Medical Device Hacking - How Worried Should We Be?
Cyber attacks, data breaches and ransomware attacks have become increasingly common. Notable incidents include the 2021 attack on Ireland's Health Service Executive, which disrupted healthcare services across the country; the December 2022 ransomware attack on the Hospital for Sick Kids in Toronto, Canada; and the February 2024 Change Healthcare cyberattack, which disrupted prescription orders across America.
The critical nature of healthcare services means that hospitals are more likely to pay ransoms to restore their systems and avoid disruption in patient care, making them lucrative targets for attack. Compounding this, many hospitals operate with outdated software and insufficient cybersecurity measures, and this at a time of increased reliance on digital systems for patient records, diagnostic tools, and administrative functions. COVID-19 exacerbated the issue, as hospitals became even more dependent on digital infrastructure to manage the surge in patients and vaccine distribution, creating more vulnerabilities for cybercriminals to exploit.
The idea of threat actors accessing patient data via the dark web is bad enough, but imagine internet basement-dwellers accessing your elderly relative’s pacemaker as a means of extracting a ransom. That is a truly dystopian nightmare, but is it a legitimate concern?
Operational Technology Vulnerabilities in Hospitals
The tech that controls medical devices such as pacemakers is part of a grouping known as Operational Technology (OT): the hardware and software that monitors and controls industrial equipment and processes. OT is everywhere in our modern environment, from pacemakers and hospital IV pumps to the control network for the national grid. Legacy devices and systems, together with the increasingly interconnected nature of the way we work, create OT vulnerabilities, particularly in hospital settings.
Earlier this year, an American radiology company was found to be liable for failure to remediate a vulnerability on OT hardware that was ‘end-of-life’, in this case, an infusion pump that had not been patched. The company had been unable to install a firmware patch and a planned upgrade project (which would have allowed patching) had been delayed due to resource constraints. The company could not fix the problem and the hospital did not possess the necessary contract levers with the company to compel them to.
Exploiting the vulnerability, a threat actor gained access to the hospital VPN and went on to access more than 100 additional credentials through SQL injection. These were then used to exfiltrate data from almost 200,000 patients, including names, dates of birth, health insurance identification and even driver’s license and social security numbers. The hospital blamed the radiology company and a US Court found them liable.
Potential For Medical Device Hacking
Medical device manufacturers typically do not upgrade their software. Older devices retain pre-shared keys. In a typical large hospital setting there may be hundreds or even thousands of pieces of medical equipment, many of them portable and not regularly or automatically patched. Even when devices are subject to periodic testing and calibration, patching their software is not always routine, and once certified, OT medical devices like infusion pumps are not required to be updated. Some medical systems are still running on Windows 7 and have not been patchable since 2013.
Even with recent improvements in government legislation and health care attentiveness to cyber security, end-of-life or unpatched medical devices may exist, creating a cyber vulnerability that is not known and not tracked on any risk register.
The enterprise technology landscape in health care is highly complex, creating blind spots. Reliance on multiple providers with shared responsibility (internet service providers (ISPs), cloud providers, software-as-a-service (SaaS) providers, OT device providers) can mean that there are areas of the landscape with limited visibility and control. Today’s operations, medical and IT professionals must contend with this massive, complicated patchwork of technology and stakeholders while trying to meet the rapidly changing expectations of patients and staff. At the same time, they must embrace increasingly complex architectures while remaining adaptable, resilient, and agile.
So What Should Hospitals Do to Appropriately Identify and Mitigate These Types of Threats?
New legislation is helpful. In America, FDA certification for medical devices after 2023 includes liability for software within the device where there is no automatic patching. Cyber security certification (ISO 27001, Cyber Essentials Plus) can also assist in surfacing some of the previously unknown OT risks in medical settings, so that risks can be quantified, mitigated and governed appropriately.
From a governance perspective, it is necessary for the risk committee and board to ask what the processes and procedures are for equipment maintenance, security patching, end-of-life retirement and disposal and what contractual agreements are in place where equipment is leased. At times of regular equipment testing and calibration we should also seek to upgrade, patch and reset software, so that OT vulnerabilities don’t ‘sneak in’. The challenge is being able to manage all technology from ‘cradle to grave’ across operations, IT and governance.
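As an added example (not code from the article, and not any hospital's or vendor's tooling), the check below reconciles a constructed device inventory against a constructed risk register and flags the conditions the two passages above describe: devices on an unsupported platform, devices with no or stale patch records, devices that were calibrated without being patched at the same time, and devices that are not tracked on the register at all. The platform list, the 180-day staleness threshold, the severity ratings and every device record are assumptions made for the example.

```python
"""Reconcile a medical-device inventory against a risk register.

Added example, not code from the article or from any hospital or vendor.
It flags devices that run an unsupported platform, have no recent patch
record, were calibrated without being patched, or are missing from the
risk register. All inventory and register data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumption: platforms this organisation treats as end-of-life.
UNSUPPORTED_PLATFORMS = {"Windows 7", "Windows XP"}
# Assumption: a patch record older than this is treated as stale.
MAX_PATCH_AGE = timedelta(days=180)
# Constructed "as of" date for the sample run.
TODAY = date(2024, 6, 1)


@dataclass
class Device:
    asset_tag: str
    kind: str
    platform: str
    last_patched: Optional[date]      # None means no patch record exists
    last_calibrated: Optional[date]
    network_connected: bool


@dataclass
class Finding:
    asset_tag: str
    issue: str
    severity: str


def assess(devices: List[Device], risk_register: Set[str], today: date) -> List[Finding]:
    """Return one Finding per problem observed on each device."""
    findings: List[Finding] = []
    for d in devices:
        if d.platform in UNSUPPORTED_PLATFORMS:
            # A network-reachable end-of-life platform is rated above an isolated one.
            sev = "high" if d.network_connected else "medium"
            findings.append(Finding(d.asset_tag, f"unsupported platform: {d.platform}", sev))
        if d.last_patched is None:
            findings.append(Finding(d.asset_tag, "no patch record", "high"))
        elif today - d.last_patched > MAX_PATCH_AGE:
            findings.append(Finding(
                d.asset_tag,
                f"last patched {d.last_patched.isoformat()}, older than {MAX_PATCH_AGE.days} days",
                "medium"))
        if d.last_calibrated and d.last_patched and d.last_calibrated > d.last_patched:
            # Maintenance happened, but patching was not bundled with it.
            findings.append(Finding(d.asset_tag, "calibrated after last patch", "low"))
        if d.asset_tag not in risk_register:
            findings.append(Finding(d.asset_tag, "not on risk register", "high"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity so the risk committee sees numbers, not a raw list."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory: four devices, three of them on the register.
SAMPLE_DEVICES = [
    Device("IP-0001", "infusion pump", "Windows 7", date(2019, 6, 1), date(2024, 3, 1), True),
    Device("MON-0042", "patient monitor", "embedded Linux", date(2024, 4, 15), date(2024, 2, 1), True),
    Device("US-0007", "ultrasound cart", "Windows 10", None, date(2023, 12, 1), False),
    Device("IP-0002", "infusion pump", "embedded RTOS", date(2024, 5, 20), date(2024, 5, 20), True),
]
SAMPLE_REGISTER = {"IP-0001", "US-0007", "IP-0002"}


def run_sample() -> List[Finding]:
    """Assess the constructed inventory as of the constructed date."""
    return assess(SAMPLE_DEVICES, SAMPLE_REGISTER, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:6} {f.asset_tag:9} {f.issue}")
    print(summarise(run_sample()))
```

In practice the inventory would come from the biomedical engineering asset system and the register from the governance tool; the value of the reconciliation is the devices that appear in one but not the other, which is exactly the class of risk the text describes as not known and not tracked.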
While hospitals may be segmented, the segmentation is more likely to follow functional or organisational silos, where the OT devices team sits in a different team from IT. The operations and IT teams need to work cohesively, to invest in improved cybersecurity measures, such as better encryption, regular system updates and staff training, and to collaborate across hospitals, cybersecurity firms and government agencies to share information and resources to better combat threats.
The combined teams need to ensure that policies and procedures are in place to manage technology ‘end-to-end’, including ensuring that end-of-life devices are appropriately wiped of data at the time of decommissioning. A medical device acquired second hand may retain previously shared keys, and triangulating the device keys back to the originating institution is easy when asset stickers remain in place.
In a previous article I wrote for Cyber Security Tribe, I talked about changing culture and behaviour in cyber security and the idea of ‘nudging’ people to do the right thing. The idea was that if people understand the risks, they will be willing to take measures to mitigate those risks. Understanding and quantifying the risks associated with an ever more interconnected and complex OT and IT landscape is a step on the journey to medical device hacking prevention.
Governments have also started to take more proactive steps. For instance, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued multiple warnings and guidance documents specifically aimed at protecting healthcare institutions.
While the horrifying idea of a hacker taking control of a pacemaker or IV pump might be realistically possible, when we understand some of the particular vectors of attack and close those loopholes, in OT and IT, we might be able to sleep slightly better at night.