The researchers suggest that these unsecured medical record systems and unsecured medical devices could be putting patient lives at risk. High-profile targets like heads of state and celebrities could be more at risk than the general public. They also report that the insecure connections could be used by another nation-state to attack the medical infrastructure of the U.S.
Researchers demonstrated the attack, known as Pestilence, at the Black Hat 2018 conference in Las Vegas on Aug. 9. The attack was created as a proof-of-concept and will not be released to the public. While the vulnerabilities of unsecured networks are not new, the researchers showed how they could be exploited to compromise patient health.
Vulnerabilities come from the standards that are used to transfer patient data within hospital networks, known as Health Level Seven (HL7) standards. HL7 was created in the 1970s as a way for devices and systems in a medical facility to communicate. The system has since been untouched by cybersecurity advances that have been made in the last 40 years.
Currently, patient data is being circulated in an unsecured way because HL7 standards are implemented on aging medical equipment by personnel who have little to no cybersecurity training, according to the researchers. The main concern is that the data is transmitted unencrypted, in plain text, over networks that do not require passwords or other forms of authentication.
There have been a few cybersecurity threats to hospital networks over the last few years, but the UCSD researchers want to show how compromised data could be manipulated.
“Healthcare is distinct from other sectors in that the manipulation of critical infrastructure has the potential to directly impact human life, whether through direct manipulation of devices themselves or through the networks which connect them,” the researchers said in a press release.
Pestilence was developed using vulnerabilities and methodologies that are already known. However, the project differed from previous studies because it combined computer-science knowledge with clinical knowledge to exploit weaknesses in the HL7 standard.
“As a physician, I aim to educate my colleagues that the implicit trust we place in the technologies and infrastructure we use to care for our patients may be misplaced, and that an awareness of and vigilance for these threat models is critical for the practice of medicine in the 21st century,” Jeffrey Tully, an anesthesiology resident at UC Davis Medical Center, said.
Protecting data from being manipulated is an important task, according to the researchers.
“We are talking about this because we are trying to secure healthcare devices and infrastructure before medical systems experience a major failure,” Dr. Christian Dameff, an emergency physician and clinical informatics fellow, said. “We need to fix this now.”
Pestilence uses what the researchers call a “man in the middle attack” that puts a computer between the laboratory machine and the medical records system. When testing the system, researchers automated the attack so it could comb through large amounts of data remotely. The researchers built a testbed of medical laboratory testing devices, computers and servers to test the system instead of using real medical records. Doing so allowed the team to run tests like blood and urine analysis while intercepting the results to change them and send the changed information back to a medical records system.
One of the tests that researchers changed was a normal blood test. They changed the results to show that a patient was suffering from diabetic ketoacidosis, which would cause a physician to prescribe an insulin drip. An insulin drip in a patient who doesn’t need it could lead to a coma or death.
They also changed a normal blood test to show that a patient had extremely low potassium, for which a doctor would prescribe a potassium IV, which could cause a heart attack in a healthy patient.
The researchers suggest a few methods for hospitals and government agencies to use to protect medical infrastructures.
Medical record systems and medical devices should be password-protected and secured with a firewall. All of the devices and systems on the hospital networks should be restricted to communication with one server only to limit hackers’ opportunities to get into hospital networks.
Another way to protect data would be to adopt a new standard that could replace HL7. The new standard, known as Fast Healthcare Interoperability Resources (FHIR), would allow for encrypted communications inside hospital networks.
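The attack described above works because an HL7 v2 message is plain pipe-delimited text with nothing that lets the record system tell whether an OBX result segment still says what the analyser wrote. The following Python example, added here and not code from the researchers or from any HL7 or FHIR project, shows that gap from the defender's side: it parses the OBX results out of a constructed ORU^R01 message, then adds and checks an HMAC-SHA256 integrity tag carried in a site-defined Z segment, so that a message whose glucose value was rewritten in transit is rejected before ingestion. The shared key, the `ZIT` segment name, the sample message and its patient values are all assumptions made for this illustration; an HMAC tag is a minimal stand-in for the authenticated, encrypted transport the researchers recommend, not a replacement for it.

```python
"""Integrity check for HL7 v2 lab results (added illustration, not the
researchers' code).

HL7 v2 messages are pipe-delimited text with one segment per line, separated
by carriage returns. The format itself neither authenticates the sender nor
protects the body, so a relay sitting between the analyser and the record
system can rewrite an OBX value unnoticed. Here the analyser side appends an
HMAC-SHA256 tag in a site-defined Z segment ("ZIT", chosen for this example)
and the receiving side refuses any message whose tag does not verify.
"""
import hashlib
import hmac

SEG_SEP = "\r"          # HL7 v2 segment terminator
FIELD_SEP = "|"
COMPONENT_SEP = "^"
INTEGRITY_SEG = "ZIT"   # assumed site-defined segment carrying the tag

# Constructed sample: a basic metabolic panel reported by a lab analyser.
SAMPLE_ORU = SEG_SEP.join([
    "MSH|^~\\&|LABANALYSER|LAB|EMR|HOSP|20180809120000||ORU^R01|MSG0001|P|2.5",
    "PID|1||PATID-0001^^^HOSP||DOE^JANE||19700101|F",
    "OBR|1|||BMP^Basic Metabolic Panel",
    "OBX|1|NM|GLU^Glucose^LN||95|mg/dL|70-99|N|||F",
    "OBX|2|NM|K^Potassium^LN||4.1|mmol/L|3.5-5.1|N|||F",
])

# Assumed shared secret provisioned on both the analyser and the record system.
SHARED_KEY = b"example-key-not-for-production"


def parse_results(message: str) -> dict:
    """Return {observation code: (value, units)} from every OBX segment."""
    results = {}
    for segment in message.split(SEG_SEP):
        fields = segment.split(FIELD_SEP)
        if fields[0] != "OBX" or len(fields) < 7:
            continue
        code = fields[3].split(COMPONENT_SEP)[0]   # OBX-3 observation identifier
        results[code] = (fields[5], fields[6])      # OBX-5 value, OBX-6 units
    return results


def _tag(message: str, key: bytes) -> str:
    """HMAC-SHA256 over the exact bytes of the message body."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_message(message: str, key: bytes) -> str:
    """Analyser side: append a ZIT segment carrying the tag for the whole message."""
    return message + SEG_SEP + INTEGRITY_SEG + FIELD_SEP + _tag(message, key)


def verify_message(signed: str, key: bytes):
    """Record-system side: return (True, results) if the tag verifies, else (False, None).

    A message with no tag, a tag made with another key, or a body altered after
    signing is rejected, so untrusted results never reach the patient record.
    """
    body, sep, last = signed.rpartition(SEG_SEP)
    if not sep or not last.startswith(INTEGRITY_SEG + FIELD_SEP):
        return False, None
    received = last[len(INTEGRITY_SEG) + 1:]
    if not hmac.compare_digest(received, _tag(body, key)):
        return False, None
    return True, parse_results(body)


if __name__ == "__main__":
    signed = sign_message(SAMPLE_ORU, SHARED_KEY)
    print("genuine :", verify_message(signed, SHARED_KEY))
    # Same message with the glucose value rewritten between analyser and EMR.
    altered = signed.replace("|95|", "|450|")
    print("altered :", verify_message(altered, SHARED_KEY))
```

The tag covers the complete message, so changing any OBX value, the patient identifier or the message control ID invalidates it; `hmac.compare_digest` keeps the comparison constant-time. Because HMAC needs the same key at both ends, this only helps if the key is provisioned and stored securely on the analyser and the record system, which is one reason a standard with built-in transport security is the longer-term answer.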
The UCSD researchers also suggest that hospital IT staff should be trained on cybersecurity issues and trained to enable defenses against potential attacks.
Cybersecurity should also be part of the FDA approval process for healthcare devices, according to the researchers. Manufacturers would benefit from using the newest and most secure operating systems to meet cybersecurity needs, according to the researchers. Many medical devices still run Windows XP, which Microsoft no longer supports, so vulnerabilities go unfixed.
“Working together, we are able to raise awareness of security vulnerabilities that have the potential to impact patient care and then develop solutions to remediate them,” Tully said.
William K. says
While all of the assertions made in the article are probably correct, for those systems that are not connected to any outside networks the risk is probably quite a bit less. Connections to the outside are most of the problem, a lot like removing one’s doors completely, not just leaving them unlocked. Encryption of data is interesting, but remember that to be useful the data must be un-encrypted at the user’s end. So if the key is not adequately protected the value of encryption is minimal. Implementing another standard would probably reduce the risk a lot, but it may not be possible without replacing the equipment, or at least making internal changes in that equipment, which may be a fairly expensive proposition. One reasonable alternative is for the various instruments to send their data, in the same HL7 format to a nearby computer, within an easily secured distance from the instrument, where the data could be manipulated into whatever secure format was required, and then sent on to the records system. The downside of this method is far less profit for those selling the other approaches. Clearly a serious impediment!