A recent report authored by TrapX details three instances where hospitals were hit by data breaches. According to DarkReading’s Kelly Jackson Higgins, the digital intrusions occurred after certain medical devices had been infected with malware backdoors.
“In all three cases, the hospitals were unaware that these devices – a blood gas analyzer, a picture archive and communications system (PACS) and an x-ray system – were infiltrated with malware,” writes Higgins.
“Ransomware, as well as Zeus, Citadel, and even Conficker, malware were discovered on the devices. While none of these real-world hacks of the medical devices appeared to be used for sabotage per se, TrapX says the malware on them indeed could be used for remote control of the devices.”
As Laconicly LLC security researcher Billy Rios points out, malware attacks on medical devices are “pretty common,” as they are often susceptible to Windows exploits.
“There have been previously reported cases where these devices have become infected by run-of-the-mill malware,” says Rios. “While this malware isn’t custom-made for medical devices, it shows that the devices are vulnerable to exploitation.”
Rios also recently identified a number of serious vulnerabilities in several models of drug infusion pumps that could allow an attacker to surreptitiously and remotely change the amount of drugs administered to a patient.
“This is the first time we know we can change the dosage,” Rios told Wired. “If you can update the firmware on the main board, you can make the pump do whatever you like.”
As we’ve previously discussed on Rambus Press, medical equipment with processors is susceptible to the same vulnerabilities plaguing consumer and enterprise devices.
“There really isn’t any fundamental difference in addressing that, but there is a big difference in that the consequences can be life threatening,” Paul Kocher, president and chief scientist of the Rambus Cryptography Research division, recently told Semiconductor Engineering.
“What I see as a major concern is the case where devices have direct, or indirect connections to the broader network. For example, if a patient is connected to a device that talks to a system that is connected to the Internet, or the cloud, that tunnel of connectivity completely changes the risk profile.”
From an engineering perspective, adds Kocher, there are at least several avenues that can be explored to bolster medical device protection, including developing more secure operating systems, designing processors with hardware-based security options, improving detection of anomalous activity and deploying multiple processors that check their answers against one another.
Interested in learning more about the challenges of cyber security in the medical sphere? You can check out our article archive on the subject here.