Tag Archives: Medical Devices

Feds Say GE Medical Devices Vulnerable to Hackers Changing Settings

Medical devices have never been subjected to much security testing – a fact that the FDA may argue with, but which is visibly accurate.

This time it is GE’s CIC Pro, a workstation that hospital staff uses to manage multiple GE patient devices on a ward.  They can use the device to monitor patients or change patient settings.

Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published an alert for a series of 6 vulnerabilities together called MDHex.  These vulnerabilities would allow a hacker to compromise the CIC Pro and from there, the patient information.

CISA rates vulnerabilities on a 1 to 10 scale with 10 being the scariest.  FIVE OUT OF SIX of the vulnerabilities were rated 10.  The other was rated 8.5 – pretty serious.

The number of devices vulnerable was not disclosed by GE but is thought to be in the hundreds of thousands.

GE plans to release patches “in the coming months”.  In the mean time, hope your hospital isn’t hacked.

This is a rampant problem with Internet of Things (IoT) devices because they are cost sensitive and Industrial Internet of Things (IIoT) devices (like the patient monitor) because they were never designed to be on the Internet.  The workstation line was launched in 2007, well before anyone worried about the Internet of Things and apparently it runs on Windows XP, which has not been supported by Microsoft since 2014.

There are some things you can do if you have IoT or IIoT devices in your company:

  • Make sure you have a complete and current inventory of all of your IoT and IIoT devices
  • Understand what software runs in them, who is responsible for patching them, whether patches are even available.  This includes what libraries were used by the developers.  An old unsupported library is the source of one of the vulnerabilities above
  • Isolate all IoT and IIoT devices from your IT network
  • Consider whether any individual IoT or IIoT device is sensitive enough or its software is risky enough to separate it from everything else
  • Build a patching program for your IoT and IIoT devices – whether it is the responsibility of you or a vendor.  If it is a vendor, manage the vendor closely.
  • Watch for alerts for vulnerabilities published – by vendors, researchers, the government and others – for devices that are part of your network.
  • If you have a vendor supporting the devices (could be the manufacturer or someone else), review your contract to see what it says about who is responsible for security, privacy and even more importantly, who is liable in case of an attack or a breach.

At least this is a start.


Source: ZDNet Dark Reading

Facebooktwitterredditlinkedinmailby feather

When Medical Devices Get Hit With Ransomware

Is it possible that North Korea used stolen NSA hacking tools to infect medical devices at U.S. hospitals?  Forbes says, yes it is.

When the WannaCry ransomware spread out of control last week infecting 48 hospital trusts in the UK and unnamed medical facilities in the U.S. for the most part U.S. businesses were not affected.  Except for some.

For those people who work in offices, the effects of ransomware are annoying and if there are not sufficient backups, it can lead to losing data and losing customers.  And lawsuits.

But when it comes to hospitals, in addition to all of the above, it can lead to people dying.

Forbes was given an image of a Bayer Medrad power injector (shown below) that manages the injection of MRI contrast die into patients.

Many of these medical devices in hospitals are connected to Windows PCs and those PCs are often connected to email and the Internet.  When they are – and even if they are not – they can get infected with malware.  Think Iran and Stuxnet.  Those centrifuge controllers were not connected to anything and we still infected them.

Bayer acknowledged that at least two devices were infected here in the U.S., but they were able to restore them in 24 hours.

Microsoft released a patch for the bug that allows the ransomware to work in March.  Bayer said that it plans to release that same patch to its customers “soon”,  That means that hackers – say, perhaps, the North Koreans – have at least three months, maybe more after the patch is released to reverse engineer the patch and use that knowledge to infect medical devices.  From what I have heard. three months from vendor patch release to medical device patch release is super speedy.  And don’t forget that you have to add the time it takes the hospital to approve deploying that patch.

While this particular attack would, if effective, take the machine offline and not directly kill anyone, that is only THIS particular malware.

We have already seen demonstrations of hacking changing the settings inside drug infusion pumps.  If that bit of maliciousness propagated in the wild, it could change the dosage of drugs being dispensed to patients without any obvious indication externally (set it to 10 and it dispenses 50 for example) and then people would die.

In the case of that brand of infusion pumps, after beating up the vendor and the FDA for a year, the FDA finally issued a warning.  Hackers don’t use that kind of time scale.  You have to be able to warn hospitals in hours and the FDA and medical device industry are no where near the capability to do that.

Lets say that instead of locking up Windows PCs, the WannaCry worm instead infected infusion pumps.  Granted the same bug would not work in infusion pumps, but lets say there was a different one.   Think about how fast that worm spread around England, Scotland and a hundred plus other countries.  Could the national medical device regulators in all of those countries respond to that kind of event before people died.  Sadly, I don’t think so.

According to the article, the medical device manufacturers rushed out an alert telling hospitals that they were working on a patch and would release it sometime in the future.

HITRUST, a private company that helps the medical industry deal with cyber security issues said that it had reports of both Bayer and Siemens being affected.  Siemens said it could not confirm or deny reports of their machines being infected.

The Department of Homeland Security’s Computer Emergency Response Team (CERT) said that many industrial control systems vendors are issuing alerts also.  They said that ICS devices were infected and did have impact.

While this particular attack didn’t have deadly consequences, unless the medical device and industrial control industries up their cyber security game, it is just a matter of time before something bad happens.

Information for this post came from Forbes.

Facebooktwitterredditlinkedinmailby feather