Malware in Medical Devices
Cyberattacks on medical devices have plagued the healthcare industry. Malware, the weapon of choice, has caused companies to lose millions of dollars throughout the country, also leaving patient safety at risk. What would the world face if terrorists began targeting medical devices?
Many hospitals and other medical facilities run on older systems such as Windows XP and 7, both of which are no longer supported by Microsoft due to the licensing user base and newer integrations of Windows, such as 8 and 10, that are currently still on the market. These older systems are no longer maintained or updated by Microsoft, so if a vulnerability is discovered by a third party or potential hacker there won't be an update to fix the bug. Without updates to these OS’s, it is very easy to access the hardware that is inevitably connected to these devices.
One example of a vulnerability that is especially concerning is an unnamed demonstration given by Ben-Gurion University of the Negev in Israel, where the program uses deep learning to remove or add signs of cancer from CT and MRI scans. Currently, the program that makes this possible has to be hardwired into the system with a Raspberry Pi, a small credit-card sized device that functions like a computer. The hacker is required to get into the hospital undetected to install the device to the MRI. Unfortunately, in the demonstration video, the attacker was able to break in by just walking in behind the night cleaning crew. Once the Raspberry Pi is installed, it is as simple as running the program from the lobby of the hospital logged into their wifi. From there the attacker can insert and remove cancerous tumors. This can falsify research, hold real data for profit, or lead to the murders of political figures or mass members of the public by the undiagnosed disease.
Another example is a malware called EKANS, this piece of ransomware is a combination of Wanna Cry, a piece of ransomware that encrypts data until a price is paid to the attacker, and Stuxnet, a computer worm that targets supervisory control and data acquisition systems that was designed to take down Iranian nuclear reactors. EKANS and its suspected precursors Venomous Bear, SNAKE, and Krypton are currently being attributed to a group called Turla, who is a Russain based threat group. EKANS over time gains control of a system's functionality and disables it unless the ransom is paid. In the context of medical devices, if the ransom were to go unpaid, it may lead to critical function failure including shutting down devices that support those on life support or inject medication remotely.
There are also known vulnerabilities in the systems that run insulin pumps leading to the ability to shut off the functionality of the device. Many groups neglect to think about the software that runs these devices when looking for vulnerabilities in hardware. With the growing amount of these devices on the market being able to connect to smartphone apps and have wi-fi or bluetooth capabilities, they are increasingly becoming targets for attackers. The IoT, or internet of things, is what links all these devices together so long as they are connected to the same network. If a hacker gains access to the network of someone with type 1 diabetes, if the device is not properly updated, they can go as far as changing the amount of insulin being discharged or stop it entirely.
Safety in healthcare is a critical function in maintaining US national security. Alongside the affordability of healthcare in the US, the functionality of medical devices doing as they are intended is critical. Such as in the Ben-Gurion University of the Negev, many hospitals have limited physical security from their back end. If a large set of MRIs are compromised in a large city such as New York or Los Angeles with large population densities, many cases of necessary treatment may be missed or unnecessary treatments given. If a large population is unable to be diagnosed, an epidemic may be difficult to pinpoint or contain in time. Even on the local level, small disputes between neighbors can lead to further issues if the ability to tamper with data in this fashion becomes known to the mainstream.
While examining the effect infected medical devices have on the US infrastructure, it is also essential to examine manufacturers in the healthcare industry. Companies that make medical devices for sale are aware of maintaining their client’s best interests. Nevertheless, manufacturers can pose a security threat to the healthcare industry and the US. According to a study done by the College of Healthcare Information Management Executives (CHIME), a professional organization for chief information officers (CIOs) and other senior healthcare IT leaders, in collaboration with KLAS Research in 2018, that malware attacks impacted 18 % of manufacturers’ medical devices. Only 39 % of manufacturers were confident in their products when it came to cybersecurity, the protection of the devices, or developing security programs. Overall, 96% of customers identified manufacturer-related factors as a root cause of medical device security issues. Cybersecurity must be a priority for all manufacturers. Malware in medical devices can cause very severe data breaches. Public and private sector companies can help support manufacturers.
Hackers are executing malware attacks on medical devices, and soon, attacked personal medical devices will be on the horizon. Cyberterrorists and terrorist groups can maintain the capability to carry out attacks through medical devices as well. Sophisticated cyberattacks from terrorist cells have affected government entities in the US and internationally and can affect hospitals if terrorists shut down hospital networks and online medical devices. Terrorists can also grow the capability to control medical devices to injure or even kill patients.
