McAfee threat research team uncovers healthcare security risks

Recent discoveries by a well-known cybersecurity vendor highlight new healthcare security risks.

A research team at McAfee found that open network jacks and weak network protocols connecting IoT medical devices are susceptible to a “man-in-the-middle” attack that could be hazardous to a patient’s health. The team’s findings were published in a blog post last week.

Healthcare security risks have become more prevalent with the advent of IoT and connected medical devices. “Prior to the early 2000s, we didn’t see medical devices on the hospital’s production network very often,” said Mac McMillan, president of CynergisTek, a cybersecurity consulting firm. “Since then, the worlds of medical technology and connectivity have exploded. We see, in the provider space and in the headlines, that this is a real problem.

“These devices run commercial, off-the-shelf operating systems, frequently cut down or old versions, and so cannot be protected in the same way a PC or server can be. They are every bit as likely as any other networked device to be attacked or hacked. Many of the devices also store [electronic personal health information] and now you’ve had a breach, too. On top of that, they are used to deliver therapeutic and diagnostic services to patients, so it is much more than a security issue; it is quality of care and a direct patient care issue.”

Protocol reverse engineered

Mac McMillan, president of CynergisTekMac McMillan

The McAfee research highlights the concern about patient care. A member of the research team reverse engineered a protocol that allows communications between a standard patient monitor and a central monitoring station and found that he easily could “emulate a patient monitor from his computer and make it think it was talking to a central monitoring station, as well as actually inject, or spoof, patient vitals into that conversation,” said Steve Povolny, McAfee’s head of advanced threat research.

Because the protocol “is unauthenticated, unencrypted [and] it’s sent in the clear over this internal network, it’s relatively easy for an attacker, or a man in the middle of that connection, to be able to control the vitals that are transmitted between devices,” Povolny said.

In these scenarios, he said, an attacker could gain access to the devices’ communications protocol through an open jack in a hospital room or by gaining access to a hospital’s internal network.

A lot of these problems are not cutting-edge and can be mitigated quite easily.
Steve Povolnyhead of advanced threat research, McAfee

The danger, Povolny said, is that an attacker could manipulate a healthy patient’s vitals to indicate “some sort of arrhythmia or a change in heart rate that requires medical attention,” which could lead to a doctor administering unnecessary medication.

“A lot of these problems are not cutting-edge and can be mitigated quite easily,” Povolny said, “but the impact scenario is pretty powerful.”

Mitigating security risks not difficult

To mitigate healthcare security risks, he said, “vendors can implement basic authentication for devices so they are not broadcasting patient information in the clear over the wire.” Basic encryption and authentication would be a great step for these protocols.

Hospitals, he said, should ensure that medical devices are isolated, be aware of whether or not they allow open jacks in a room and be educated about security issues “and know how to respond in a scenario where they see anomalies like these.”

“In a real-world setting,” McMillan said, “the process is called a security risk assessment and it starts by identifying all the digital assets — hardware, data, operating systems, software. Once identified, you have to risk rate them, so you know what needs how much protection and how quickly. That risk rating can’t just be based on the fact that there are known vulnerabilities; it has to be based on the likelihood of someone exploiting that vulnerability and then the impact that exercising that vulnerability has on patient care and the business.

“If a network-connected blood pressure cuff has a weakness, [it’s] probably not urgent, but if someone can shut down an anesthesia machine and they do it during surgery, you have a different level of risk. This can’t be just about finding problems, it has to be about figuring out what the real problems are and then fixing those.”

As for the McAfee research into healthcare security risks, Povolny said, “We’re hoping that some of this research continues to elevate and eliminate the problems that we’re seeing … and hopefully convinces some of the vendors and medical systems and implementers to address these problems before they become the next headline.”