Last week I gave a short interview for Süddeutsche Zeitung on the security of medical devices. You can find it here. Unfortunately it is in German so I decided to sum up some of my key points that made it into the article and some that didn’t in this blog post.
The medical devices that we have been looking into include patient monitors, syringe pumps, EEGs, home monitoring devices and an MRI. All of these devices had major flaws that look like they came straight out of the 90s. Sometimes, we were able to crash the machines by simply doing a port scan, sometimes we could get around access controls protecting PIN codes of devices, and in most cases we were able to render the machine unusable. All these attacks were performed over the network and no physical access to the device was needed.
When it comes to medical device security people tend to ask me questions like the following: “Why is that relevant for me as a patient? Why would somebody hack a device I am connected to? I don’t think I am at risk, that sounds like a secret agent story and I don’t think that I am a target for such an attack …”. Looking at the numbers, we can see an increase in patients getting harmed by medical devices but there are no numbers about how many of these incidents were triggered by a malicious party or some sort of malicious use of the device. So what is the scenario that we need to think about?
The secret agent
This scenario obviously could be made into a movie plot. There is this guy trying to extract critical intel from a three letter agency. Secret agents tried to get rid of him and now he is in critical condition on intensive care because the attempt failed. He is highly secured, security personnel are all around and there is no quick way to get physical access to the patient. However, in all modern hospitals we encounter more and more devices that communicate over the network and thus are vulnerable to classic attacks over the network. The secret agents choose the path of least resistance and hack into the syringe pump connected to the patient. They increase the dose to a fatal level. In addition they need to get rid of the alarm on the patient monitor and the central monitoring station, so that the patient’s vital signs will not set it off when he is facing death.
Looking at the findings we have from our research that scenario is perfectly feasible and it might sensitize people but is it relevant for your mother or your dad? In most cases I would guess: no.
The bored dude
This is a scenario that is far more realistic, and I would say that it could effect all of us. Imagine you are suffering from appendicitis. You need to get rid of the little sucker and a surgical treatment called appendectomy is unavoidable. You get hooked up to all kinds of medical devices, there is an anesthetic device basically controlling your breathing, multiple monitors showing data on how your vital signs are and based on all of this data the doctors need to make decisions. We have proven that rendering these devices unusable is absolutely something that is possible with low effort. Sometimes, a simple port scan is enough to do this, which happened to us unintentionally sometimes as well. Think of a bored dude hooking up his laptop to one of the network plugs available to take a peek at the network. Now imagine a doctor sitting in front of a device monitoring your vital signs and all of a sudden: “Bzzzt”, the device shuts off but does not come up any more. If something goes wrong now, you are in real trouble…
In most cases it might not instantly kill you, but doctors will make decisions based on the data they see. Obviously a good doctor will also be able to make good decisions without these devices or question the data on the screen, but it will be way harder to judge a situation without a monitoring device available for a given time frame until a replacement is in place (hopefully without network connectivity). So this is the scenario that we all need to worry about!
Medical device security in 2015 is not about some crazy remote buffer overflow. The first step is to take care of simple best practices like default passwords, unauthenticated management interfaces and devices not being able to continue their primary work when the stuff coming over the network looks a little bit weird! That is what vendors should take care of now!
A last point: Don’t tell me network separation will do the trick. That is the number one excuse for medical device vendors to not think about these problems. Especially in Germany, hospitals have to deal with quite a lot financial pressure. Implementing and managing a hospital network is a complex task and the effort is underestimated in my opinion. This cannot be the last line of defense a hospital is supposed to rely on and it should not be your last line of defense when you are getting your stomach cut open. 😉
Please consult your doctor or pharmacist for risks and side effects of this blog post.
Cheers,
Florian