They entered the hospital and moved from floor to floor, dropping malware-laced USB thumb drives where staffers might tend to pick them up.
Before they entered the facility, the security researchers at Independent Security Evaluators had disguised the drives, labeling them with the hospital’s logo.
Within 24 hours the infection had spread: hospital employees plugged the booby-trapped drives into nursing-station machines, which obediently called home to the researchers' server to request the malware.
In this case, the infection was benign: an emulation of malware that can download and install itself off a USB stick, take control of the targeted system, and grant control to a remote adversary.
Had it been a real attack, the attacker could have used that network foothold to go after critical medicine-dispensary equipment, potentially leading to a patient being given the wrong medicine.
The dangers of people plugging in rigged USB sticks are nothing new. But this was only one of a dizzying array of attacks the team launched in a two-year project aimed at dissecting hospital security.
The researchers have documented their findings in a paper titled Securing Hospitals.
The team, led by healthcare head Geoff Gentry, examined 12 healthcare facilities, two healthcare data centers, a pair of live medical devices, and a couple of web apps open to remote attacks.
Safety was paramount, the team stressed: All of the attacks were carried out with the permission and supervision of authorized hospital personnel, performed on non-critical systems or on decommissioned or non-connected medical devices.
Also, in most cases, every step up to the final one, the actual manipulation of a medical device, medicine dispensary, or health record, was performed online; that final step was carried out offline to ensure no accidental injury or harm to a patient.
One of the attacks, against a medical device, started with targeting an externally facing web server at one of the hospitals.
By exploiting server vulnerabilities, the researchers gained control of the web server, thereby getting a foothold into the internal network, from which they ran scans until they found vulnerable patient monitors.
Using an authentication bypass attack, they forced the monitor to emit false alarms, had it display the wrong vital signs, and disabled the monitor’s alarm altogether: tampering that could potentially lead to a patient’s death or serious injury.
The same methods could be deployed against all medical devices, the team said in the paper:
This attack would have been possible against all medical devices … likely preventing assistance and resulting in the death or serious injury [to] patients.
The attack scenario is harrowing: diligently executed, it could put many human lives at stake, and extrapolating the problem to other hospitals is even more worrisome.
As far as the team knows, to date, there’s been no comprehensive attack model that shows how patients are most likely to be targeted in a cyber attack.
If you flip to page 28 of their report, you’ll see the model the researchers came up with after two years of attacks.
The so-called Patient Health Attack Model visualizes the primary attack surfaces as those that directly affect a patient’s health. For example, active medical devices that can be hacked to deliver a lethal dose of medicine, such as an insulin pump, or a heart defibrillator that could be modified or disabled so it can’t deliver electrical current to save a patient in distress.
There are far more primary attack surfaces, as Independent Security Evaluators enumerated, including:
- Medical records. Removing somebody’s allergy to penicillin, for example, could injure them if a doctor administers the antibiotic.
- Work orders. For example, altering an instruction to deliver morphine to Patient A instead of Patient B could have catastrophic consequences.
- Medicine. Hospitals are vulnerable to malicious actors losing or destroying medicine, altering inventory so a healthcare worker administers the wrong medication, or sending the wrong medicine to the wrong patient.
- Surgery. Orders are vulnerable to being altered, which could result, for example, in the wrong leg being amputated or organs being removed from the wrong patient. Surgery schedules can be altered. Medical records can be changed so that the wrong blood type is transfused into a patient, X-rays are switched, or an anesthesiologist gets the wrong weight, height or age for a patient.
- Blood, organs and other biological material. Attack surfaces include the climate control systems necessary for storage of these crucial materials.
The list goes on: an attack could disable lighting in the surgery room. Or an attacker might set off a fire alarm or sprinklers, disrupting the calm, controlled environment necessary for optimal surgical precision. Clinicians could be misinformed by compromised monitoring devices or distracted by false alarms triggered in the building.
With regard to electronic health records (EHR), one platform proved vulnerable to a variety of cross-site scripting (XSS) attacks: a class of flaw so well known, and so common, that it sits on the OWASP Top 10 list of web application vulnerabilities.
The readily exploitable XSS attacks the team identified allowed for the modification of administrator settings, the addition of users, and the direct manipulation of patient records.
They also found it possible to deliver a payload that, when executed in the browser of a non-privileged nurse or physician account, would escalate that account's privileges to those of an administrator.
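The sink behind that kind of finding is usually mundane: user-controlled text (a patient note, a comment, a display name) written into the page unescaped, so that whatever it contains runs in the viewing clinician's session and can call privileged endpoints with that user's cookies. The following is an added example, not code from the ISE paper or from any EHR product: a hypothetical note viewer with the vulnerable rendering beside a hardened one, plus a small check you can run over rendered output. The endpoint path, field names and payload are assumptions made for illustration; the paper does not publish its payload.

```javascript
// Added example (hypothetical EHR note viewer); not the paper's or any vendor's code.

// Constructed sample: attacker-controlled note text saved into a patient record.
// Rendered unescaped, the browser runs the onerror handler in the viewing user's
// session, which here calls an *assumed* admin endpoint with that user's cookies.
const MALICIOUS_NOTE =
  '<img src=x onerror="fetch(\'/api/admin/users\',{method:\'POST\',' +
  'credentials:\'include\',body:JSON.stringify({user:\'mallory\',role:\'admin\'})})">';

// Vulnerable: untrusted strings interpolated straight into HTML markup.
function renderNoteVulnerable(patientName, note) {
  return `<div class="note"><b>${patientName}</b>: ${note}</div>`;
}

// Escape the five characters that can break out of an HTML text context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every untrusted value is escaped for the HTML text context it lands in.
function renderNoteSafe(patientName, note) {
  return `<div class="note"><b>${escapeHtml(patientName)}</b>: ${escapeHtml(note)}</div>`;
}

// Output check: the template only ever emits <div>, <b> and their closers.
// Any other tag, or any on*= event-handler attribute, means injected markup.
const ALLOWED_TAGS = new Set(['div', '/div', 'b', '/b']);
function findInjectedMarkup(html) {
  const findings = [];
  const tagRe = /<(\/?[a-z][\w-]*)([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    const attrs = m[2];
    if (!ALLOWED_TAGS.has(name)) findings.push(`unexpected tag <${name}>`);
    if (/\son[a-z]+\s*=/i.test(attrs)) findings.push(`event handler on <${name}>`);
  }
  return findings;
}

// Stand-alone demonstration (Node, CommonJS).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', findInjectedMarkup(renderNoteVulnerable('Alice', MALICIOUS_NOTE)));
  console.log('safe:      ', findInjectedMarkup(renderNoteSafe('Alice', MALICIOUS_NOTE)));
}
```

Escaping is context-specific: this encoder is correct for HTML text and attribute-value contexts, but a value placed inside a URL, a script block, or an inline event handler needs its own encoder. A Content-Security-Policy that disallows inline script blunts the onerror trick, and the server should verify that the session making a role-change request actually holds the administrator role rather than trusting the client; the privilege escalation the paper describes only works where that server-side check is missing.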
The researchers called lack of funding arguably the most detrimental issue with hospital security. It’s not that the money’s not there; it’s that cyber security isn’t taken seriously enough, they said:
The issues aren’t so much that hospitals do not have the funds, but that they are directed in a way that security is not a priority. This needs to change in order to protect patient health.
Other issues include wasting funds on low-priority security items; security understaffing and lack of training; lack of defined, implemented, and/or auditable policy; and reliance on legacy systems, among many, many other areas of concern.
From the paper:
The findings show an industry in turmoil: lack of executive support; insufficient talent; improper implementations of technology; outdated understanding of adversaries; lack of leadership, and a misguided reliance upon compliance.
[It] illustrates our greatest fear: patient health remains extremely vulnerable.
One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective.
Researcher Ted Harrington summed it up for The Register:
We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness, and many more.
These vulnerabilities are a result of systemic business failures.
The paper includes advice on remediating the vulnerabilities the team uncovered.