Lock the backdoor: connected medical devices creating cybersecurity risks.
Security experts billed 2015 as the ‘year of the healthcare hack’, with increasing numbers of medical and pharmaceutical systems being attacked by cyber criminals targeting valuable personal data. While cybersecurity is commonly associated with software attacks, the healthcare sector is finding that the hardware it’s employing to improve patient care is creating backdoors for the criminal element. Neil Oliver, technical marketing manager of Accutronics, takes a look at the vital role hardware encryption plays in the battle to secure medical devices.
A 2014 report by Bitsight, entitled ‘Will healthcare be the next retail?’, found that healthcare and pharmaceutical companies have the worst cybersecurity record among the Standard & Poor’s 500 and are at risk of high scale breaches such as those seen at Target and Neiman Marcus Technologies. Cybercrime poses a massive threat to these sectors where there is such a large volume of personal and privileged information. In pharmaceuticals alone, intellectual property theft is supporting a growing counterfeit pharmaceutical market and stolen information can allow people to purchase drugs for resale that can normally only be bought by licensed physicians.
Cyber criminals tend to fall into three core groups: those who are in it to make money, either by selling data or by blackmailing companies for its return; those in it for the fame; and those in it for political reasons, the so-called hacktivists who are protesting for a cause. Whatever the motivations, the cost of cybercrime is growing.
Weighing the cost
A report by OCISIA, in collaboration with BAE Systems Detica, indicates that cybercrime is costing the UK economy around £27bn annually. The report found that the pharmaceutical and biotech sectors are being hardest hit, with £9.2bn being lost through intellectual property theft, £7.6bn to industrial espionage and £2.2bn lost due to extortion. These figures don’t take into account the costs associated with the loss of intellectual property, such as counterfeit drugs, the legal ramifications of resulting customer lawsuits, or the loss of productivity caused by crimeware infections and subsequent downtime.
Across the medical sector the amount of digitally stored data is growing year-on-year, and while pharmaceutical companies, healthcare facilities and original equipment manufacturers (OEMs) have to constantly work at keeping hackers out, a hacker only has to be successful once to cause serious damage. For instance, at the end of 2014, the number two US health insurer, Anthem Inc, disclosed a massive breach of its database containing nearly 80 million records.
It’s hard enough keeping the criminal element out of any system, but when digital medical equipment is added into the mix you’re adding another layer of vulnerability.
Leaving the back door open
Medical equipment has taken an evolutionary leap in recent years to take advantage of the developments of the digital age. Devices are no longer chained to hospital beds; they can move around a facility, follow a patient home, or even be implanted in a person. Developing equipment to include computer chips, software, wireless technology, and Internet connectivity creates a portal for those wishing to cause trouble.
With the rise of the Internet of Things (IoT) and like any computer network, medical devices are ‘connected’, and not just to the Internet. They are often connected right into a healthcare provider’s network, establishing a pathway to data that seems otherwise protected.
At the tail end of 2014 the US Department of Homeland Security launched an investigation into numerous cases of suspected cybersecurity flaws in medical devices and hospital equipment that officials feared could be exploited by hackers. Equipment under review included things like infusion pumps and implantable heart devices, the kinds of devices that leave patients at risk of harm if compromised.
Medical devices are a stepping stone to access healthcare networks, and a recent report by TrapX revealed three stand-out cases where hospitals were hit by data breaches after medical equipment was infected with malware backdoors, with the malware subsequently moving laterally to infect other areas of the network. TrapX found ransomware, as well as programmes like Zeus, Citadel and Conficker, on devices that the hospitals had no idea were present.
Further underlining how much of a target healthcare has become, 2015’s hacker conference DerbyCon flagged up the severity of the situation. It was revealed that there had been 68,000 attempts at hacking critical medical devices, such as MRI scanners, over a six-month period. Fortunately, in this instance the devices were fake: “honeypots” set up to lure in malicious hackers. This goes to show the importance of addressing cyber security flaws, particularly in devices that leave patients at risk of harm if compromised.
Time to improve
In the fight to close the backdoor, every measure must be taken to secure the hardware itself. The US Food and Drug Administration (FDA) pushed for improved cyber security when it issued guidelines aimed at helping medical device manufacturers manage cyber security risks as well as “maintain medical device functionality and safety”.
Research by the FDA has also shown that, “as patients move to the use of home health care services for recuperation or long-term care, the medical devices necessary for their care have followed them. In 2004, the National Association for Home Care & Hospice reported that more than 7 million people in the United States receive home health care annually.”
However, the medical devices designed for use in hospitals by trained professionals were never intended for use by patients in the home. As a result, many patients, especially those who do not have the regular assistance of a dedicated home healthcare professional, struggle to operate, understand, maintain and troubleshoot devices. This has spurred third-party manufacturers to cater for patients looking to fill the void with pseudo-medical devices that feature familiar ergonomics and heuristics.
To support these goals and ensure cybersecurity, even the battery technology used in such equipment needs to be taken into consideration.
A lack of hardware-based encryption is causing widespread concern about medical equipment and about the reliability of batteries used in such equipment. Portable medical devices have to be designed to operate without mains electricity/AC power, and so the use of reliable and safe backup-power management systems is a necessity. Devices such as acute ventilators, portable anaesthesia workstations and digital radiography panels all need continuous and safe power to protect patient health.
Battery counterfeiting is a problem faced by the medical industry on a scale never before witnessed in the sector. The ready availability of grey market, untested copycat batteries, possibly using inferior components, means that many life-critical devices used in our hospitals and medical establishments may be unreliable or unsafe to use.
Accutronics has worked hard to tackle this problem, developing a new CMX series of smart batteries and chargers. The new range incorporates some innovative features, including SHA-1 hardware encryption.
SHA-1, which stands for secure hash algorithm, is a cryptographic hash function designed by the United States National Security Agency (NSA). The algorithm is flashed onto the smart battery’s fuel gauge before being sealed in during production. At the same time a software update is made on the host medical device. Upon insertion, the battery is challenged to complete a calculation within 100ms; if the result matches the one performed by the host device, the battery is genuine, otherwise it is fake and can be rejected for non-life-critical applications.
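The exchange described above is a challenge-response check: the host sends a fresh random challenge, the gauge answers with a SHA-1 result that depends on a secret sealed in at production, and the host recomputes the same value and compares. The following is an added example written for this article, not Accutronics’ CMX firmware or protocol. The page does not say how the secret enters the hash, so the HMAC-SHA1 construction, the 20-byte challenge and the key value are assumptions; the 100ms deadline and the accept/reject policy for life-critical versus non-life-critical devices come from the text.

```python
"""Simulated host/battery challenge-response, modelled on the article's description.

Assumptions (not from the page): the secret is mixed in as HMAC-SHA1, the challenge
is 20 random bytes, and the key below is a constructed placeholder.
"""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Secret sealed into a genuine fuel gauge at production and mirrored into the host by
# its software update. Constructed placeholder value, not a real key.
GENUINE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CHALLENGE_LEN = 20            # assumption: 20 random bytes per challenge
RESPONSE_DEADLINE_S = 0.100   # the 100 ms window quoted in the article


def compute_response(key: bytes, challenge: bytes) -> bytes:
    """Keyed SHA-1 over the challenge; run by the gauge and, independently, by the host."""
    return hmac.new(key, challenge, hashlib.sha1).digest()


class Battery:
    """Simulated pack. key=None models a counterfeit that never received the secret."""

    def __init__(self, key: Optional[bytes], delay_s: float = 0.0):
        self._key = key
        self._delay_s = delay_s  # lets the example show a pack that misses the deadline

    def respond(self, challenge: bytes) -> bytes:
        time.sleep(self._delay_s)
        if self._key is None:
            # Without the sealed secret a copycat pack can only guess the 20-byte answer.
            return os.urandom(hashlib.sha1().digest_size)
        return compute_response(self._key, challenge)


def host_challenge() -> bytes:
    """Fresh random nonce per insertion, so a recorded response is useless next time."""
    return os.urandom(CHALLENGE_LEN)


def host_verify(challenge: bytes, response: bytes, elapsed_s: float,
                key: bytes = GENUINE_KEY,
                deadline_s: float = RESPONSE_DEADLINE_S) -> Tuple[bool, str]:
    """Host side: enforce the deadline, recompute the answer and compare in constant time."""
    if elapsed_s > deadline_s:
        return False, "timeout"
    expected = compute_response(key, challenge)
    if not hmac.compare_digest(expected, response):
        return False, "bad response"
    return True, "genuine"


def authenticate(battery: Battery, key: bytes = GENUINE_KEY) -> Tuple[bool, str]:
    """Drive one full insertion check against a pack."""
    challenge = host_challenge()
    start = time.monotonic()
    response = battery.respond(challenge)
    elapsed = time.monotonic() - start
    return host_verify(challenge, response, elapsed, key)


def decide(ok: bool, life_critical: bool) -> str:
    """Policy from the article: a failed check rejects the pack in a non-life-critical
    device; a life-critical device keeps running on it but flags the failure."""
    if ok:
        return "accept"
    return "accept_with_warning" if life_critical else "reject"


if __name__ == "__main__":
    packs = [("genuine", Battery(GENUINE_KEY)),
             ("counterfeit, no key", Battery(None)),
             ("wrong key", Battery(b"\x00" * 16)),
             ("genuine but slow", Battery(GENUINE_KEY, delay_s=0.15))]
    for name, pack in packs:
        ok, why = authenticate(pack)
        print(f"{name:20s} -> {why:13s} ventilator: {decide(ok, True):20s} "
              f"monitor: {decide(ok, False)}")
```

Two details matter for a defender reading this. The challenge is random on every insertion, so a response recorded from a genuine pack does not verify against the next challenge, and the comparison is constant-time so the host does not leak how many bytes of a guess were right. Because the check is a keyed hash over a fresh nonce rather than a signature over attacker-chosen data, the published collision attacks on SHA-1 are not the relevant risk here; what the scheme rests on is the secret staying inside the sealed gauge.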
Locking the door
It’s time to lock the gate behind us and shut cyber criminals out of medical devices by building cybersecurity and encryption into the equipment. Doing this means thinking of every part of the machine, even something as seemingly insignificant as the battery. Building encryption into the hardware itself will provide the first line of defence against those who would use medical devices to cause trouble, reducing the threat to life and reducing the potentially massive costs of leaving the backdoor unguarded.