This Is the Real Threat Posed By Hacked Medical Devices at VA

As the departments of Defense and Veterans Affairs work to make the digital medical records that each manages for some 10 million beneficiaries compatible, they face an unassuming foe.

Medical devices in their hospitals are vulnerable to malware that could allow attackers to compromise all that patient health data.

In fact, it's more likely someone will hack a drug infusion pump to break into a connected health records system, than to give you an overdose, says VA’s top medical device security official.

While there have been harrowing demonstrations of how to manipulate a pump or pacemaker, those attacks are unlikely to play out in reality anytime soon.

The here-and-now danger is the "advanced persistent threat" that piggybacks off a vulnerability in a medical device linked to a hospital's electronic health record network, Lynette Sherrill, VA deputy director of health information security, tells Nextgov.

Because most medical device manufacturers do not have the know-how or tools to patch vulnerabilities in medical devices quickly, that "really brings about the potential for these devices to be the weakest link we have on the network ... they can become a launching point for the rest of the network if they are exploited," she said.

Many medical devices connected to VA networks are based on traditional operating systems, like Windows.

“We’ve seen everything from CT scanners to MRI machines running Windows operating systems," Sherrill said.

When a software vulnerability is discovered in your Windows computer or Apple iPhone, your machine can send an automatic update to fix the bug. Not so with medical devices running the same kinds of software.

"They don’t get the patch as soon as everything else gets the patch” on the VA networks, she said. In April, two medical device infections were successfully contained at VA facilities, according to the agency's latest data breach report to Congress.

Hospital networks hold a lot of sensitive data of value to financially-motivated cybercrooks and even nation states. Since 2015, insurance companies have discovered a hack that compromised 78.8 million records at Blue Cross Blue Shield Anthem, followed by intrusions at Premera and several other BCBS companies. The going price is about $500 for one Medicare or Medicaid record on the Dark Web.

Hospital networks also appeal to hackers who ply their trade by holding data for ransom. Earlier this year, a Hollywood, California, medical center paid $17,000 to regain access to its health records. Its systems were tainted with "ransomware,” a hacking tool that encrypts data and triggers messages demanding money in exchange for a decryption code.

The Good News: No Ransomware, Yet

While there have been no confirmed, public cases of ransomware infecting a medical device, such threats are a real risk, says Sherrill and other security experts.

"With the Internet of Medical Devices, you now have more devices that an attacker can use to gain access to a network," said Tenable Network Security strategist Cris Thomas, also known as "Space Rogue."

Typically, the worms that show up on devices are random malware that might be detected on any PC, like the Conficker virus that targets Windows.

VA pulls devices from practitioners, no matter what infection the department finds on a machine, said Sherrill, who was named an (ISC)2 U.S. Government Information Security Leadership Award finalist for running the VA Medical Device Protection Program.

“We immediately remove medical devices from patient care that we find are infected with a virus or malware,” she said. “We have had to cancel patient appointments because of having to remove a device from care … we just don’t even want to take the risk with our veterans’ care.”

Last year, the Pentagon awarded Leidos and its partners a $9 billion contract to develop its next-generation electronic health records system. By 2022, Pentagon officials expect its commercial system to be “interoperable and running” with VA and other commercial platforms.

To minimize the chances a hospital device will infect a patient records network, it is a good idea to separate medical things from the Internet of things.

The Internet of Medical Things

VA tries to isolate its medical devices from the department's networks to prevent advanced persistent threats, Sherrill said.

"We have also limited the capability of those devices to talk directly to the Internet,” she said.

But a March 15 inspector general report cast doubt on how far removed those devices are from other networks.

VA "has not implemented effective methodologies for monitoring medical devices on the general network and ensuring medical devices are segregated from the primary local area network and the Internet,” Brent Aronte, VAs deputy IG for audits and evaluations said in the report.

VA officials, at the time, said the isolation of medical devices from other systems is a work in progress.  

Sherrill on Wednesday said, “We are diligently addressing all areas of risk, eliminating material weakness and implementing a strategy for long-term success,” adding that the inspector general’s feedback helps make VA’s defenses stronger.

And, to date, there have been no data breaches involving medical devices, she noted.

Scary Press Can Be Good Press

As strange as it may seem, press reports chronicling how attackers can kill someone by manipulating a machine are welcome.

"Right now, I think the threat probabilities are fairly limited on that,” Sherrill said. At the same time, the media attention "advanced the conversation about cybersecurity threats to medical devices which is always a good thing."

For example, security researcher Billy Rios told Wired he found vulnerabilities in popular drug infusion pumps that would allow attackers to remotely alter the firmware on a drug pump, giving them the power to deliver a potentially deadly overdose without the pump issuing an alert.

A so-called man-in-the-middle attack can be especially dangerous to patient safety when someone remotely intercepts data exchanged between an insulin pump and a connected device. With a wireless connection, because "the mechanism of transfer is a radio wave signal, this signal cannot only be intercepted, but an attacker can send his or her own signal," explain Patricia Williams and Andrew J Woodward, of Australia's Edith Cowan University, in a July 2015 medical journal article. 

Each of these hypothetically-deadly hacks has been performed in a controlled environment, where there were few protections in place, unlike in a VA hospital, Sherrill said.

That said, the same vulnerabilities that would allow an attacker to control a specific pump can be used to branch out into the connected network, Thomas said.

VA expects to complete within the next year a “Medical Device Vulnerability Management Process” to more swiftly identify and fix, or replace, machines that exhibit a software bug, according to the March inspector general report.

Manufacturer Philips is one of the few medical device companies offering a bug bounty program for researchers who find vulnerabilities. The reward for notifying the company about a bug seems to be fame -- you will be given full credit on a press release explaining the patch – not necessarily fortune.