes are in place. Even a brief summary of the vulnerability may be sufficient to inspire an attacker. Either way, when a device is compromised before a patch is in place, the device no longer can be trusted — whether patched or not.
- Attackers can revise their strategy or seek other vulnerabilities while the manufacturer spends three to six months creating a fix for the one found. By then, the attackers may have identified new vulnerabilities and created more havoc.
— Song Li, Charles Pilcher, M.D., and John Gepford
As they consider the cybersecurity vulnerabilities of devices in their organization, hospital and health system boards can ask a number of questions:
- A patient’s monitor in the intensive care unit records vital signs every 15 minutes. Do we know where that information goes?
- The manufacturer of an infusion pump needs to update the software in the device. Do we know if that update can be done remotely?
- What if a staff member were to report that a copy machine is responding erratically? How would we know if the machine had been hacked?
- What is our information technology department doing to protect medical devices from hackers?
- What is our hospital doing to protect patients who are wearing the devices?
— Song Li, Charles Pilcher, M.D., and John Gepford