Category Archives: Healthcare

Healthcare related posts

Patching IoT Gets Out of Hand

In what may be the first of its kind event, the FDA recalled a pacemaker from St Jude, now owned by Abbott Labs.

Researchers discovered the flaws prior to Abbott’s acquisition of St. Jude and reported them to both the FDA and St. Jude.  Both decided to do nothing about it until the researchers went public.

In April of this year, the FDA put out a “warning” – also likely a first of it’s kind – that the devices which can be controlled remotely, were likely hackable and also had a battery problem that could cause it to go dead – possibly along with the patient  – before it was supposed to.  At that time Abbott said that they took security seriously and had fixed all the problems (see Fox Business).

Fast forward to this week and the FDA has now issued a recall of close to a half million of the supposedly fixed devices.

Since the devices are implanted inside people, the plan is NOT to perform a half million surgeries to remove them, but rather to go to their doctor to have the firmware in the device updated.

As I recall, one of the problems WAS this update capability.  The researchers were able, I think, to buy pacemaker programmers on eBay and reprogram any pacemaker from that manufacturer without authentication.    All they had to do is be in radio range of it.

Obviously, being able to reprogram the pacemaker (which has to be done in a facility that can control a patient’s heart rhythm while the pacemaker is being hacked.  Err, patched.  Err, upgraded) is a LOT safer than a half million surgeries, but still it is not without risk.

No clue what the cost of this little adventure will be, but it won’t be cheap.  Even if each doctor visit costs a hundred bucks – which is highly unlikely – that would still be a cost of $50 million.  If the cost is $500, then the total would likely be in the $250 to $500 million range when you add legal fees, fines and support costs.

One other interesting feature.  The researchers approached St. Jude about paying them a bug bounty, which is common in the tech world, and they decided not to.  Instead, the researchers approached Muddy Waters Capital, who sold the stock short, then announced the vulnerabilities.  When the stock price went down, which it did, Muddy Waters covered their short sell and made out very nicely.  Muddy Waters and the researchers had a deal to do some sort of split of the profits.  There were some people who that was a bit too capitalistic, but, it is not illegal.  Maybe next time, they will work with the researchers when they approach them.

Information for this post came from The Guardian.

Facebooktwitterredditlinkedinmailby feather

Homeland Security Issues Security Alert for Siemens Imaging Systems

We usually think of Internet of Things (IoT) devices as smart light bulbs or door locks or cameras, but there are some IoT devices that are a little bigger and a lot more expensive.

In this case, it is a multi-million dollar Cat Scanner that hospitals and imaging centers use to create diagnostic images.

Siemens says that even an attacker with a low skill level would be able to exploit the vulnerabilities.  That’s not very comforting.

The root of the problem is that there is a Windows 7 PC running the scanner and it is difficult to get approval to install patches – assuming they are even available – because it is considered a medical device.

To make matters worse – if that is possible – Siemens said that the flaw is executable remotely (from the Internet) and sample ways to exploit the bug are available on the Internet.

DHS suggests that hospitals unplug their cat scanners from the network so attackers cannot reach the scanners to attack them.

Of course, that probably is not possible, practically, to do.

Siemens says that they are working on a patch.  That’s comforting.  It is not clear how long it will take Siemens to develop a patch (Or get Microsoft to do so), how long it will take to get the patch approved or how long it will take to get hospitals to install the patch.

Since the vulnerability allows hackers to remotely execute arbitrary code, they could potentially steal any data on the scanners or use the scanners as a launching point for attacks elsewhere in the hospital.

We always tell clients that ALL IoT devices need to be isolated from any trusted internal networks and likely from other IoT devices as well.

Whether the IoT device is a $5 smart light bulb or a multi-million dollar cat scanner, that advice is still true.  To do so may require hospitals to redesign their business practices as well as to make changes to their information systems, so that won’t happen overnight either.

This represents a bit of a mess for hospitals and clinics that have cat scanners and there does not seem to be an easy fix.

The point here is that IoT devices are everywhere and often in places that you do not think about.  Some are small and relatively cheap; other are pretty large and very expensive, but they all share one commonality – they can be exploited.

It is likely to get much worse before it gets any better.

Information for this post came from Health Data Management and the DHS Security Alert.

