Security in the healthcare sector stuck in the Dark Ages

“The healthcare sector is a good 10 to 15 years behind the retail sector when it comes to security.” This is the disturbing revelation from medical device security advocate Scott Erven, as reported by Threat Post. “We can’t accept what we have now. If we assume a loss of life scenario, the consequence of failure is too high,” stated Erven, who spoke at this year’s Security Analyst Summit.

IT Pro Portal asked security experts from AlienVault and Lieberman Software whether these claims were hyperbolic or if the vulnerabilities found in medical devices could genuinely lead to human deaths.

Javvad Malik, Security Advocate at AlienVault, explains: “Whenever you’re dealing with medicine at large, the consequences can be huge. Considering even an overdose of a non-prescription drug such as Paracetamol can lead to death. The biggest challenge comes from where medical devices are remotely accessible. You can break these devices down into two parts:

1. Those devices which administer treatment or medication of some sort.
2. Those devices which doctors rely on to make decisions.

For the first type, causing a system to increase or decrease medication can have a direct impact on someone’s life.

While the second type of device may not directly impact someone, it can cause a doctor to make an incorrect diagnosis. In both scenarios there exists the potential to impact life – albeit in different ways.”

“There’s been a ton of independent research conducted from a variety of different professionals demonstrating the vulnerabilities that exist. A lot of the flaws tie back to the wider IoT issues – old systems, getting updated with Internet connectivity for the sake of convenience with little or no thought given to security. Just because you can automate a device or make it remotely accessible, doesn’t mean that you should,” continued Malik.

Jonathan Sander, VP of Product Strategy at Lieberman Software, on the other hand argues that "the security vulnerabilities found in medical devices could lead to someone's death in the same way that walking on the sidewalk could lead to your death if a driver decided to mount the curb and aim for you. Most breaches and exploits happen for some reason. Bad guys infect your machine with Cryptowall in order to blackmail you, but if they kill you with a faulty medical device who would pay them? Of course, maybe someone is paying them to kill you or they are just a psychopath entertaining themselves. These are hardly likely, but not impossible.

One example of the type of flaw found in these devices is hard coded, default passwords. If you've ever had to set up a device like a wireless router in your home and had to use a password that was written in the device’s instructions, then you've encountered this. A good manual will tell you to change that default password immediately, but many do not instruct that and most people don't listen when they do. Medical devices also often come with a password that ought to be changed but isn't. That means any bad guy with the instructions for the device can do real harm quite easily if they wish."

So what do technology providers and hospitals need to do to improve security and potentially save lives? According to Sander, "no effort is without cost. Mitigating the security flaws would cost money and time many medical facilities don't think they have. The real question is if the risk is more expensive than the solution."

Malik also agreed that “security is often a tough sell. The vulnerabilities exist somewhat due to budget constraints and others due to technological constraints. For example, some medical devices are said to have weak or unchangeable passwords, or do not include encryption or authentication controls.

Hospitals themselves need to evaluate their internal networks and how systems are connected and authenticated. This will vary in different hospitals, but creating secure trusted zones for medical devices, continually monitoring for unusual activity and other best practices are a must.”

“Secure development and system hardening should be implemented when a device is first manufactured and shipped.

But perhaps more importantly, the vendors should keep researching the latest threats as they develop and issue patches and fixes where appropriate. If these are not possible, they should at the very least be issuing advisories with recommendations of mitigating controls.

Building in manual override or recovery options to continue using machinery even if offline is a must, as is having integrity and other assurance processes and technologies in place to ensure systems are operating as designed.”