Crime syndicates are hacking devices to steal private medical information for profit

Hospira's LifeCare PCA Infusion System, which the Department of Homeland Security has warned is vulnerable to cyberattacks--Courtesy of Hospira

At least in the device world, the potential for a malicious, targeted, even fatal cyberattack against a patient's infusion pump or other device is well known, thanks to the efforts of "white hat" hackers like Billy Rios. Less talked about are ongoing nefarious cyberattacks against devices intended to steal private medical information.

By installing replicas of medical devices at more than 60 hospitals, cybersecurity firm TrapX Security has demonstrated the presence of shadowy groups who are hacking devices to steal valuable personal medical information and sell it on the black market, Bloomberg reports.

TrapX followed the electronic trail left by the hackers on the operating system of the fake CT scanners, and it led them to a server in Eastern Europe, which the firm believes is controlled by Russian crime syndicate, the article says.

The data stolen includes Social Security numbers, addresses, dates of birth, names of relatives, medical histories, which can be used to commit insurance fraud; such information is worth 10 times more than a credit card number on the black market.

The presence of hackers out to steal personal medical information using medical devices as a conduit is not unknown.

"These are people who literally create lists of people with STDs, who are pregnant, with Alzheimer's disease, who are obese," said Alvaro Bedoya, executive director of the Center on Privacy and Technology during a roundtable discussion on cybersecurity in Washington, DC, earlier this year. "And we don't know what these folks do with this data, and they exploit various loopholes in laws that regulate insurance. Right now it's not as lively a market as it might be, but I'm worried about that becoming a bazaar of maladies."

A popular technique for gaining access to the hospital network is "spear phishing," the article says, or bugged e-mails that appear to come from people known by their recipients.

All in all, TrapX concluded that all of the hospitals had devices infected with malware after 6 months of the experiment, including radiology machines used for imaging and blood gas analyzers. So-called ransomware was found on the devices; the bug Citadel restricts access to machines, enabling hackers to demand ransom for access to computers (or computerized devices).

It has not yet been used to disable medical devices, but has been used against personal computers and patient databases in the U.S. and Australia, according to Bloomberg.

"These medical devices aren't presenting any indication or warning to the provider that someone is attacking it, and they can't defend themselves at all," said Carl Wright, general manager of TrapX in the article.

Indeed, what's striking is that the computers at the nurses' station were "quickly scrubbed" by antivirus software, but the devices were vulnerable, in part because they used old operating systems like Windows XP or Windows 2000.

The article also profiles the pioneering work on medical device cybersecurity by former Marine Billy Rios. His demonstration of the ease of remotely controlling infusion pumps, led to the FDA to issue its first-ever cyber security advisory urging hospitals to discontinue use of Hospira's Symbiq infusion pump (but only after lots of prodding). As such, Hospira had already stopped manufacturing the model for other reasons, and many believe the FDA action was a "hollow victory," the article says.

Experts like University of Michigan professor Kevin Fu have been unimpressed by Hospira's response to their revelation about the poor cybersecurity of its pumps. After Rios complained of inaction at the firm in July, Fu wrote in an email to FierceMedicalDevices that, "At the very bottom, there are a small number of companies such as Hospira that I've never seen participate at the cybersecurity standards meetings like the other manufacturers, and in my opinion their executives are in shameful denial about cybersecurity risks. You can tell someone that their fly is down, but denial just means we can still see your junk."

In addition to other infusion pumps like Hospira's LifeCare PCA (and likely those made by other companies), the problem extends to various devices, including items as far afield as medical cabinets. The Bloomberg article describes how Rios successfully opened electronically "protected" drawers full of medications using a generic hard-coded password.

He did so while hospitalized for a condition (which ironically enough, required the use of an infusion pump), but said he didn't touch any of the medications. The article cites one doctor who said enhanced security at the cabinets using finger print scans is highly inconvenient and costs valuable time because doctors often wear gloves, neatly demonstrating the challenges and tradeoffs of securing devices of all sorts.

Rios has been accused of fear mongering at industry forums, for there are no known instances of a cyberattack against a medical device that's directly resulted in death or injury. But Fu thinks such an occurrence will inevitably occur someday, and worries that it could result in a devastating loss of confidence in the device industry and medical technology.

Rios has no plans of letting up his advocacy for device cybersecurity, Bloomberg reports. He's trying to create a "lending library" to obtain and test the cybersecurity of expensive medical equipment like CT scanners.

Meanwhile the government's internal watchdog, the Office of the Inspector General, said in its recently released FY 2016 agenda that it will "examine whether FDA's oversight of hospitals' networked medical devices is sufficient to effectively protect associated electronic protected health information (ePHI) and ensure beneficiary safety."

- read the Bloomberg article