A group of experts from the Independent Security Evaluators research team have tested the security of hospital networks, demonstrating how it is possible to gain access to critical medical equipment in attacks they say could put lives in danger.
The study was led by healthcare head Geoff Gentry; the results of the tests are reported in an interesting paper titled “Securing Hospitals.”
The experts demonstrated that this kind of cyber attack could put lives in danger. For example, by hacking patient monitors it is possible to display false information, which could result in medical responses that injure or kill patients.
The security researchers examined 12 healthcare facilities, two data centres, two web applications, and a couple of live medical devices that could be hacked remotely by threat actors.
“The research results from our assessment of 12 healthcare facilities, 2 healthcare data facilities, 2 active medical devices from one manufacturer, and 2 web applications that remote adversaries can easily deploy attacks that target and compromise patient health. We demonstrated that a variety of deadly remote attacks were possible within these facilities, of which four attack scenarios are presented in this report,” states the report.
The 71-page document is one of the most interesting studies on the level of security of hospitals and on the resilience of medical devices to cyber attacks.
The report details a typical attack scenario in which a foreign group could launch a cyber attack against the patients of a medical facility by triggering vulnerabilities in passive medical devices.
The experts targeted an externally facing web server, exploiting its vulnerabilities to gain control of the machine. Once inside the network, the attackers moved laterally, searching for vulnerable devices to compromise.
“On a disconnected network segment, our team demonstrated an authentication bypass attack to gain access to the patient monitor in question, and instructed it to perform a variety of disruptive tasks, such as sounding false alarms, displaying incorrect patient vitals, and disabling the alarm,” the team says in the paper.
“This attack would have been possible against all medical devices … likely preventing assistance and resulting in the death or serious injury of patients.”
“The attack scenario is harrowing: Diligently executed, many human lives could be at stake, and extrapolating this problem to other hospitals is even more worrisome.”
Patient data could be easily stolen; for example, attackers can exploit a cross-site scripting flaw inside a web application.
The experts dedicated a specific session of their test to cyber attacks relying on USB drives that could be used by hackers as bait. In one of the tests, the team of researchers dropped 18 infected sticks around hospitals; the malware present on the USB sticks allowed them to harvest information from terminals and establish a backdoor inside the systems.
In one case the attackers successfully breached the hospital drug dispensary service.
“At the time of this reporting, we are working to demonstrate that an attack against the particular dispensary is possible, meaning that anyone who can connect to the dispensary can then get access to the configuration interface and manipulate what the device believes it has to be its inventory. If this medication were then given to a patient, it would likely harm or kill the patient,” said the hackers.
The researchers also paid close attention to physical security: the team analyzed the presence of exposed hardware device ports and open computers operating in patient rooms, which are too easy to hack.
“The findings show an industry in turmoil: lack of executive support; insufficient talent; improper implementations of technology; outdated understanding of adversaries; lack of leadership, and a misguided reliance upon compliance,” states the report.
“[It] illustrates our greatest fear: patient health remains extremely vulnerable. One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective.”
The experts concluded that hospital networks are often insecure; in many cases the organizations lack security policies and never audit their systems, exposing patients to the risk of cyber attacks.
“We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness, and many more,” researcher Ted Harrington says. “These vulnerabilities are a result of systemic business failures.”
The findings demonstrate that patient health remains extremely vulnerable to cyber attack.
Enjoy the “Securing Hospitals” report!
(Security Affairs – Securing Hospitals, cybersecurity)