When medical devices and hospital networks become a health risk
The Food and Drug Administration (FDA) recently issued guidance to medical device manufacturers recommending they employ a structured and systematic approach to addressing continually evolving risks.
Within a week of the guidance being issued, Kaspersky Lab researcher Sergey Lozhkin shed light on the real-world story of how relatively easy it is for a hacker to break into a hospital network and take control of medical devices. So, what do “insecure” hospital networks, medical devices and genetically modified organisms have in common? They all pose potentially catastrophic health risks to us and our loved ones.
Case in point: I went to see my chiropractor yesterday for a routine “adjustment” and, as I was the last patient of the day, we had an interesting conversation about health and what we do to stay healthy. A few minutes into the conversation, we started discussing nutrition and the impact of GMOs vs. a strictly organic diet. There is a lot of attention and publicity on this topic, from the Kardashian’s new Atkins diet to Monsanto being fined $80 million for accounting violations. However, while there is a plethora of studies on health risks associated with GMOs and the bovine growth hormone we periodically ingest at the local steakhouse, issues associated with the cyber “insecurity” of mobile connected devices and applications in the medical industry are arguably less known to many.
The recent research at Kaspersky Lab reflects the frightening reality. Attacks against medical devices do not necessarily stop at exposing patient data such as diagnoses and medical treatments. They allow an attacker complete and unobstructed access to patient monitors, MRI devices and management applications. This could lead to catastrophic results: if the attacker’s intention is to cause physical harm, all they need to do is reconfigure the compromised device or control application.
The problem is compounded, and the potential network attack surface multiplied, because many of these devices are connected to the Internet to give physicians access via remote interfaces.
“Security is a chain; it is only as secure as the weakest link,” wrote Bruce Schneier in his book “Secrets and Lies”. I hesitate to comment on which was worse in Lozhkin’s ethical hacking exercise involving a hospital in Moscow: brute-forcing the network Wi-Fi credentials due to ineffective configuration and easy passwords, or taking over the control panel of an MRI machine that was not password protected. As it turns out, thousands of medical devices have software vulnerabilities and are poorly configured. A recent presentation at the DerbyCon security conference by researchers Scott Erven and Mark Collao exposed how connected medical devices can be located online by searching for terms like “radiology” and “podiatry” in Shodan, a search engine for locating Internet-connected devices.
Relying on technology to reduce human errors is a critical strategy for hospitals if they want to successfully and safely serve their patient population, and ultimately reduce the number of potential fatalities. All of these factors rely on medical device security, as well as network uptime and performance, especially as networks become more reliant on wireless technology. The cost of disruption in network communications and device reliability can include loss of life and, clearly less critical but still important, liabilities for healthcare administrators.
Ensuring this level of reliability, speed, and security requires end-to-end, continuous testing to ensure that networks, and the vital data they hold, are protected against potential threats. Ixia’s test and security solutions can help manage the unpredictable world of IT and protect against these security threats. Ixia’s BreakingPoint finds issues with new products and their associated updates before they are released, as well as after a patch is applied in production. For Wi-Fi devices and wireless networks, Ixia’s IxVeriWave solutions deliver the critical components of wireless LAN test, from lab to live networks.
So, when do medical devices and hospital networks become a health risk? When they are not fully and continuously tested to ensure they are reliable and not vulnerable to attacks.