February 04, 2020 // Tony Howlett // Last Updated: November 19, 2020
With the number of high profile breaches and hacks on medical facilities and the increasing “cyberization” of healthcare in general, this question has been on many security professionals’ minds for the last few years: Are medical devices safe from hackers? In fact, the FDA recently informed healthcare providers, facilities, and patients about potential cybersecurity vulnerabilities for certain GE Healthcare Clinical Information Central Stations and Telemetry Servers.
We now have heart defibrillators that are network-enabled and personal insulin pumps talking to apps on our phones. In short, cyber threats to medical technology have never been greater. And, since people’s lives depend on this technology, securing medical devices should always be considered more vital than securing standard corporate systems. If a server or network goes down in the corporate world, workers or websites are offline and profits are lost. However, a successful attack on a medical device could be fatal to a human being, who is far more important than the machines we use to do our work.
So securing medical devices properly is of crucial importance. However, before this goal can be completely achieved, there are several challenges to overcome.
Many medical devices are considered IoT-type devices since they tend to have embedded or proprietary operating systems. Though these devices work well, their operating systems aren’t typically well understood by in-house IT departments and, sometimes, not even by the device manufacturers themselves. Along with that, protections (such as anti-virus and monitoring tools) often won’t run on them. Many times, access and authentication controls are minimal to non-existent. And to make matters worse, backdoors and manufacturer default passwords are still common.
To add to the issues, vendors are often behind on patching devices for known vulnerabilities. This is because of the need to avoid downtime, accessibility issues (see below), and the FDA’s tight control over approval of any changes to hardware covered under its regulations. This means that some providers must obtain FDA approval before updating their machines, which can greatly delay updates, sometimes by years.
In short, all of this adds up to most medical devices being trivial to hack once network access is gained.
Speaking of network access, many medical devices in hospitals and clinics are now connected to IP networks, both for interconnectivity with other hospital systems and third-party access for the vendors. Most of these networks are firewalled and segregated from public networks, but few are truly isolated or “air-gapped” from the internet. This means that if an attacker can gain access to internal hospital networks, they can often jump over the minimal defenses to access the devices directly.
And there’s little in the way of network defense or intrusion detection systems designed for these devices, either on the devices or network resident. So often network protections and segregations prove inadequate, exposing the devices to direct attack.
As mentioned earlier, medical devices must often be made internet accessible in order for the vendor to provide support or do maintenance remotely. And unfortunately, traditional remote access methods, such as VPNs or screen sharing, are either incompatible or lack significant security controls. Specific monitoring and auditing of such access are often minimal to none. Fortunately, new technologies such as Vendor Privileged Access Management (VPAM) can provide strong access controls and granular audit and monitoring capabilities. But even if vendor access controls are strong on one device, another vendor’s weak controls can allow a hacker to pivot and attack other devices on the network. Therefore, any vendor access solution should be integrated so all vendors are managed on a single platform to avoid any gaps in your medical device defenses.
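The two gaps described above, segmentation that is rarely enforced at the device segment and vendor remote access that is rarely audited, are both things a hospital security team can check from logs it already has. The following is an added example, not code from the original article or from any VPAM product: it runs two simple detections over constructed flow and session records. The zone names, IP addresses, ports, ticket numbers and maintenance window are all hypothetical. The first check flags any flow into the medical-device segment that is not on an explicit allowlist (the "jump over the minimal defenses" case); the second flags vendor sessions that lack a change ticket, fall outside the maintenance window, or touch a device that vendor is not assigned to (the cross-vendor pivot case).

```python
"""Segmentation and vendor-access audit over constructed log lines.

Added example for illustration only; the policy values below are
assumptions, not a real hospital's configuration.
"""
from datetime import datetime, time

# Hypothetical segmentation policy: the only traffic allowed INTO the
# medical-device segment, keyed by (source zone, destination port).
DEVICE_ZONE = "med-devices"
ALLOWED_INBOUND = {
    ("clinical-apps", 2575),  # HL7 over MLLP from the integration engine (assumed)
    ("clinical-apps", 104),   # DICOM from PACS (assumed)
    ("vendor-pam", 22),       # SSH only via the vendor PAM jump host (assumed)
    ("vendor-pam", 3389),     # RDP only via the vendor PAM jump host (assumed)
}

# Constructed flow log: timestamp followed by key=value fields.
FLOW_LOG = """\
2020-11-19T09:01:12 src=10.10.20.5 szone=clinical-apps dst=10.50.1.7 dzone=med-devices dport=2575 proto=tcp
2020-11-19T09:02:45 src=10.10.30.9 szone=corp-users dst=10.50.1.7 dzone=med-devices dport=445 proto=tcp
2020-11-19T09:03:10 src=10.10.90.2 szone=vendor-pam dst=10.50.1.9 dzone=med-devices dport=22 proto=tcp
2020-11-19T09:04:33 src=203.0.113.8 szone=internet dst=10.50.1.9 dzone=med-devices dport=22 proto=tcp
2020-11-19T09:05:01 src=10.10.20.5 szone=clinical-apps dst=10.50.1.12 dzone=med-devices dport=23 proto=tcp
"""

# Hypothetical vendor assignments and maintenance window used by the session check.
VENDOR_SCOPE = {"vendor-a": {"10.50.1.9"}, "vendor-b": {"10.50.1.12"}}
MAINT_WINDOW = (time(8, 0), time(18, 0))

# Constructed vendor session log as a PAM platform might emit it.
SESSION_LOG = """\
2020-11-19T09:03:10 vendor=vendor-a user=alice target=10.50.1.9 ticket=CHG-1042 action=start
2020-11-19T09:40:00 vendor=vendor-a user=alice target=10.50.1.12 ticket=CHG-1042 action=start
2020-11-19T22:15:30 vendor=vendor-b user=bob target=10.50.1.12 ticket= action=start
"""


def _parse_kv(line: str):
    """Split '<iso-timestamp> k=v k=v ...' into (datetime, {k: v})."""
    ts, *pairs = line.split()
    return datetime.fromisoformat(ts), dict(p.split("=", 1) for p in pairs)


def segmentation_violations(log: str) -> list:
    """Return flows into the device segment that the allowlist does not permit."""
    hits = []
    for line in log.splitlines():
        ts, f = _parse_kv(line)
        if f["dzone"] != DEVICE_ZONE:
            continue  # only inbound traffic to the device segment is judged here
        if (f["szone"], int(f["dport"])) not in ALLOWED_INBOUND:
            hits.append({"ts": ts, "src": f["src"], "szone": f["szone"],
                         "dst": f["dst"], "dport": int(f["dport"])})
    return hits


def session_findings(log: str) -> list:
    """Return (timestamp, vendor, reason) for each vendor session that breaks policy."""
    findings = []
    for line in log.splitlines():
        ts, s = _parse_kv(line)
        if s["action"] != "start":
            continue
        if not s["ticket"]:
            findings.append((ts, s["vendor"], "no change ticket"))
        if not (MAINT_WINDOW[0] <= ts.time() <= MAINT_WINDOW[1]):
            findings.append((ts, s["vendor"], "outside maintenance window"))
        if s["target"] not in VENDOR_SCOPE.get(s["vendor"], set()):
            # One vendor's credentials reaching another vendor's device is the
            # pivot path the article warns about.
            findings.append((ts, s["vendor"], "target outside vendor scope"))
    return findings


if __name__ == "__main__":
    for v in segmentation_violations(FLOW_LOG):
        print(f"SEGMENTATION {v['ts']} {v['szone']}:{v['src']} -> {v['dst']}:{v['dport']}")
    for ts, vendor, reason in session_findings(SESSION_LOG):
        print(f"VENDOR-ACCESS {ts} {vendor}: {reason}")
```

On the constructed input the first check reports three flows (SMB from the user LAN, SSH straight from the internet, and Telnet to a device even from the trusted clinical zone, since only the listed ports are allowed), and the second reports one out-of-scope session for vendor-a and two findings for vendor-b's ticketless, after-hours session. The allowlist is deliberately positive (what may enter) rather than a blocklist, which is the design that actually catches traffic nobody anticipated.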
So the answer to the title question (are medical devices safe from hackers?) is, right now, “not very”. We have so far been lucky that no major threat actor has targeted them, since they are content for now to target general-purpose desktops and servers with their ransomware and malware attacks. However, eventually, hackers and bad actors will turn their attention to these “weakest links” if stronger controls are not put in place both by the manufacturers and by the end-user institutions. And then we will have a real medical device security crisis on our hands.