Facebooktwitterredditlinkedinmailby feather

Hacking Pacemakers For Fun

When Dick Cheney was Veep, stories kept popping up that the Secret Service had made sure that his pacemaker was not remotely controllable.  Some people weren’t sure that it was a problem – not because they didn’t like Cheney, but because they didn’t think they were hackable.

Well now we have a different story.

Researchers bought used pacemaker programmers on eBay, some costing as little as $15.  Apparently, if you have a programmer for manufacturer X’s pacemaker, you can program any pacemaker from that manufacturer.  Apparently, there is no authentication.

The manufacturers have said that they control the distribution of the pacemakers, but if you can buy them on eBay for $15, that obviously is not working.

Whitescope researchers analyzed 4 programmers from 4 manufacturers and discovered more than 8,000 vulnerabilities.  Now doesn’t that make you feel good.

In two cases the used pacemakers came patient data that had not been wiped.  The data was not encrypted.

As medical devices become more sophisticated, they become more dangerous too.  If someone knows that you have a pacemaker from vendor X and can figure out how to hack it, that person could kill you – literally.

This is, in some sense, similar to the drug infusion pump scandal from a few years ago.  The FDA attempted to sweep the issue under the rug for a year or more until the researcher went public with the hack.  Then, all of a sudden, the FDA decided it was a problem.

Some people might say that if researchers just didn’t discover these bugs then all would be well.  Not really.  The bad guys will discover the bugs also, but they won’t be so kind and disclose them.

Obviously these manufacturers need to rethink their security programs.  Security by obscurity (such as by trying to control the distribution of pacemaker programmers) just isn’t going to work in the long run.

As the author of the article said, it is a bit disconcerting that your iPhone is more secure than your pacemaker.

Information for this post came from Ars Technica.

Facebooktwitterredditlinkedinmailby feather

More Healthcare Breaches, Record Fines and Other Issues

Another day, another healthcare ransomware attack.  Erie County Medical Center and Terrace View long term care in Buffalo, New York have been dealing with a ransomware attack for about 10 days now.  On April 9th, a Sunday, the computers got hit by what they are only calling a virus, but according to someone I talked to today, it is, in fact, a ransomware attack.  They have not paid the ransom and do not intend to, but from April 9th to the 15th, all systems were down.  They hoped to have the patient data part of their systems operational by the 15th at which point they would need to start entering the backlog of patient data and any data that was lost.

According to local media, the email system is also supposed to be up by that time.

After that is complete, they planned on working to restore systems such as payroll.

According to the person I talked to this morning, as of today, they are still working on recovering.

I am sure that they will complete a lessons learned exercise once people get some sleep, but from the outside, a couple of questions are obvious.  Their disaster recovery plan seems to be lacking if they are still recovering 10 days later.  We don’t know if their business continuity plan is sufficient.  They didn’t have to close the hospital, which is good, but what is the impact on patient care and staff workload.  Finally, how did this ransomware spread so widely in the organization that it is taking them more that 10 days to recover.

As a side note, the Beazley cyber insurance company says that ransomware attacks that were reported to them quadrupled in 2016 and they expect that to double again in 2017.  Half of the attacks were in healthcare.

The FDA is now shifting its focus to medical devices, like the ones from St. Judes, that the FDA slammed the firm over last month.

 

As if that wasn’t enough to worry about, Health and Human Services Office of Civil Rights levied more fines in 2016 than any other year to organizations that were breached.  They announced 12 settlements averaging $2 million in 2016 and three more in the first two months of 2017 PLUS a fourth case that had a fine of $3.2 million.

Some of these cases required the appointment of an external monitor or baby sitter, indicating that OCR didn’t trust those organizations to fix the problems without oversight.

These handful of cases, while significant, represent a fractional percentage of the roughly 17,000 cases a year that are filed with OCR.

In addition, OCR is finishing up a series of desk audits of covered entities and is about to start on auditing business associates.

While it is unclear what will happen under the Trump administration, OCR is funded mainly by the fines they levy, so it may well be the case that things run as they have for the last few years.  Stay tuned.

Putting all of this together should be a red flag to anyone in healthcare that they need to get very serious about cyber security.  It is not likely to get any better or easier any time soon.

 

Information for this post came from Disruptive Views and hrdailyadvisor.

Facebooktwitterredditlinkedinmailby feather

One Reason People Steal Medical Records

37 billion dollars.

Is that enough reason?

