This Is the Real Threat Posed By Hacked Medical Devices at VA


Most medical device manufacturers do not have the know-how or tools to patch vulnerabilities in devices quickly.

As the departments of Defense and Veterans Affairs work to make the digital medical records that each manages for some 10 million beneficiaries compatible, they face an unassuming foe.

Medical devices in their hospitals are vulnerable to malware that could allow attackers to compromise all that patient health data.

In fact, it's more likely someone will hack a drug infusion pump to break into a connected health records system than to give you an overdose, says VA’s top medical device security official.

While there have been harrowing demonstrations of how to manipulate a pump or pacemaker, those attacks are unlikely to play out in reality anytime soon.

The here-and-now danger is the "advanced persistent threat" that piggybacks off a vulnerability in a medical device linked to a hospital's electronic health record network, Lynette Sherrill, VA deputy director of health information security, tells Nextgov.

Because most medical device manufacturers do not have the know-how or tools to patch vulnerabilities in medical devices quickly, that "really brings about the potential for these devices to be the weakest link we have on the network ... they can become a launching point for the rest of the network if they are exploited," she said.

Many medical devices connected to VA networks are based on traditional operating systems, like Windows.

“We’ve seen everything from CT scanners to MRI machines running Windows operating systems,” Sherrill said.

When a software vulnerability is discovered in your Windows computer or Apple iPhone, your machine can send an automatic update to fix the bug. Not so with medical devices running the same kinds of software.

"They don’t get the patch as soon as everything else gets the patch" on the VA networks, she said. In April, two medical device infections were successfully contained at VA facilities, according to the agency's latest data breach report to Congress.

Hospital networks hold a lot of sensitive data of value to financially-motivated cybercrooks and even nation states. Since 2015, insurance companies have discovered a hack that compromised 78.8 million records at Blue Cross Blue Shield Anthem, followed by intrusions at Premera and several other BCBS companies. The going price is about $500 for one Medicare or Medicaid record on the Dark Web.

Hospital networks also appeal to hackers who ply their trade by holding data for ransom. Earlier this year, a Hollywood, California, medical center paid $17,000 to regain access to its health records. Its systems were tainted with "ransomware," a hacking tool that encrypts data and triggers messages demanding money in exchange for a decryption code.

The Good News: No Ransomware, Yet

While there have been no confirmed, public cases of ransomware infecting a medical device, such threats are a real risk, say Sherrill and other security experts.

"With the Internet of Medical Devices, you now have more devices that an attacker can use to gain access to a network," said Tenable Network Security strategist Cris Thomas, also known as "Space Rogue."

Typically, the worms that show up on devices are random malware that might be detected on any PC, like the Conficker virus that targets Windows.

VA pulls devices from practitioners, no matter what infection the department finds on a machine, said Sherrill, who was named an (ISC)2 U.S. Government Information Security Leadership Award finalist for running the VA Medical Device Protection Program.

“We immediately remove medical devices from patient care that we find are infected with a virus or malware,” she said. “We have had to cancel patient appointments because of having to remove a device from care … we just don’t even want to take the risk with our veterans’ care.”

Last year, the Pentagon awarded Leidos and its partners a $9 billion contract to develop its next-generation electronic health records system. By 2022, Pentagon officials expect its commercial system to be “interoperable and running” with VA and other commercial platforms.

To minimize the chances a hospital device will infect a patient records network, it is a good idea to separate medical things from the Internet of things.

The Internet of Medical Things

VA tries to isolate its medical devices from the department's networks to prevent advanced persistent threats, Sherrill said.

"We have also limited the capability of those devices to talk directly to the Internet," she said.

But a March 15 inspector general report cast doubt on how far removed those devices are from other networks.

VA "has not implemented effective methodologies for monitoring medical devices on the general network and ensuring medical devices are segregated from the primary local area network and the Internet," Brent Aronte, VA's deputy IG for audits and evaluations, said in the report.

VA officials, at the time, said the isolation of medical devices from other systems is a work in progress.  

Sherrill on Wednesday said, “We are diligently addressing all areas of risk, eliminating material weakness and implementing a strategy for long-term success,” adding that the inspector general’s feedback helps make VA’s defenses stronger.

And, to date, there have been no data breaches involving medical devices, she noted.

Scary Press Can Be Good Press

As strange as it may seem, press reports chronicling how attackers can kill someone by manipulating a machine are welcome.

"Right now, I think the threat probabilities are fairly limited on that," Sherrill said. At the same time, the media attention "advanced the conversation about cybersecurity threats to medical devices which is always a good thing."

For example, security researcher Billy Rios told Wired he found vulnerabilities in popular drug infusion pumps that would allow attackers to remotely alter the firmware on a drug pump, giving them the power to deliver a potentially deadly overdose without the pump issuing an alert.

A so-called man-in-the-middle attack can be especially dangerous to patient safety when someone remotely intercepts data exchanged between an insulin pump and a connected device. With a wireless connection, because "the mechanism of transfer is a radio wave signal, this signal can not only be intercepted, but an attacker can send his or her own signal," explain Patricia Williams and Andrew J Woodward, of Australia's Edith Cowan University, in a July 2015 medical journal article.

Each of these hypothetically-deadly hacks has been performed in a controlled environment, where there were few protections in place, unlike in a VA hospital, Sherrill said.

That said, the same vulnerabilities that would allow an attacker to control a specific pump can be used to branch out into the connected network, Thomas said.

VA expects to complete within the next year a “Medical Device Vulnerability Management Process” to more swiftly identify and fix, or replace, machines that exhibit a software bug, according to the March inspector general report.

Manufacturer Philips is one of the few medical device companies offering a bug bounty program for researchers who find vulnerabilities. The reward for notifying the company about a bug seems to be fame -- you will be given full credit on a press release explaining the patch -- not necessarily fortune.
