Computerworld | Darlene Storm
When it comes to security, one of the scariest things out there sounds like
science fiction and pertains to hacking implantable medical devices. Pacemakers
and insulin pumps do help save lives, but they are vulnerable to lethal
attacks; there are continued warnings that exploiting these medical devices
will eventually cost someone their life. Here’s a slightly different take on
the scenario: you’ve heard of drive-by downloads that can infect a machine with
malware without the user agreeing to the automatic download, but how about
serving up malware in software updates for medical devices such as ventilators?
The global medical technology corporation CareFusion specializes in “reducing
medication errors and helping prevent health care-associated infections.” It
makes IV pumps, ventilators, respiratory products, automated medicine
dispensing and patient identification systems, and offers infection
surveillance services and more. The company website states, “At CareFusion, we
are united in our vision to improve the safety and lower the cost of healthcare
for generations to come.” Granted, IT staff are always overworked and
understaffed, but it seems less like “care” and more like negligence to run its
website on six-year-old versions of Windows software.
Viasyshealthcare.com belongs to CareFusion, so imagine going there to
update a lifesaving piece of medical equipment like a respirator, specifically
the "AVEA Ventilator software update." Instead, you discover the healthcare
site is sick with malware and serving up infections in medical software
updates. This was so frustrating to the Medical Device Security Center that
University of Massachusetts Amherst professor Kevin Fu wrote, “Health care
professionals might as well stop washing their hands while they're at it.” He
added, “The risks should be obvious. This is an update for a medical device,
and yet one must download it in a manner as if software sepsis is no big deal.”
Google Safe Browsing for
viasyshealthcare.com reported, “Of the
354 pages we tested on the site over the past 90 days, 20 page(s) resulted in
malicious software being downloaded and installed without user consent. The
last time Google visited this site was on 2012-06-17, and the last time
suspicious content was found on this site was on 2012-06-13. Malicious software
includes 48 trojan(s), 3 scripting exploit(s).”
Threatpost reported that DHS is investigating and that “an analysis by the
Department of Homeland Security found that some of CareFusion's Web sites were
relying on six-year-old versions of ASP.NET and Microsoft Internet Information
Services (IIS) version 6.0, which was released with Windows Server 2003. Both
platforms are highly susceptible to compromise.” DHS “may refer it to its
ICS-CERT division, which focuses on threats to critical infrastructure.”
Why would Homeland Security be involved? In April, the feds were pressed to
protect wireless medical devices from hackers. By May, Public Intelligence
posted the “DHS Wireless Medical Devices/Healthcare Cyberattacks Report.” Just
because we can hook all these medical devices to the Internet does not make it
any wiser than connecting other critical and vulnerable infrastructure to the
web, where it can be hacked. DHS said most medical devices were “not designed
to be accessed remotely,” yet “the flexibility and scalability of wireless
networking makes wireless access a convenient option.” According to the report
[PDF]:
Because the technology is so new, there may not be an authoritative
understanding of how to properly secure it, leaving open the possibilities for
exploitation through zero-day vulnerabilities or insecure deployment
configurations. In addition, new or robust features, such as custom
applications, may also mean an increased amount of third party code development
which may create vulnerabilities, if not evaluated properly.
…
Implantable Medical Devices (IMD): Some medical computing devices are
designed to be implanted within the body to collect, store, analyze and then
act on large amounts of information. These IMDs have incorporated network
communications capabilities to increase their usefulness. Legacy implanted
medical devices still in use today were manufactured when security was not yet
a priority. Some of these devices have older proprietary operating systems that
are not vulnerable to common malware and so are not supported by newer
antivirus software. However, many are vulnerable to cyberattacks by a malicious
actor who can take advantage of routine software update capabilities to gain
access and, thereafter, manipulate the implant.
Well now . . . while taking advantage of a routine software update in the
case of CareFusion may not have led to a lethal cyberattack, could it have
opened the way to some equally insidious attack that infects hospitals or opens
a backdoor to medical devices that are supposed to help save lives? Scrubs and
Suits said, “Many IT security experts are concerned that patient care could be
compromised by terrorists who want to cause destruction and fear, or even by a
particularly aggressive viral infection.” The article then pointed out that
“in July of 2010, Kern Medical Center, a 172-bed hospital in California, was
infected by a virus that was so aggressive that it actually shut down the
hospital’s EHR system for about two weeks.”
During the Slashdot discussion of CareFusion serving up malware in medical
device software updates, an Anonymous Coward wrote, “Hospitals have LARGE
amounts of devices that are internet enabled like $300,000 cat scan machines
that PDF and email documents and are managed only via IE 6.... They almost
always use very obsolete platforms with 256 megs of ram, IE 6, etc. The budget
analysts folks are under heavy pressure to cut costs and IT is always the cost
center at the end of day.”
It’s time for IT to be a priority when it comes to securing healthcare, not
dead last on the totem pole, and running totally exploitable systems that allow
ventilator software updates to be tainted with malware. Let’s not wait to make
security a priority for implantable medical devices either; let’s not wait
until after an attacker exploits and remotely assassinates someone through a
device that was supposed to save their life.
Update: CareFusion is very unhappy with this article and says: "We
know the Windows virus does not affect any downloadable software and has no
effect on our medical devices. It could affect Windows PC files, and we have
taken quick action to clean and restore our affected systems."