The challenges of cyber research and vulnerability disclosure for connected healthcare devices
As Head of Research at CyberMDX, Elad Luz gathers and analyzes information on a variety of connected healthcare devices in order to improve the techniques used to protect them and/or report about their security issues to vendors. The research includes analyzing protocols, reverse engineering software, and conducting vulnerability tests.
Healthcare organizations are increasingly experiencing IoT-focused cyberattacks. What is the realistic worst-case scenario when it comes to such attacks?
The first and most important risk to bear in mind and protect against in our space is always patient risk. In a place like hospital, this may happen on different levels. Care critical devices that are directly connected to patients like infusion pumps, ventilation, anesthesia, patient monitoring and such obviously represent the most critical endpoints from a security perspective. Compromises to those devices can cause serious immediate effects.
After care critical devices, the next most critical line of defense should be drawn around diagnostic machines like radiology devices, or lab devices that can also result in situations of serious short term negative impact. Beyond that, you have to account for care adjacent devices that pose near term risk, such as connected sterilization machines and medication dispensers. Even devices that have only little to do with the medical flow but are still necessary for the hospital to operate — like wireless tags, access controls, connected washers may affect the responsiveness of the medical staff which may later affect patient health.
It’s been cited ad nauseam and for good reason — but the WannaCry attacks immediately come to mind as a really poignant example of how even administrative devices being compromised can result in patient harm. And that threat hasn’t gone away in the last 3 years since WannaCry. Just in 2019, a truly astonishing 759 ransomware attacks were launched against healthcare organizations. Of those, at least 10 forced hospitals to turn away patients due to an impaired ability to deliver care. In fact, there’s a very serious impact on care even when hospitals don’t need to turn away patients.
When researchers measured the effects of cyber attacks on patient safety they found an operational ripple effect that added — on average — 2.7 minutes to medical response times. In a health emergency like a heart attack, minutes are often the difference between life and death. To wit, the same report noted a 3.6% increase in cardiac event fatalities at hospitals that had recently suffered cyberattacks. In other words, all other things being equal, for every 30 cardiac event patients admitted to a cyber-exploited hospital, statistically, one patient who would have survived elsewhere will be lost.
How do the complex medical device supply and value chains ultimately impact the security of connected devices in the healthcare industry?
Because of the complex medical device supply and value chains, it’s not always clear who should take responsibility for security best practices. While hospital administrators tend to think device manufacturers should be responsible for the security of their devices — which if not designed securely can hardly be operated securely — device manufacturers think the responsibility lies with the hospitals who create the network conditions that largely define the attack surface. This gap in expectations makes effective medical device security all the more difficult.
It’s important that security be considered at the earliest stages and built into medical technology research, development, procurement, deployment, and management processes. This means not only thinking about security, but also testing for it so that potential issues can be identified and addressed before they graduate into real-world problems. That applies equally to medical device stakeholders in the pre-market and post-market — manufacturers and hospitals.
Today, the type of testing required is woefully neglected by both sides of the market, with only 9% of manufacturers and 5% of users say they test medical devices at least annually.
What are the main challenges when it comes to vulnerability research of medical devices?
From a purely research perspective, there are challenges to do with access. For example, device procurement costs that can be prohibitively expensive, laws and policies that prevent vendors from selling to non-hospitals, sometimes difficult-to-accommodate spatial prerequisites, as well as installation, configuration, and calibration complexities, or even networking codependencies.
From a slightly less tactical perspective, looking more at strategy and the bigger picture, the research is only valuable insofar as it manages to improve the industry’s security. To that point, challenges can sometimes come in how vendors relate to researchers — if the relationship becomes adversarial, it will be difficult for both sides to work together to actually improve security. Of course, we need to also think about the facts on the ground in hospitals. Even if the researchers and vendors do everything right on their end, it doesn’t guarantee a positive outcome if hospitals continue using vulnerable devices without implementing patches or other mitigations.
So, there are definitely challenges in trilaterally coordinating positive real-world impact. And with the worst-case scenario for our industry always revolving around cases of cyber-physical harm, a severity scoring system (CVSS) that fundamentally ignores physical impact, the system itself may do a disservice in misrepresenting and poorly prioritizing the risks.
