Scottish Daily Mail

HACKERS holding the NHS to ransom

Cancelled ops. Paralysed hospital car park barriers. And pacemakers that could be hijacked. Chilling menace of the...

- By JONATHAN GORNALL

Having your operation cancelled because of a bed shortage or an infection on the ward is something patients dread but, these days, have learned to expect. However, patients in three north Lincolnshire hospitals were recently offered a very different excuse: hackers had brought down the trust’s computer system, forcing the cancellation of all appointments for two days. Even car park barriers were affected, and the hospitals had to resort to pen and paper.

The network had been taken over by ransomware, malicious software that encrypted the trust’s files: the hackers demanded a ransom to unlock them. The trust didn’t pay, but the computer system had to be shut down to remove the malware.

While the trust declined to say how the ransomware had infiltrated its system, cybersecurity experts say the most common way in is through an apparently innocent email, sent to staff, containing a link.

Clicking on the link downloads the malicious software onto that computer; from there it can spread to other machines on the same network.

The Lincolnshire hospitals were merely the latest to fall victim to the trend. Just this month, Barts Health Trust (which runs five hospitals in London) was hit.

Fortunately, the trust was able to contain the ransomware, but it emerged recently that, in the past year, 28 other trusts had suffered similar attacks. The NHS insists no ransom money has been paid, but others have coughed up: last year, a hospital in Los Angeles admitted it had paid $17,000 to ransom hackers.

Businesses and hospitals are increasingly being targeted by criminals in this way, says Raj Samani, chief technical officer at Intel Security, a global computer security software company in California.

The ‘darknet’, the hard-to-access underbelly of the internet, is home to a thriving black market, where ‘one can buy around 5,000 email addresses for about £5 and, inevitably, some people will click on the link in the email sent by the hacker and infect their institution’s computers with ransomware’, he told Good Health.

The number of ransomware programs detected by Intel has escalated from just ten in January 2016 to the ‘many hundreds’ circulating today.

NHS trusts are vulnerable because so many people have access to their networks.

The only defence is to ensure everything on your system is constantly backed up, says Mr Samani. If you are hit, every computer must be disconnected from the network and swept for the ransomware, before the whole system can be rebooted. This is hugely time-consuming.

But it’s not just cancelled operations that are the risk — cybersecurity experts fear it is only a matter of time before such attacks hit vital equipment, such as the machines used to communicate over the internet with remote pacemakers.

Every year, tens of thousands of NHS patients have pacemakers and similar devices implanted in their chests: the matchbox-sized marvels of modern technology are life-savers that keep hearts beating normally.

Implanted under the skin near the collarbone, the modern pacemaker is a miniature computer.

Running its own software, it’s so smart that, as well as keeping a dicky ticker pumping efficiently, it can also transmit information about a patient’s condition to their doctor via the internet, sounding the alarm when something’s amiss.

There are 35,000 pacemakers fitted in the UK each year, and a further 13,000 implantable cardioverter defibrillators (ICDs) — which are similar, but also capable of delivering a life-saving shock.

However, there is mounting evidence that the very ingenuity of these devices may be a deadly Achilles heel. According to an expert report seen by Good Health, one of the systems most commonly used by the NHS is vulnerable to hacking.

The shocking report, by global cybersecurity firm Bishop Fox, claims one of the home monitors commonly used in the NHS can easily be hacked to become ‘a weapon that can be used to attack patients with implanted . . . cardiac devices’.

Exploiting ‘a relatively easy to discover . . . back-door key’ in the software, an unscrupulous hacker could use the monitor to drain a pacemaker’s battery, turn the device off or, in the case of an ICD, even cause it to deliver a heart-stopping shock.

Experts fear cyber attackers could make use of a specialist online search engine called Shodan, which indexes devices connected to the internet, including medical equipment such as MRI scanners and insulin pumps.

Although a legitimate search engine, useful for tracking the growth of the so-called ‘internet of things’, ‘it can be used for malicious purposes’, says Mr Samani. ‘It helps you identify vulnerable devices, which, quite frankly, shouldn’t be connected to the internet.’

Many hospitals, he says, are keen to use networked equipment, but are ignorant of the risks.

Now, cybersecurity researchers say they have exposed just how vulnerable pacemakers and ICDs connected to the internet can be.

