Are Your Medical Devices Being Hacked?
Attackers are increasingly targeting medical devices; the reason—PHI. This attack is called medical device jacking or medjacking.
Targeted medical devices consist of four types:
- Consumer health monitoring (e.g., FitBits, smart watch, etc.)
- Wearable (e.g., portable insulin pumps, continuous glucose monitor, etc.)
- Embedded (e.g., pacemakers, defibrillators, etc.)
- Stationary (e.g., MRI machines, CT scanners, etc.)
Vulnerabilities have existed within many medical devices for years, but recently there have been increased attacks and awareness of these vulnerabilities. For example, the U.S. Food and Drug Administration (FDA) announced yet another medical device vulnerability, this time with a widely used infusion pump.
DANGERS OF MEDICAL DEVICES
The FDA said medical devices “can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.”
Although internally embedded medical devices like pacemakers can be hacked, most attackers are more interested in stealing large amounts of patient data. Medical data (e.g., social security numbers, insurance information, etc.) is worth 10 times more than credit card data.
Medical data is worth 10 times more than credit card data.
Not only do these vulnerabilities exist, but they will increasingly grow worse as more and more devices become interconnected. For example, stationary medical devices are often connected via Wi-Fi or Ethernet, but in some cases, they can connect to a business associate.
In general, stationary medical devices are the most at risk because within a few steps, criminals can gain access to electronic medical records (EMR) systems. The following are common stationary medical devices:
- Medical x-ray scanner
- MRI machine
- CT scanners
- Chemotherapy dispensing stations
- Dialysis machines
- LASIK surgical machines
- Homecare cardio-monitoring
- Bedside infusion pump
- Anesthesia apparatuses
- Medical ventilators
- Picture archiving and communication system
- Blood gas analyzer
HOW DO MEDICAL DEVICES GET COMPROMISED?
Medjacking attacks are designed to quickly infiltrate medical devices, establish control, and then use them as pivot points to compromise and exfiltrate data from across the healthcare organization. Once an attacker gets into the network and bypasses existing security, they can infect a medical device and establish a backdoor within the device for later access.
Why does this problem exist? It starts with manufacturing.
According to the FDA, manufacturers are responsible for “remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity.”
Medical device manufacturers are supposed to take responsibility for securing their devices with appropriate security controls (e.g., user authentication, strong password protection, physical locks, card readers). They should also develop strategies for active security protection and “timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code.”
Unfortunately, most manufacturers don’t take this responsibility seriously.
Some medical device manufacturers limit their cybersecurity efforts due to low budgets or time-requirements, necessitating the use of open source code for security solutions.
The problem is healthcare IT teams typically don’t have access to a medical device’s system. Users can’t install further security tools on network connected medical device systems because most security tools don’t run within the actual medical device. Also, any software applied by the entity might be considered tampering with the device and have a negative impact on FDA approval.
HOW TO PREVENT MEDJACKING
The ongoing responsibility of managing patient data throughout an organization requires an organized approach to risk management. As the guardian of patient data, it’s up to each healthcare organization to learn and understand the basic features of their IT assets and medical devices, what security mechanisms are in place, and how to use them.
STEP ONE: FIX CURRENT MEDICAL DEVICES
If you have networked medical devices, prepare for the worst. You likely have HIPAA violations on your hands because these devices are potentially vulnerable to leaking patient data. If there are any known vulnerabilities, remediate your existing devices immediately. Contact medical device manufacturers to find any required updates or available patches. Add this to your policies and document everything.
Software and hardware updates take time. Plan ahead for ways to integrate all necessary fixes provided by the medical device manufacturer. Once again, make sure you document all of your manufacturers’ changes.
Make sure all medical devices have a secure password. Secure passwords should have a minimum of eight characters, and must contain numeric, alphabetic, and special characters. In practice, the more character formats used, the more difficult a password will be to guess. This also applies to attackers trying to use a brute force application to obtain a password: the longer and more complex the password, the longer it will take to discover.
STEP TWO: REVISE YOUR PROCESS
Most importantly, consider only buying from medical device vendors that value cybersecurity. Some device manufacturers favor passwords built into the system that can’t be changed. When making purchase decisions, you should be able to modify your own passwords. Vendors should also offer frequent updates on their systems and be willing to conduct quarterly reviews on their systems.
Manage physical access to medical devices, if possible. Medical devices with USB ports are particularly prone to compromise and additional procedures for these devices (such as strict rules for used USBs) are a must. For example, employees should never use USB sticks found on the ground or lying around the facility.
If devices no longer receive manufacturers’ updates, get rid of them. It’s better to be safe than risk patient data being stolen.
Remember in the disposal process to securely erase or destroy any patient data on these devices.
Limit access to PHI by segmenting devices inside your network. Protect these devices with strict firewall rules allowing access to only specific services and IP addresses. Train your employees at least annually.
One of your organization’s biggest weaknesses can be your workforce because they don’t understand their responsibility to protect PHI and medical devices. Train them about social engineering and how often individuals pose as janitors, IT, new hires, or fake nurses to access patient data.
In your social engineering training, teach employees to:
- Challenge strangers
- Verify their identification
- Never use USB thumb drives found around the premises
- Always wear an identification badge
Ensure you protect your patient’s data. You need to adequately document where PHI enters your environment, what happens once PHI enters, where it’s stored, and how it exits your organization. Then you need to implement the necessary encryption, industry best practice is to use AES-128, AES-256, or better.
STEP THREE: UNDERSTAND YOUR SECURITY STATUS
It’s difficult, if not impossible to find every weakness in your organization on your own. To take your security to the next level and to avoid weaknesses in your IT system, consider implementing additional services such as:
- Internal and external vulnerability scans—Automated testing for weaknesses inside and outside your network
- Penetration tests—Live, hands-on testing of your system’s weaknesses and vulnerabilities
- Gap analysis—Consultation on where your gaps in security and compliance exist and what steps need
to occur next
- Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS)—A monitoring system for network security appliances and report malicious activity
- File Integrity Monitoring (FIM)—A way of checking software, systems, and applications in order to warn of potential malicious activity
STEP FOUR: IMPLEMENT HIPAA COMPLIANCE
If you haven’t already, designate a HIPAA compliance officer or team member. Clearly and specifically lay out their responsibilities, as well as for anyone involved with HIPAA compliance.
Privacy and security concerns are key when it comes to HIPAA, but it’s also important to be sure your organization as a whole is protected. It’s critical to ensure all systems containing patient data is protected. Here are common places data is stored intentionally and unintentionally:
- EHR/EMR systems
- Filing cabinets
- Security appliances
- Email system
- Data warehouse
- Files shares
- Ticketing systems
- Mobile devices (i.e., smart phones, tablets)
Conduct an annual HIPAA risk analysis. A risk analysis helps you to know your vulnerabilities, threats, and risks. The HHS states, “Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational.” Start by identifying your organization’s top weaknesses, and begin to resolve these issues, and then repeat the process for medium and low risks.
Set aside time either daily or weekly to work on HIPAA compliance and security. Keep HIPAA in the forefront of employees’ minds by holding regular training about PHI security practices.
IF YOUR MEDICAL DEVICES AREN’T SECURE YOUR ORGANIZATION IS NOT HIPAA COMPLIANT.
Update all medical devices with any available security patches. Work with manufacturers at least once a quarter to make sure your device is secure. If you haven’t already, start HIPAA compliance and protect your patient’s data.
Don’t let obstacles stop your progress on the security and compliance journey. Make securing medical devices a standard procedure after they get fixed. This process helps protect your organization and your patient’s data from getting hacked.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security.