It’s imperative that all the stakeholders be able to come together, share a clearly understood frame of reference and common objectives in dialing down the real-world risk exposure.
What does this type of research entail? Were you surprised by some of the findings?
Our research methodology involves some proprietary technology and tactics that I can’t discuss, but the parts that I can talk about normally begin with data collection and good old fashioned detective work.
We break down and reverse-engineer the communication protocols used by medical devices, we analyze device network behavior, we crawl the internet and scraping device references, we dig into MDS² files, we use a good amount of inductive reasoning, trial & error, and “poking around” in the lab to follow the breadcrumbs and build the investigation.
When we “crack” a case open and discover a previously undocumented security issue, we’re often surprised by things like lack of authentication, hard-coded credentials, and other vulnerabilities that are caused less by human error and more by bad or lazy design decisions taken.
What’s your take on responsible disclosure? What can be done to safeguard users in case a vendor is not responsive to vulnerability reports?
Cybersecurity is still fairly new and somewhat unfamiliar territory to most healthcare organizations. In fact, the whole industry is still working on getting its arms around it, and that goes to national oversight bodies and institutionalized safeguards as well. The process is still not perfectly standardized or very granularly governed. There may not be official rules dictating who is informed of what, what controls are applied to whom, who has influence over bottom line determinations, and what can be said to whom for every stage in the process.
Similarly, the factors governing the timeline for disclosure can be somewhat opaque and, from an institutional perspective, the guiding logic for disclosure is not always clear. So, if you’re dealing with a cooperative vendor you might expect that CISA — the division of homeland security responsible for overseeing the disclosure process for matters of public infrastructure — would withhold disclosure until patches can be developed and issued for the vulnerability in question. Yet, that’s not always the case. I think it’s important that we not lose sight of the forest for the trees or reduce the task of vulnerability management to items on a static checklist. We need to maintain a view of the mission: making healthcare safer and more secure.
That said, the fact is that more often than not, the process works as designed; and improvements are being introduced all the time. So I think, all in all, responsible disclosure is very important to the long-term security health of the industry. I also think it will only get better as lessons are learned and CISA collaborates more closely with other bodies like the FDA.
To your second question, I think we should concern ourselves less with how users can protect themselves from an unresponsive vendor, and more with how the public, the demand side of the market, researchers, and national oversight bodies can work together to apply pressure as needed to make sure that vendors are always responsive to matters of cybersecurity.
What advice would you give to a healthcare CISO that wants to make sure the connected devices in use in the organization are as secure as possible?
There is obviously a need for an automated tool to do that. Otherwise we are talking about nonstop work of securing thousands of devices, tens of different models and deployments, each requiring its own permissions and rules, in an ever-changing environment both inside the hospital (new assets get connected, old ones disconnected) and outside (new threats and vulnerabilities are published).
The best option would be using a solution that is tailor-made for medical centers, which is what we do at CyberMDX. Our solution is already familiar with a huge collection of medical devices and their unique protocols and our researchers are always working to lock down vulnerabilities you don’t even know you have. We are THE experts when it comes to cybersecurity and clinical connectivity.
How do you expect the security of IoT medical devices to evolve in the near future?
As IoT continues to connect everyday devices, I think we’ll find, especially in the medical field, that the most basic and relied upon devices will quickly become our biggest liabilities from a security perspective. Some evidence of this trend can we seen in the recent MDhex vulnerabilities that revealed a number of products in the popular CARESCAPE family of patient monitoring devices to be extremely vulnerable to cyber sabotage.
The problem is that all of a sudden manufacturers are expected to be experts in something — cybersecurity — that they’ve barely had to consider until now. It’s challenging for the manufacturers because the largest variety and best quality of agent-based security solutions reside on Windows and Linux-based devices, and require frequent updates to be relevant. Meeting those requirements is usually challenging in IoT embedded devices. Therefore I expect organizations to rely more and more on centralized, third-party provided agentless solutions that monitor the network traffic and introduce security features.