Imagine you're having a CT scan and malware alters the radiation levels – it's doable

WannaCry was a wake-up call for healthcare, but the sector is still terribly vulnerable to attack


As memories of last May's WannaCry cyber attack fade, the healthcare sector and Britain's NHS are still deep in learning.

According to October's National Audit Office (NAO) report (PDF), 81 NHS Trusts, 603 primary care organisations and 595 GP practices in England and Wales were infected by the malware, with many others in lockdown, unable to access patient data.

WannaCry's upshot was to lock staff out of Windows computers, a bad way to learn the lesson that failing to patch old kit has consequences. But there was another, less obvious discovery: medical imaging devices (MIDs) such as Magnetic Resonance Imaging (MRI), Computed Tomography (CT) scanners, and digital imaging and communications (DICOM) workstations were badly disrupted, with serious knock-on effects for hospital workflow even when other systems had been restored.

In today's NHS, and healthcare generally, MIDs matter out of all proportion to their numbers, with some hospitals relying on perhaps half a dozen to cope with large volumes of disease, cancer and pre- and post-operative diagnostics. "It's hard to imagine life without them," a hospital consultant who wished to remain anonymous told The Register.

Costing anything from £150,000 for smaller CT scanners to millions for the latest MRI designs, these turn out to be difficult to defend. Many in the NHS are controlled through applications run from vulnerable Windows XP or 7 PCs, the former reacting to WannaCry by blue-screening, effecting an inadvertent denial-of-service.

As the NAO noted: "This equipment is generally managed by the system vendors and local trusts are not capable of applying updates themselves." The UK's health sector security hand-holders NHS Digital confirmed to the NAO that manufacturer support was often poor, leaving trusts with few defensive options beyond isolating scanners from internal networks in ways that made accessing imaging data impractical.

Denial-of-Scanning

As far as anyone knows, WannaCry's makers did all of this without even meaning to. What if they had set out to take down a hospital, or attack MIDs in a calculated way? The possibilities turn out to have been alarmingly underestimated.

For May Wang, co-founder and CTO of US IoT security firm ZingBox, the proof-of-concept attack on healthcare was Conficker in 2008, not WannaCry in 2017.

"You don't hear about it but the impact of Conficker is actually bigger," says Wang. "But because not everybody is reporting it, we don't see that much impact in public."

It's a staggering thought: almost a decade after it infected hospitals around the world, including 800 PCs at a teaching hospital in Sheffield, a worm targeting a vulnerability in an obsolete version of Windows is still on healthcare's to-do list.


Researching the security of medical devices in 50 US hospitals, ZingBox discovered that, sure enough, MIDs contributed half of the high-risk security issues. The underlying cause? Almost all of these systems were being controlled through Windows workstations, often flaw-ridden versions going back to XP and even 98, which reflects the age of the scanning hardware.

"Because they're using a full-blown OS, they have the capability to use a browser, download applications and to do lots of things you are not supposed to do on an OS controlling an X-ray machine."

In the US at least, hospitals often try to partially isolate MIDs on VLANS, a strategy which quickly degrades as more devices are plugged into the same network segment.

ZingBox found that only a quarter of the devices on VLANs were medical in nature with the remainder made up of PCs, printers, and mobile devices, all vulnerable to malware that could use them as a staging post to reach MID workstations.

Compounding this is the way the number of connected and IoT-enabled medical devices is growing faster than bio-medical IT staff can keep up, says Wang. In many cases, hospitals don't even audit these devices, which makes protecting them hypothetical.

Ambulance chasing

Noticing the same vulnerabilities as ZingBox, researchers at Ben-Gurion University of the Negev in Israel decided to test out their hunch that MIDs could even be attacked directly by targeted malware.

The team's preliminary findings were published in a report (PDF) in February, which identified CT scanners as the number-one risk. These expose patients to defined amounts of radiation, a setting controlled using a configuration file whose parameters are set from a workstation application.


"This file is basically a list of instructions that the control unit gives to the CT in order to tell it how exactly to perform the scan, including how to move the motors, the duration, the radiation levels and more," says Tom Mahler, one of the report's lead authors.

"By manipulating these files, an attacker can potentially control exactly how the CT will work. This could be very dangerous and lead to radiation overdose, injury and possibly death."

Alternatively, attackers could attempt to mix up the scanning results, "causing mistreatment to the patient or vice versa". In neither example would the CT operator necessarily be aware that something was awry.
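One defensive control the passage points towards, written here as an added example that is not code from the Ben-Gurion team, Clalit or any scanner vendor: the control unit refuses a scan-protocol file unless it carries a valid integrity tag and every dose-related parameter sits inside a safe range, so a file edited after it was approved is never executed. The file format, the parameter names and the limits are all constructed for the illustration.

```python
import hashlib
import hmac
# Constructed, hypothetical protocol format (no vendor's): "key=value" lines, then a
# final "mac=<hex>" line over the lines above. Limits are illustrative placeholders.
SAFE_LIMITS = {
    "kv": (80, 140),        # tube voltage, kV
    "mas": (10, 400),       # tube current-time product, mAs
    "rotations": (1, 60),   # number of gantry rotations
}

def parse_protocol(body):
    """Turn 'key=value' lines into a dict; malformed lines are rejected outright."""
    params = {}
    for line in body.strip().splitlines():
        key, _, value = line.partition("=")
        if not key.strip() or not value.strip():
            raise ValueError(f"malformed protocol line: {line!r}")
        params[key.strip()] = value.strip()
    return params

def split_mac(text):
    """Separate the protocol body (newline-terminated) from its trailing mac= line."""
    body, _, last = text.rstrip().rpartition("\n")
    if not last.startswith("mac="):
        raise ValueError("protocol file carries no integrity tag")
    return body + "\n", last[len("mac="):]

def sign_protocol(body, key):
    # Append an HMAC-SHA256 tag at approval time so any later edit is detectable.
    return body + "mac=" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_mac(body, tag, key):
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison

def bound_violations(params):
    """Dose-related parameters that are missing, non-numeric or outside SAFE_LIMITS."""
    def in_range(name, lo, hi):
        try:
            return lo <= float(params[name]) <= hi
        except (KeyError, ValueError):
            return False
    return [n for n, (lo, hi) in SAFE_LIMITS.items() if not in_range(n, lo, hi)]

def accept_protocol(text, key):
    """Gate a protocol file: the tag must verify AND every value must be in range."""
    body, tag = split_mac(text)
    if not verify_mac(body, tag, key):
        return False                      # edited after signing: refuse to run it
    return not bound_violations(parse_protocol(body))
```

The range check is deliberately kept even when the tag verifies, so a file that was signed with an unsafe value in it is still refused.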

Although MIDs from different manufacturers use custom scanning applications, tailoring an attack for any one of these would not be difficult, confirms Mahler.

Having tested 23 different proof-of-concept attacks on MIDs in a simulated environment, Mahler and colleagues, bioinformatics expert Professor Yuval Shahar, cyber security expert Professor Yuval Elovici, and senior researcher Dr Erez Shalom, have promised to demo at a security conference during 2018.

The research predates WannaCry, but that malware's appearance served as a giant finger pointing to the weak protection of MIDs and medical devices in general.

"This attack demonstrated how quickly the development of cyber attack could be – the EternalBlue exploit was leaked in April, and the attack took place in May. Microsoft released a critical security update in March, even before the exploit was leaked, and it was still not enough to stop it."


Adding weight, the research was conducted in conjunction with Israel's largest healthcare provider, Clalit Health Services, whose head of imaging informatics is Dr Arnon Makori, who believes, if anything, that WannaCry has been underplayed.

"It was a global wake-up call for the whole healthcare world. I believe the impact was significantly higher than reported and many more devices and systems were affected," he told The Register.

Makori blames a "lack of awareness by the manufacturing companies, conservative operating systems and device architecture and cost benefit considerations" that will only be fixed with "a whole new cybersecurity strategy".

IoT infusion

The risks aren't limited to MIDs, and recent ZingBox research outlines a load of security holes in the design of one brand of IoT-enabled infusion pump, a ubiquitous medical device used to deliver fluids into patients at their bedside.

Hard-coded credentials that could be changed at will, lousy encryption, even the ability to splash a ransom message explaining that the device had been locked – you name it, it's all there.

That means, when we talk about healthcare security, we're mainly talking about information leakage. And in this particular field, we're actually talking about life and death, about interruptions of operations and patient safety, according to ZingBox.

What Wang and Mahler have uncovered is like a version of the panic over SCADA vulnerabilities in power stations – but worse.

"Medical devices are extremely valuable. You can ransom a person's files and it is inconvenient. If you ransom a person's life you will probably get as much money as you want," says Mahler. ®