Most of the devices used by the NHS are supplied by three U.S. manufacturers. Last August, cybersecurity company MedSec revealed it had conducted an investigation into the security of devices made by one of these firms, St Jude Medical.

Patients fitted with St Jude’s smart pacemakers and ICDs are now commonly also supplied with its Merlin@home bedside monitoring units, which wirelessly collect information and transmit it to their doctor. In their surgeries, doctors have programmers with which they can wirelessly alter the pacemaker’s settings when a patient is close by.

MedSec said it had identified ‘significant vulnerabilities’ in this system, which could be exploited by even ‘low-level hackers . . . to cause implanted devices to malfunction and harm users’. MedSec then approached an investment firm with this information — and now, St Jude Medical is suing both MedSec and the investment firm, claiming they had ‘intentionally disseminated false and misleading information in order to lower the value of St Jude Medical’s stock and wrongfully profit from a drop in share value’.

But a report by Bishop Fox, commissioned for the defence case, appears to back up the original claims. Bishop Fox concludes that, in the wrong hands, the Merlin@home monitor could be used ‘to reprogram and issue . . . commands to pacemakers and ICDs’, to drain batteries, turn devices off, or even deliver a heart-stopping fatal ‘T-wave shock’ — causing the heart to quiver, instead of pumping.

‘The security measures I observed do not meet the requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients,’ wrote Carl Livitt, an expert ‘penetration tester’ with Bishop Fox, who specialises in hacking computer systems for biomedical industries and has advised UK police and counter-terrorism agencies.

Worryingly, Livitt added, the way St Jude Medical cardiac devices were set up to communicate with each other ‘has serious security vulnerabilities that make it possible to convert Merlin@home devices into weapons’.

In the UK, the body that regulates medical devices, the Medicines and Healthcare Products Regulatory Agency (MHRA), says that, while it was ‘aware of the potential for cybersecurity attacks’, there had been ‘no UK reports of any incidents involving medical devices’. There was a ‘theoretical risk’, but the chance of that happening ‘appears to be infinitesimally small’.

The organisation responsible for helping trusts beef up their cybersecurity, NHS Digital, only launched schemes to improve this last September, and is still in the throes of recruiting ‘early adopters’.

Not a moment too soon — St Jude Medical may not be the only manufacturer whose implantable devices could be vulnerable. Last month, a team of British and Belgian researchers revealed they had been able to crack the security of a device programmer and the latest generation of a widely used ICD (they did not reveal the name of the manufacturer or ICD model).

They were able to make the device fail and use it to steal sensitive information about the patient. ‘All these attacks,’ they reported in a paper to the 32nd Annual Conference on Computer Security Applications in Los Angeles, ‘can be performed without needing to be in close proximity to the patient.’

The researchers now plan to work with the manufacturer involved ‘to improve the security of these medical devices’, one of the authors, Eduard Marín, a computer cryptography expert at the Catholic University of Leuven, Belgium, told Good Health. He added that the problems the researchers identified were almost certainly more widespread.

Dr Francis Murgatroyd, a cardiologist at King’s College Hospital, said while any potential security breach needs to be ‘thoroughly investigated’, the ability to monitor patients in their homes was ‘a great advance and . . . has saved lives’.

He adds: ‘The ability to change the active settings of a pacemaker or defibrillator remotely is not currently a feature of home monitoring.’ That’s what St Jude Medical says, too.

But according to Bishop Fox, that claim is ‘demonstrably false . . . We verified the Merlin@home device can reprogram and issue . . . commands to pacemakers and ICDs’.

St Jude declined to comment because of the ongoing legal action. But a spokesperson said the company ‘takes cybersecurity very seriously’ and was ‘continually reassessing and updating our devices and systems . . . for example, we had seven software updates in just the last three years to Merlin@home’.

But clearly, St Jude has been shaken. In October, it announced it was ‘forming a Cyber Security Medical Advisory Board to advise us as we continue to advance cybersecurity standards in the medical device industry by working with experts and government agencies’.

Mark James, of global internet security company ESET, says there is ‘a mad dash to connect everything to the internet, from the lighting in your home to a wi-fi-connected kettle, which you can turn on from your smartphone. But there are certain things we need to keep segregated’.

He adds: ‘Asking software to turn on the lights in your home is one thing. But asking it to check something inside your body is a completely different ball game.’

Picture: SHUTTERSTOCK / MINERVA
