SHIoT HAPPENS: CT Scanner Patient Zero for WannaCry?

The convergence of technology and healthcare is amazing, but it also exposes us to a new kind of risk. Connected medical devices streamline patient care, enhances the capabilities of medical professionals, and—in some cases—it even saves lives. Devices like pacemakers and insulin pumps allow people with serious medical conditions to go about their daily lives. Unfortunately, these connected medical devices are easy to hack and could pose a significant risk to medical facilities and patients. This shifts the concern from hackers simply trying to extract healthcare records and patient data to gaining control over medical devices that threaten the safety of the patient.

Are Your Clinicians and Medical Devices Prepared for Cyberthreats? Find out!

• Read our IoT Security for Healthcare whitepaper to find out.

Any device connected to a network is vulnerable to attack. Even if a device isn’t connected to the public Internet or part of an internal network, an innovative attacker can find a way to hack it. Although some scenarios seem like something from a Mission Impossible movie, it is dangerous to dismiss the risks to connected medical devices.

The CT Scanner is ‘Patient Zero’ for Ransomware

When the WannaCry ransomware attack hit, it infected and spread through a wide variety of connected devices—including healthcare equipment. In January of this year, researchers from Israel’s Ben Gurion University published details on how a CT scanner could be hacked and allow an attacker to increase the radiation dosage. The results of such an attack could severely injure—or possibly kill—a patient.

Unfortunately, these attacks are not theoretical. Also in January 2018, Cyberscoop reported an Indiana hospital had to shut down systems after a ransomware attack. Forbes also reported on an infected Bayer Medrad device in a U.S. hospital. For security reasons, specific details were withheld, but it was reported to be radiology equipment designed to help improve imaging.

Risk of Connected Medical Devices

There are three fundamental issues with connected medical devices that put them at increased risk for attack: they lack basic security controls, they often rely on new and unmanaged network protocols, and they frequently use vulnerable operating systems.

Unmanaged and IoT devices, in general, are inherently insecure. They are designed for simple connectivity and efficient communication, so security is often an afterthought. In fact, many connected medical devices are built on outdated, unsupported operating systems like Windows 2000 and Windows XP. Others simply do not provide any means of installing an agent or other security controls.

Many unmanaged or IoT devices are designed to communicate wirelessly using weak or emerging wireless technologies like Wi-Fi and Bluetooth, and connected medical devices are no different. These wireless protocols are often outside of the scope of traditional device and network security management tools, which leaves them exposed and unmonitored.

Things have improved some, but a 2014 report from Wired found that healthcare technology is insanely easy to hack. In one study spanning two years, researchers found

• Drug infusion pumps that deliver morphine drips, chemotherapy, and antibiotics can be manipulated remotely to change dosages doled out to patients
• Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or to prevent a medically needed shock from occurring
• X-rays that can be accessed by outsiders lurking on a hospital’s network
• Temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage
• Digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.

Securing and Protecting Connected Medical Devices

The issue of IoT security is getting more attention, and the vendors that manufacture connected devices have made improvements to help make them more secure. When it comes to connected medical devices, the FDA has also weighed in—issuing guidance on cybersecurity for medical devices.

The progress is promising, but it is not enough and it will take years—possibly decades—before legacy medical devices are phased out by attrition. Traditional security tools and practices are not equipped to protect devices in an IoT world, so organizations need to adopt a different approach to secure and protect connected medical devices.

The bottom line – The risk is real and rapidly growing for connected medical devices. As more of these devices become Internet-connected, the risk that they can be hacked by outside parties and could cause potential harm to patients increases. Effective protection requires comprehensive visibility, and the capability to effectively and accurately inventory, assess, and monitor all devices on the network—especially legacy and unmanaged devices that simultaneously pose the greatest risk and offer the least security.

For more information, download the IoT Security for Healthcare White Paper that discusses these issues in more depth.