As health premiums increase, more people, especially healthy ones, are moving to high deductible health plans (HDHPs).  A feature of all HDHPs is the option to create a health savings account (HSA).  HSAs are tax advantaged in several ways, so most people who have HDHPs also have HSAs.

The estimated value of money stored in HSAs is about $37 billion in about 20 million accounts.  That is a lot of money – even to crooks. And the numbers are going up at a rate of about 20% a year.

The thing about HSAs is that people don’t think of them like bank accounts.  They don’t check the balance every day.

Since your legal protection is limited to a short period of time after the fraud (for debit cards, if you don’t notify the bank within 60 days of them mailing the statement, you have unlimited liability).

Since the amount of hacking is going up, the price of credit card data on the black market is going down.  If you merge credit card info with credit scores (higher scores tend to map to higher HSA account balances) and also with stolen medical info, you now have what is called a fullz (a full dossier) and those are selling for about $80-$100 a whack on the black market, assuming the bad guy doesn’t use it him or her self.

So, ponder this.

If you steal someone’s healthcare information (like in the Anthem breach), you probably have enough information to either hack into someone’s HSA or socially engineer your way in.

And, if the owner is not watching the balance, you might get lucky and not be detected for months.

So what this means is that if you have an HSA banking account, you need to watch it just like you would watch your checking or savings account.

If you HSA provider offers the option to send you text or email alerts when money goes into or out of the account, you should turn those options on.  AND, you need to read those emails or texts when they come in, not ignore them.

Yeah!  A new type of fraud to worry about.

Information for this post came from Dark Reading.

 

Facebooktwitterredditlinkedinmailby feather

Medsec vs. St. Jude – Security Research Version 2

About four months, a security firm named Medsec discovered some flaws in St Jude Medical’s cardiac implantable products.  The accepted way to deal with this is to privately let the manufacturer know what you found, let them fix it and then release your research.

In this case, Medsec had been told that St. Jude would not be receptive to the conversation and, they were told, some people had been shown the door when they tried to disclose bugs to St. Jude.

So, Medsec tried a novel method.  It worked, sort of, but has them in the middle of a lawsuit, so I don’t recommend trying it.

Medsec licensed the flaws to a company named Muddy Waters.  Muddy Waters makes money short selling companies.  The way they do that is to disclose mud about the company after short selling the stock, hoping the price will go down. Medsec’s deal was that they would somehow split any profits.

St. Jude Medical, which about to be acquired by Abbott for $25 billion wasn’t too happy about it.  They figured, like in the Verizon/Yahoo merger, news like this could scuttle the deal or at least cause Abbott to want to change the terms of the deal and make the stock price go down.  Looking at a stock price chart, it appears the price did go down by about $5 a share after the announcement, probably long enough for Muddy Waters to make their money, but the price appears to be $20 a share higher than it was a year ago.

However, there are some other developments.

St. Jude formed a cyber security advisory group in October, even though they say the claims are baseless.

Muddy Waters/Medsec has created a website and released videos of the hack to defend themselves as part of the lawsuit.

St. Jude Medical released a patch to solve part of the problem.

And finally, the FDA released a public alert saying that they have confirmed the vulnerabilities in the St. Jude Medical implantable cardiac devices – which I assume would have a positive effect for Medsec and Muddy Waters in the lawsuit that St. Jude Medical filed against them.

St. Jude Medical claimed that Medsec and Muddy Waters were intentionally trying to manipulate the stock price.  Of course, the question still to be answered is not whether it was willful, but whether was was illegal.

While we will never know, it appears that their tactic did achieve a goal of get the flaw patched and getting the FDA to issue an alert.  Whether the alert will impact the stock or whether Muddy Waters is going to try and short the stock again is unknown.

What is clear is that this researcher was willing to go to some pretty extreme measures to get St. Jude Medical’s attention.  The patch only fixed part of the problem and Medsec said that they expect more patches from St. Jude Medical.  Now that the FDA has published a public alert, there will likely be even more pressure on St. Jude Medical to fix the remaining problems.

For other businesses, there is a lesson here.  When a customer or security researcher comes to talk to you about a security problem, don’t blow them off.  YOU could be the next short sell play or, if you are not public, they could just set up a web site for spite.

What would that do to your reputation?

Information for this post came from Dark Reading.

 

Facebooktwitterredditlinkedinmailby feather