Cybercriminals’ next deadly target: grandpa’s pacemaker

Physicians say when networks go down, patients are at risk.

Austin American-Statesman - NATION & WORLD - By Tim Johnson, Tribune News Service

Cyberattacks are accelerating worldwide and the U.S. health care system is dangerously unprepared to defend itself, or its patients.

In the past two months, thousands of computers of the nation’s No. 3 pharmaceutical company, Merck, seized up amid a global cyberattack, cutting into production of medicines. The same rogue digital worm crippled a hospital system north of Pittsburgh.

From insulin pumps and defibrillators, and on to expensive CT scanners and MRI machines, medical devices are increasingly connected to networks. Patient medical records are online. When networks go down, physicians say it is like operating in the dark.

“It’s going to get worse,” said Chris Wysopal, cofounder and chief technology officer at Veracode, a Burlington, Mass., cybersecurity firm.

Wysopal pointed to fallout from the WannaCry digital worm that swept the globe in March and the Petya malware that hit in June, leaving collateral damage in the health care sector.

“Every time we see something successful like WannaCry and Petya, you see other actors learning from that rather quickly, and they are able to replicate that style of attack,” Wysopal said.

Cybersecurity in the health care sector — which employs 9 percent of the U.S. workforce and represents a sixth of the nation’s economy — “needs immediate and aggressive attention,” a task force mandated by Congress warned in June.

Indeed, security experts expect that the quickening pace of hackers’ attacks will soon affect health care. And those who have studied health care’s specific vulnerabilities worry that hackers — working for enemy states or cybercrime groups — could train their digital sights directly on U.S. hospitals, health care networks and medical devices.

“We’re going to have our digital D-Day, our cyber D-Day, if you will, in medical, and there’s going to be patients that die. It’s going to be a big deal,” said Dr. Christian Dameff, an emergency room physician and expert on cyber vulnerabilities.

Doctors like Dameff, who recently co-led a summit at the University of Arizona College of Medicine on medical device hacking, are gaming out scenarios of types of attacks that could impact the health care system. Among the scenarios experts predict are possible:

A malicious worm rockets through a particular type of medical device, say, an infusion pump, and hundreds, maybe thousands, of patients collapse.

Hackers determined to collect ransom or sow destruction attack the networks of hospitals in an entire geographic region, depriving physicians of electronic medical records and forcing evacuation of critically ill patients over hundreds of miles.

A terror attack on a metropolitan area coincides with a hack against the city’s hospitals. Just when emergency medical care is most needed to deal with victims, the health sector finds itself crippled.

Hacking of medical devices is literally the stuff of Hollywood. In the second season of the series “Homeland” on Showtime in late 2012, a U.S. vice president is killed by manipulation of his pacemaker. A year later, former Vice President Dick Cheney acknowledged that he had disabled his pacemaker’s wireless capabilities to thwart any possible assassination attempt.

The plot twist reflected what security researchers had already discovered.

When Jay Radcliffe, an IBM senior threat intelligence analyst with Type 1 diabetes, looked into the security of his own insulin pump, “what I found was really kind of shocking.”

Operating remotely, he discovered that he could turn the pump on and off, and “I could change all the insulin settings so instead of giving one dose of insulin, I would give 10 or 50.”

In short, Radcliffe discovered that hackers tinkering with the pump could kill him.

Recalling that early research in 2011, Radcliffe, speaking at a roundtable in Las Vegas at a DefCon hacker conference late last month, said the threat against current generation insulin pumps is “very low” because they require hackers to be in close proximity to the devices and manufacturers, worried about facing reports of vulnerabilities, hustle to upgrade security.

But Radcliffe, who now works for Rapid7, a Boston cybersecurity firm, said medical and scientific advances continue to outpace the ability of companies to keep their devices secure.

“The message right now is, yeah, this isn’t going out and kill people like on ‘Homeland.’ But it will in the next generation,” Radcliffe said.

Still, manufacturers resist acknowledging any vulnerabilities. When St. Jude Medical, a St. Paul, Minn., maker of cardiac implants, was hit by short sellers last year over charges that its devices were vulnerable to cyberattack, it hit back with a defamation lawsuit.

Most hospitals have a plethora of devices — monitors, infusion pumps, glucose meters, ventilators and scans — that come to an average of 10 to 15 medical devices per hospital bed in the United States, most of them connected to networks.

“All of these devices are connected today and they are all giving readouts of patients,” said Cathie Brown, vice president of governance, risk, and compliance for Impact Makers, a Richmond, Va., consultancy.

Most devices are not interoperable, creating a mosaic of software challenges. Some machinery, like CT scans and MRIs that can cost upward of $300,000 apiece, use older, often vulnerable software. Replacing them is out of the question for cash-strapped hospitals.

Even large hospitals devote little to cybersecurity, often having only one tech or two who work with manufacturers to do upgrades but tend little to broader security issues.

“Many hospitals are interconnected now. And so an attack could be launched at one hospital, code could be planted, lying dormant, until a kill switch went off, and it would spread like wildfire,” Brown said.

A hacking group may eventually seek to target a network of hospitals.

“Cyberattacks are very scalable. You can go from one hospital to 500 hospitals with much less effort than it takes to attack 500 hospitals physically,” said Dameff, the physician. “You can see that these risks, they explode.”

The May 12 WannaCry ransomware attack — which locked down some 150,000 computers around the world — had a calamitous impact on Britain’s National Health Service, knocking out 48 hospitals and clinics for days.

In a mass outage affecting hospitals in a region, delays in care would affect not just high-risk heart and stroke patients but also potentially thousands of other patients with conditions such as allergies whose electronic medical records were suddenly unavailable to physicians.

“If the electronic medical record went down, and this patient was in a coma in the ICU and I didn’t have any physical paper documentation of his allergies, which is often the case now ... then I could inadvertently administer a medication that a patient is allergic to,” Dameff said.

He added: “In a disaster situation, we would have dozens and dozens of these types of events, all of which would impact patient mortality.”

The realization that cyberattacks can have such broad impact in the health care sector may be animating cyber criminals.

“Some of these attacks are like ringing the dinner bell for adversaries,” said Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, a think tank in Washington. “Once they know they can and it’s that easy, at that point it becomes a race.”

Photo caption: An MRI (magnetic resonance imaging) machine scans a patient at Toshiba America Medical Systems MR Research Center in Irvine, Calif. (Ed Crisostomo)
