As the fallout continues from the ransomware attack that caused chaos in IT systems globally last Friday, experts warn it’s time to prioritise cyber security investment and plug well-known wormholes into medical devices.
The UK’s National Health Service was one of the worst-hit organisations in the random WannaCry malware hack, which caused thousands of computers to be locked down, surgeries to be cancelled, ambulances to be diverted and healthcare workers to revert to pen and paper.
With infosec experts struggling to get their systems back online and blame being apportioned to Microsoft’s outdated operating systems, including Windows 7 and Server 2008, and the failure of users to download patches, NHS Digital conceded in a statement that medical devices contributed to the large-scale disruption.
“This may be because some expensive hardware (such as MRI scanners) cannot be updated immediately, and in such instances organisations will take steps to mitigate any risk, such as by isolating the device from the main network.”
Medical devices have long been known for their vulnerability to cyber attack, with unsecured ambulance defibrillators, CT scanners, insulin pumps, pacemakers and hospital servers at risk of infiltration. Discovering vulnerable devices is as easy as looking on Shodan, a search engine of connected computers that lists over 36,000 connected healthcare devices in the US alone.
Cyber expert and founder of Beyond Binary, OJ Reeves, said the Internet of Things has brought about 1990s levels of security.
“We seem to have gone back to the mid-90s as the issues that we're seeing with IoT are very similar to those we experienced years ago when desktop computers lacked the protections they have now,” he said.
Reeves said healthcare’s security challenges, combined with systems jam-packed with sensitive patient information, make it a prime target.
“[WannaCry] is a horrible indication that the industry isn't prepared to handle such issues, and shows that even keeping their systems up to date with the latest patches is proving to be difficult for them,” he said.
“So we can easily see that such systems are already behind the times and are easier targets for the bad guys given that older systems have known bugs that can be exploited.”
To gauge how vulnerable medical devices are to attack, US security firm Protiviti devised a honeypot scheme in which 10 unsecured fake medical devices using the unsupported Windows XP were placed online. Hundreds of cyber crooks swarmed, according to a speaker at the Healthcare IT News Privacy & Security Forum in San Francisco last week.
Providing a rare glimpse of hackers in the wild, Protiviti’s director of privacy and security Adam Brand said over six months attackers swarmed, with 55,416 successful logins and 24 successful exploits. The hackers – mainly from the Netherlands, China and South Korea – also dropped 299 malware samples into the bogus gadgets. There were no signs the hackers, most of whom deployed bots, knew they were targeting medical devices.
"They just saw it as another thing they could control on the Internet and they could do what they wanted with it. They could make it participate in a denial-of-service attack, they could make it send spam, all these typical compromised venues," Brand said.
Solving the problem isn’t only a matter of patching, said Deakin University professor of cybersecurity Matthew Warren. Medical device developers share responsibility.
“Security is not considered when designing the system, security is an afterthought.”
University of Melbourne computing expert Dr Suelette Dreyfus, who suspects the number of Australian systems affected by WannaCry is likely to be higher than reported, said users of other operating systems can’t afford to be complacent.
“If you think you are immune from infections like computer viruses just because you run Linux or Macs, don't. You might not be affected by this outbreak but if you don't keep your systems up to date in these environments as well you run risks with security compromises,” Dreyfus said.
“If you think 'this doesn't really apply to me', then think about the people who don't get a flu vaccine every year but are in a risk category. It's a bad strategy.”
- with Mike Miliard, Tom Sullivan and Healthcare IT News