ZDNET reports on critical medical equipment, such as CT and MRI machines, being targets of cyber attacks:
Now, researchers from Ben-Gurion University in Beersheba, Israel, have issued a new report warning medical professionals that this issue is not being taken as seriously as it should — especially as vulnerable devices can place patient health, and potentially lives at risk.
The report (.PDF), published earlier this month, explores how Medical Imaging Devices (MIDs), such as Magnetic Resonance Imaging (MRI) or Computed Tomography (CT) systems are becoming increasingly vulnerable to cyberattacks.
These devices are commonly connected to hospital networks, and with this connectivity, an avenue is carved for cyberattackers to exploit vulnerabilities in outdated firmware.
Vulnerable MIDs may result in attacks which “target the devices’ infrastructure and components, which can disrupt digital patient records, and potentially jeopardize patients’ health,” according to the researchers.
The team believes that attacks on MIDs are going to increase as vulnerabilities are uncovered in more and more medical devices, and as we’ve already seen, attackers have no qualms when it comes to targeting hospitals.
Essentially, if a device is connected to the network, it is ripe for exploitation by tenacious attackers. The medical industry does not update firmware on its equipment as often as some other industries, and this could lead to potentially unpatched security vulnerabilities used as a vector for breaching hospital networks and more.
Fortunately, the FDA noted that neither it nor Hospira are currently aware of any patient adverse events or unauthorized access of one of these systems in a health care setting. Hospira posted a statement about “Infusion Device Cybersecurity” on its own website, which can be found here, in which it stated that “there are no known instances of cybersecurity breaches of Hospira devices in a clinical setting.” Hospira also remarked that in order to exploit the cybersecurity vulnerabilities, a hacker would also have to penetrate “several layers of network security enforced by the hospital information system, including secure firewalls.” In other words, the hospital also has responsibility for providing cybersecurity.
Both the FDA and ICS-CERT stated that the manufacturer has already retired the product, due to unrelated issues. Nonetheless, the FDA urged hospitals to transition to other infusion systems as soon as possible: “we strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps”. In addition, although the particular product is in limited use in North America, the FDA is wary of the secondary market for pre-owned medical devices. Accordingly, the FDA “strongly discourages the purchase of the Symbiq Infusion System” from resellers.
The hack would allow someone to remotely administer a fatal drug dose to patients.
Although the video demonstration, conducted at the Blackberry Security Summit in New York, doesn’t identify the model and brand of the pump being attack, security researcher Billy Rios says it’s the Lifecare PCA drug infusion pump made by Hospira, an Illinois-based firm with more than 400,000 intravenous drug pumps installed in hospitals around the world.
Rios knows this because the demonstration is using vulnerabilities he uncovered in several models of drug infusion pumps made by Hospira—the PCA, PCA3, PCA5, Symbiq, Plum A+, and the Plum A+3.
Last week, California’s State Assembly considered the bill, which had already been green-lit by the state senate, ultimately voting to approve it 46-30. This week, the senate approved the amendments that were added to the bill before passing it to the desk of Democratic Governor Jerry Brown, who signed the bill this morning.
“The science is clear that vaccines dramatically protect children against a number of infectious and dangerous diseases,” the governor wrote in a memo about his decision. “While it’s true that no medical intervention is without risk, the evidence shows that immunization powerfully benefits and protects the community.”
It’s essential to have a critical mass of people immunized if we want to achieve herd immunity, which protects those who can’t be vaccinated, like the 12 babies who contracted measles in California during an outbreak last year because they were too young to be vaccinated.
Failure to get vaccinated is a public health issue and puts the lives of every other person in danger. Sadly, America has far too many people who embrace non-science and the impact of such a belief system is going to hinder its future growth.
In March of this year, the Identity Theft Resource Center (ITRC) tagged healthcare as the source of 33-percent of all listed incidents nationwide, noting that nearly 100 million healthcare records were compromised in the U.S. alone in Q1 2015.
And yet, within a given healthcare environment, most devices can’t leverage traditional security solutions.
A hospital, for example, can’t install their local security suites or various offerings on these devices, as they’re managed by the manufacturer or contracted party. Because of this, TrapX says in their report, problem resolution was delayed in at least one case due to the fact that the hospital’s IT staff couldn’t access the equipment.
“It could take weeks to handle these security incidents because of both scheduling and access to the manufacturer’s resources. Once the malware was removed, we found the medical devices could be re-infected fairly quickly,” the report explains.
Attackers will always use crafty, inventive techniques to get inside a network. How well protected is your network from these unique vectors?
CareFirst BlueCross BlueShield was the victim of a cyberattack that compromised information on about 1.1 million current and former customers, the health insurer that covers residents of D.C., Maryland and Virginia announced Monday.
Several major health insurers have disclosed significant breaches this year, including Anthem, the nation’s second largest health insurers, which revealed that data on nearly 80 million customers was compromised.
The CareFirst attack occurred in June 2014, according to a Web site set up by the insurer. The company said its cyber-security team thought it had fended off the attack at the time, but a recent review discovered that the attackers had gained access to the usernames that customers created on its Web site as well as their real names, birth dates, e-mail addresses and subscriber identification numbers.
The company said it first learned that data on customers was accessed nearly a month ago, on April 21, during the course of a review of its systems by cybersecurity firm Mandiant. CareFirst said it did not disclose the discovery until now so it could complete its investigation of the incident.
The medical industry is increasingly becoming a major target for cyber attacks.