Currently, there is no federal mandate protecting medical devices against cyberattacks. The Healthcare Sector Coordinating Council is serving as a
liaison between private industry and government laws to introduce ways to fix security issues. Thus far, the public and private sectors are working together to combat infected medical devices and have also created programs separately. The US Food and Drug Administration (FDA) is continuing to issue warnings to the public if they believe a medical product could cause harm due to cybersecurity issues.
Image: MiniMed Model 500 and 503 Remote Controllers (MMT-500 and MMT-503). A total of 1117 MiniMed Insulin Pumps have been recalled by the FDA.
In June 2019, the FDA recalled the Medtronic MiniMed insulin pumps. The products could not sustain potential cyber risks due to its connection to remote-controlled and wireless systems. The FDA recalled at least 11 models as Medtronic was unable to update patches for MiniMed 508 and Paradigm insulin pump models to address vulnerabilities. The FDA also recalled Abbott pacemakers in 2017 due to the potential exploitation of cybersecurity vulnerabilities.
In addition, to recall announcements, the FDA also updates fact sheets to ensure the public on the latest news on medical devices. Other government agencies are working to secure devices against cyber attacks as well. Unfortunately, some privacy laws including Health Insurance Portability and Accountability Act (HIPAA) restrict third party organizations, manufactures, from accessing medical/hospital systems as it may contain sensitive patient data. Yet, access may be necessary to patch certain devices.
McAfee, an American global computer security software company, is working with several healthcare providers, including Siemens Healthineers, creating detailed security solution plans to assist companies in complying with regulatory mandates and requirements and preventing attacks. Other companies such as Cisco, Symantec Corporation, and Intel are also working with the healthcare industry to determine weaknesses in security programs and present vulnerabilities. Companies are working on improved ways to scan for vulnerabilities in the different devices, ensure new patches, and creating procedures to dispose of medical devices that have reached their life expectancy. In turn, the hospital must work to secure their broader networks.
Cyber threats to medical devices are just beginning. Soon, most devices will be connected to the internet if they have not been already. Both the public and private sectors are responsible for working together to combat cyberattacks on medical devices and terrorist capability. CTG recommends further research on malware and upgraded operating systems for hospitals. Additionally, the federal government may want to revise such privacy laws, including HIPAA, so that manufacturers can update and patch software without limits. It is also recommended that hospitals become better equipped with staff and cybersecurity teams that can patch medical devices and create policies to ensure devices are protected.
 Injecting and Removing Cancer from CT Scans, April 3, 2019, https://www.youtube.com/watch?v=_mkRAArj-x0
EKANS Ransomware and ICS Operations, December 3, 2020, https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/
 Mitre ATT&CK,Turla, n.d, https://attack.mitre.org/groups/G0010/
 CHIME-KLAS Survey Measures Providers' Confidence in Medical Device Security Programs, College of Healthcare Information Management Executives (CHIME), October 5, 2018, https://chimecentral.org/chime-klas-survey-measures-providers-confidence-in-medical-device-security-programs/
 FDA Warns Patients and Health Care Providers about Potential Cybersecurity Concerns with Certain Medtronic Insulin Pumps, The Food and Drug Administration (FDA), June 27, 2019, https://www.fda.gov/news-events/press-announcements/fda-warns-patients-and-health-care-providers-about-potential-cybersecurity-concerns-certain
 Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication, The Food and Drug Administration (FDA), August 29, 2017, https://www.fda.gov/medical-devices/safety-communications/firmware-update-address-cybersecurity-vulnerabilities-identified-abbotts-formerly-st-jude-medicals
 "Device Use" by The Food and Drug Administration.
 Health Insurance Portability and Accountability Act of 1996 (HIPAA), Centers for Disease Control and Prevention (CDC), September 14, 2018, https://www.cdc.gov/phlp/publications/topic/hipaa.html
 Tom Moore, How McAfee Embedded Security Helps Medical Device Manufacturers Protect Their Products from Malware and Hacker Attacks, McAfee, January 10, 2018, https://www.mcafee.com/blogs/other-blogs/mcafee-partners/mcafee-embedded-security-helps-medical-device-manufacturers-protect-products-malware-hacker-attacks/