Researchers have turned up more than 1,400 vulnerabilities in a widespread medical product dispensing cabinet system from CareFusion, because old units are still running Windows XP. IT Security Experts from PRPL Foundation, Lieberman Software, ESET, MWR and Tripwire provide insight and advice on the issue:
Cesare Garlati, Chief Security Strategist, PRPL Foundation:
“With the healthcare IoT market set to be worth $117bn by 2020, according toMarketResearch.com, there’s an increasing need for manufacturers to reengineer vital systems to ensure they can’t be misused. A major factor affecting all challenges is complexity: IoT systems are extremely complex with many “moving parts.” A vulnerability that may affect one device used in a particular context might not affect equivalent devices from other manufacturers. At this early stage of IoT development, it is important for stakeholders to be vigilant in analyzing systems and subsystems for potential vulnerabilities, especially in healthcare environments where lives are most vulnerable.
“Unfortunately, many manufacturers do not update in a timely manner – even when notified by security researchers. Delays often occur due to the complexity of coordinating changes between various teams and code bases throughout the supply chain. A more serious and fundamental factor is that firmware is rarely cryptographically signed, meaning that an attacker could in theory replace it with new software of their choosing. This is akin to handing criminals a key and allowing them to replace the lock. Chip firmware in IoT devices should be updateable, but not in a way that allows anyone with the right set of skills to re-flash it with their own code.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Specialty machines have always been a big part of healthcare, manufacturing, and construction. A healthcare organization may make the capital investment in a machine and then run it as long as it keeps working. As every new specialty machine ends up connected to the network, we are creating a whole zoo of beasts with outdated, un-patchable software that is simply begging bad guys to come exploit them.
There are only two things one can do to improve security for specialty hardware. First, you must know what you have. It sounds silly but half the battle is simply tracking what is on the network so you know your potential risk. Second, you must automate the security measures that are possible. For example, you can likely still regularly rotate the Alistair credentials for these specialty devices even after their software is out of date or end of life.
Just because something is a good idea doesn’t mean you can make money doing it. Often companies pop up with an innovative technology like a specialty machine, but fold quickly because of simple economics. The hospital that bought the useful device has practical reasons to keep using it that may, in their view, outweigh the risk of bad guys using it to attack the network. Like so many other security conversations, the question of continuing to use vulnerable devices in healthcare is one where you’re forced to measure business value now versus potential IT risk in the future.”
Rob Miller, Head of OT Security at MWR:
“Attackers of a system will often use known weaknesses in systems rather than invest time and money in finding new weaknesses. This is why software vendors will always recommend patching so that customers use versions of their software that have fixed these weaknesses. The issue with using unsupported products is that this cycle of patching cannot continue, potentially providing the attacker with an open door.
With medical organisations now becoming the focus of certain groups of attackers, this causes an issue for system administrators who may have no choice but to run such systems in a network that hold valuable assets such as patient records.
Many IT professionals wrongly assume that nothing can be done with an unsupported system that has known vulnerabilities. It is important to consider prevention as just one step in running a secure system. Prevention should not only should rely on good patch management, but also limit access to critical systems through network design and user authentication. The other steps to good security are detection and response. Even with patched systems it may be possible for an attacker to gain access. The ability for an administrator to be alerted unusual behaviour, and to know what to do with such information is critical to reducing the threat to a system.”
Lamar Bailey, Sr. Director, Security R&D at Tripwire:
“Securing outdated and unsupported equipment in every industry is a major problem but remote compromise to a device containing high powered drugs is a new, very dangerous twist. These drug dispensing units revolutionized the storage and accessibility of drugs for healthcare staff. These devices are found on every floor of a hospital and allow caregivers access to needed drugs in minutes thus replacing the need to travel to a central hospital pharmacy to have items manually filled.
The units track dosage and patient information to help insure no one is over dosed and this inventory control system cuts down on theft and triggers refills as need to keep the cabinets stocked. All this functionality is available because the systems are connected to a network so they must be treated as computer assets. The problem lies in the fact that they are rarely patched and their support lifespan can be short and unknown because companies want to roll out new models quickly to increase revenue.
If an attacker exploits one of these systems and changes the dosage or medicine for a patient it could cause extreme physical harm. Hospitals need to understand that any machine that plugs into a network is a computer of some kind so they should be asking vendors how often they update the systems for security issues and know that the end of support date is the drop dead date for removing these systems from the network.
Budgets need to be in place to replace aging systems before they are out of support. Vendors need to understand that any device that connects to a network must be secured and updated on a timely basis. We are seeing many cases where security is an after-thought in many devices sold today and some vendors would rather release a new version instead of updating current versions, this needs to change, especially in the consumer area. Vendors need to publish a well-defined lifecycle to keep their devices updated and secure.”