With the intensity and frequency of cyber attacks on medical institutions rising every day, the growing significance of cyber security in the healthcare industry is clearer than ever. When it comes to the security of healthcare organizations, there’s much more at risk than just money or data.
There are lives at stake!
The year 2020 witnessed the first fatality attributed to a ransomware attack, when a hospital in Germany was hit in September.
Many of the successful cyber attacks on healthcare institutions can be attributed to the vulnerabilities in medical devices such as pacemakers and insulin pumps. These vulnerabilities can be exploited by malicious actors to alter the clinical performance of a medical device, which can have some catastrophic consequences.
Former Vice President of the US, Dick Cheney, had his doctors disable the wireless capabilities of his pacemaker during its implantation in 2007 to prevent a possible assassination attempt.
The VAPT team of Kratikal, a CERT-In-empanelled security auditor, has conducted security assessments for a wide range of medical devices. Here is a list of the top 5 vulnerabilities in medical devices they detected.
#1 Vulnerability to Denial of Service Attacks
Various medical devices use wireless networks to exchange information and data, which can create serious obstacles in achieving the security goals of integrity, confidentiality and availability.
Wireless networks are essentially radio signals transmitted between devices, encoded to carry data. The signal is an electromagnetic (EM) wave carrying digital data, and it is vulnerable to interference from other EM waves. This presents two major security challenges:
- Jamming these signals is extremely simple and can prevent these devices from connecting to one another.
- It can be very difficult to track the source of the jamming or stop the jamming.
These types of attacks are known as denial of service attacks. They affect the availability of information and can hamper the performance of medical devices. If a medical device is vulnerable to denial of service attacks, the consequences go beyond data loss, because the device may stop delivering or reporting care when it is needed.
#2 Vulnerability to Stack-based Buffer Overflows
Stack-based buffer overflow attacks are used by attackers to remotely take over the code execution of a process. Buffers are regions of a system's memory that hold data temporarily while it is being transferred.
A buffer overflow takes place when the volume of data exceeds the memory buffer’s storage capacity. Consequently, the program trying to write the data overwrites adjacent memory locations.
To launch stack-based buffer overflow attacks, malicious actors target stack memory, which only exists during a function's execution. Through these attacks, malicious actors may gain elevated privileges inside your system. This vulnerability is typically exploited either to launch privilege escalation attacks or to gain remote code execution on the target system.
#3 HL7 Protocol Vulnerable to Man-in-the-Middle and ARP Spoofing
HL7 is an unauthenticated and unencrypted data standard widely used in the healthcare industry for almost all communications between systems. Typically, HL7 messages are transmitted to an interface engine, which transforms and distributes all the messages it receives to the appropriate downstream systems, keeping all the data synced.
HL7 messages carry a healthcare organization’s most sensitive data. However, they are vulnerable to various cyber threats, especially Man-in-the-Middle (MITM) attacks.
The HL7 protocol does not address the two controls that combat MITM attacks: tamper detection and authentication. Without these controls, malicious actors can easily intercept communications between systems. There are numerous MITM techniques used by attackers, of which the most popular is ARP (Address Resolution Protocol) spoofing. Attackers can use ARP spoofing to launch MITM attacks and intercept traffic between endpoints.
To carry out these attacks, malicious actors send gratuitous ARP packets to the targeted system to associate their own MAC address with another system's legitimate IP address. Consequently, the traffic is redirected to the attackers instead of the legitimate secondary system. Often, the attacking system forwards the traffic onward so that neither endpoint notices the interference.
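The re-association described above is visible on the wire: a legitimate IP suddenly answers from a different MAC, and one MAC ends up claiming several IPs. The following is an added example (not code from the original post or from Kratikal) of a passive ARP monitor that raises both signals; the ARP replies, addresses and the HL7 sender/interface engine pairing are constructed for the demo.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen by a passive monitor on the segment
# between an HL7 sender (10.0.5.10) and the interface engine (10.0.5.20).
# Each tuple: (seconds since start, sender IP, sender MAC, target IP).
# All addresses are invented for this example.
ARP_EVENTS = [
    (0.0, "10.0.5.10", "00:11:22:aa:bb:01", "10.0.5.20"),
    (0.1, "10.0.5.20", "00:11:22:aa:bb:02", "10.0.5.10"),
    (30.0, "10.0.5.10", "00:11:22:aa:bb:01", "10.0.5.20"),
    # Gratuitous replies: an unknown MAC now claims both legitimate IPs,
    # so traffic in both directions is pulled through it.
    (60.0, "10.0.5.20", "de:ad:be:ef:00:99", "10.0.5.10"),
    (60.0, "10.0.5.10", "de:ad:be:ef:00:99", "10.0.5.20"),
]


def detect_arp_reassociation(events, known_bindings=None):
    """Return alert strings for two MITM signatures in an ARP reply stream.

    1. An IP's MAC binding changes (or differs from a known-good table).
    2. One MAC claims more than one IP on the segment.
    known_bindings: optional {ip: mac} table from the device inventory; when
    given, the very first sighting is checked against it as well.
    """
    ip_to_mac = dict(known_bindings or {})
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac, _target in events:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ts:.1f}s: {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                claimed = ", ".join(sorted(mac_to_ips[mac]))
                alerts.append(f"{ts:.1f}s: {mac} claims {claimed}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_reassociation(ARP_EVENTS):
        print("ALERT", line)
```

In a real deployment the known-good table would come from the device inventory, and switch-level controls such as dynamic ARP inspection or static entries on the interface engine remove the attack rather than just detecting it.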
#4 Exploitation of DICOM Flaw to Embed Malware in CT/MRI Imagery
DICOM refers to a globally-recognized standard for the storage and exchange of medical images. It is used widely all across the healthcare industry ranging from the medical devices that produce imagery like MRI and CT machines to tablets used for viewing diagnostic information. There is a flaw in the DICOM file format specification that enables malicious actors to embed executable code within the files.
By doing this, attackers can create a malicious hybrid file that is both a specification-compliant DICOM image, viewable with any DICOM viewer, and a fully functioning Windows executable. These files not only work like a typical Windows PE file but also adhere to the DICOM standard, so the patient information remains intact.
Such files are referred to as PE/DICOM files. By exploiting this critical flaw, malicious actors can intertwine patient information with malware to easily and stealthily distribute this malware across a broad range of healthcare institutions.
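A DICOM Part 10 file begins with a free-form 128-byte preamble followed by the magic "DICM", while a Windows PE file begins with "MZ" and, at offset 0x3C, a field (e_lfanew) pointing at the "PE\0\0" signature. A hybrid satisfies both layouts at once, which is also what makes it detectable. The check below is an added example (not code from the original post or from Kratikal) that an import gateway could run before storing an image; the sample byte strings are constructed and are not real studies.

```python
import struct

DICM_OFFSET = 128        # DICOM Part 10: 128-byte preamble, then b"DICM"
E_LFANEW_OFFSET = 0x3C   # PE/COFF: DOS-header field giving the offset of b"PE\0\0"


def inspect_dicom(blob: bytes) -> dict:
    """Classify a blob as DICOM, PE, both (PE/DICOM hybrid) or neither."""
    is_dicom = blob[DICM_OFFSET:DICM_OFFSET + 4] == b"DICM"
    has_mz = blob[:2] == b"MZ"
    pe_header_found = False
    if has_mz and len(blob) >= E_LFANEW_OFFSET + 4:
        e_lfanew = struct.unpack_from("<I", blob, E_LFANEW_OFFSET)[0]
        # Out-of-range offsets simply yield an empty slice, never an exception.
        pe_header_found = blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    is_pe = has_mz and pe_header_found
    return {"dicom": is_dicom, "pe": is_pe, "hybrid": is_dicom and is_pe}


def neutralise_preamble(blob: bytes) -> bytes:
    """Zero the preamble: the DICOM data is untouched, the PE half is broken."""
    return bytes(DICM_OFFSET) + blob[DICM_OFFSET:]


def make_sample(pe_in_preamble: bool) -> bytes:
    """Constructed minimal DICOM-shaped blob, optionally with a PE skeleton."""
    preamble = bytearray(DICM_OFFSET)
    # Meta element (0002,0010) Transfer Syntax UID, explicit VR little endian.
    body = b"DICM" + b"\x02\x00\x10\x00UI\x14\x001.2.840.10008.1.2.1\x00"
    if pe_in_preamble:
        preamble[:2] = b"MZ"
        # Point e_lfanew past the DICOM payload, where a hybrid keeps its PE headers.
        struct.pack_into("<I", preamble, E_LFANEW_OFFSET, DICM_OFFSET + len(body))
        body += b"PE\x00\x00" + bytes(20)
    return bytes(preamble) + body


if __name__ == "__main__":
    for label, sample in (("clean", make_sample(False)), ("hybrid", make_sample(True))):
        print(label, inspect_dicom(sample))
```

Rewriting the preamble on ingest is a cheap hardening step because the DICOM standard does not require any particular preamble content, but it is not a substitute for scanning the files, since malware can also ride in pixel data or private tags.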
#5 Hard-coded Passwords
Medical devices containing hard-coded passwords are susceptible to an array of cyber threats. Hard-coded passwords are plain-text (unencrypted) credentials and other secrets, such as SSH keys, that developers embed directly in the source code.
A wide range of medical devices including ventilators, surgical and anesthesia devices, drug infusion pumps, patient monitors, laboratory and analysis equipment and external defibrillators use hard-coded credentials.
The use of hard-coded passwords in medical devices is a huge risk, as it makes it easy for malicious actors to discover confidential information through password-guessing attacks.
This enables attackers to gain administrative access and high-level privileges by bypassing authentication. By exploiting hard-coded passwords, an attacker can gain access to biomedical information, calibration settings, network configuration and device settings.
These are a few of the many high-risk vulnerabilities found in medical devices. The exploitation of these vulnerabilities by malicious actors can have various catastrophic consequences.
The most effective way of eliminating vulnerabilities in these devices is periodic VAPT (vulnerability assessment and penetration testing) for medical devices. This helps you identify the vulnerabilities that need to be fixed immediately, making sure that threat actors can't exploit them.
Want to Make Sure Your Medical Devices Are Secure?
Get Them Assessed Now to Ease Your Worries!