Hackable Infusion Pump, Ransomware Risks To Patients
Hospitals are sitting ducks for cyberattacks
– David Braue
Melbourne, Australia – Dec. 23, 2021
Security researchers have long warned of the largely theoretical risks of security vulnerabilities in increasingly connected medical equipment — but McAfee’s Advanced Threat Research (ATR) recently demonstrated that the risk has become very real, as vulnerable equipment is left exposed by hospitals that have been kneecapped by strict change management policies.
A team of ATR threat researchers recently revealed the outcomes of a more than 18-month investigation into security vulnerabilities in medical equipment such as automatic infusion pumps.
Their findings — that a flaw in the B. Braun Infusomat Space Large Volume Pump and B. Braun SpaceStation could allow malicious actors to easily modify the equipment’s configuration — raised enough concerns that the Cybersecurity & Infrastructure Security Agency went as far as releasing a formal medical advisory about the vulnerability.
“We found five different vulnerabilities that, when chained together, would allow us to get root on the SpaceCom,” senior security researcher Philippe Laulheret told Cybercrime Magazine. “We had been really interested in thinking about, assuming an attacker is on the same network as the SpaceCom, what is the highest impact that could happen?”
The calibration of the machine, for example, could be manipulated to make the pump think it was using tubing of a different size — causing it to deliver a medication faster than expected or more slowly than required.
“By changing the number, the pump [would be] doing the math wrong,” Laulheret said. “What’s important with these pumps is having really precise control of the speed and quantity being delivered — so of course, that leads to real impact and that can be pretty dangerous for a patient.”
Patching isn’t always straightforward
B. Braun, the world’s second-largest manufacturer of infusion pumps, “took it very seriously” and worked productively with the McAfee team to resolve the issue, delivering a patch shortly after the vulnerability was revealed.
Yet actually applying such a patch across millions of installed units — the infusion therapy market is estimated at $7.5 billion annually with 5.9 billion intravenous sets sold every year — is far from an overnight exercise.
“We talk about patching being the most important thing to secure against vulnerabilities like this,” said Steve Povolny, principal engineer and head of the ATR team, “but it’s not just patching as being able to patch and roll out quickly.”
“The medical space is really constrained due to regulation and patient safety and overarching regulatory boards that are in place for a good reason,” he continued, “but are extremely limiting as well.”
“It’s the reason we still see Windows XP machines in hospitals today — and the reason that patches can take anywhere from 30 days up to two or three years for organizations to roll out.”
Sitting ducks for compromise
Hospitals’ vulnerability to attack is exacerbated by their often-piecemeal approach to security, with various fixed and wireless networks supporting all manner of administrative and clinical devices connected to networks that often aren’t segmented correctly, or at all.
These vulnerabilities have made hospitals sitting ducks for ransomware and other attacks, with victims including the likes of Southern Ohio Medical Center, the University Medical Center of Southern Nevada, and Alabama’s Springhill Medical Center — where, one patient alleges, disruption from a cyberattack led to operational chaos that caused the death of her baby.
A recent Ponemon Institute-Censinet survey of 597 healthcare IT security executives found that 43 percent had experienced a ransomware attack in the past two years — and a third said they had suffered more than one attack.
The consequences included extended patient hospital stays, delays in procedures and tests, increased patient transfers or diversions between facilities, and increased complications from medical procedures.
One in five respondents, however, linked ransomware attacks to increased mortality rates — a worrying development for a cybercriminal modus operandi that has traditionally been focused on financial rewards rather than malicious disruption of critical services.
Medical devices, the study also revealed, are highly vulnerable — with just 36 percent of respondents saying they even know where all of their devices are. Just 35 percent said they know when a device’s operating system is end-of-life or out-of-date, while 29 percent said they know the non-planned expense of medical device operating system patches.
Improving the health of health security
For hackers that take the time to learn about systemic vulnerabilities in commonly used hospital systems, actually executing a targeted attack “is usually fairly trivial,” Povolny said, “with enough determination to get access to the network using an existing vulnerability or a misconfiguration on the network.”
Even a waiting-room games system proved to be a vulnerability, he said, recounting a recent hospital visit during which his natural curiosity gave him the potential ability to jump onto the hospital’s network.
“One of the gaming systems had a touchscreen where if you touched all four corners, it brought up an admin panel,” he recalled. “The hospital had used a default PIN to protect the device, so it took about 20 seconds to find that PIN and type it in.”
“I was able to get full admin access to all the internal networks, one of which was the devices network,” he continued. “That’s just another example of the myriad ways that attackers can get creative to find different ways into the network that are unexpected and unmonitored — and from that point is where they start to leverage these types of attacks.”
Poor network isolation and segmentation practices at hospitals “really are the major problems in the medical space that are allowing attackers to get in to execute things like ransomware attacks,” Povolny said, “and the types of attacks that we’ve published here could certainly be used for ransomware as well.”
And while the team is continuing to investigate other medical technologies — “I can’t share exactly what we’re working on,” Povolny said — medical and industrial control systems continue to operate within such a strict regulatory environment that effective change is going to be hard.
“There is such a fundamental lack of security understanding,” he said, “that unless there’s an overhaul to the security posture, and to the regulations that guide this, I don’t think we’re going to see ransomware and vulnerabilities and exploitation improve in any meaningful way.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.