
Imagine you're having a CT scan and malware alters the radiation levels – it's doable

WannaCry was a wake-up call for healthcare, but the sector is still terribly vulnerable to attack


As memories of last May's WannaCry cyber attack fade, the healthcare sector and Britain's NHS are still deep in learning.

According to October's National Audit Office (NAO) report (PDF), 81 NHS Trusts, 603 primary care organisations and 595 GP practices in England and Wales were infected by the malware, with many others in lockdown, unable to access patient data.

WannaCry's upshot was to lock staff out of Windows computers, a bad way to learn the lesson that failing to patch old kit has consequences. But there was another, less obvious discovery: medical imaging devices (MIDs) such as Magnetic Resonance Imaging (MRI), Computed Tomography (CT) scanners, and digital imaging and communications (DICOM) workstations were badly disrupted, with serious knock-on effects for hospital workflow even when other systems had been restored.

In today's NHS, and healthcare generally, MIDs matter out of all proportion to their numbers, with some hospitals relying on perhaps half a dozen to cope with large volumes of disease and cancer diagnostics and pre- and post-operative imaging. "It's hard to imagine life without them," a hospital consultant who wished to remain anonymous told The Register.

Costing anything from £150,000 for smaller CT scanners to millions for the latest MRI designs, these turn out to be difficult to defend. Many in the NHS are controlled through applications run from vulnerable Windows XP or 7 PCs, the former reacting to WannaCry by blue-screening, effecting an inadvertent denial-of-service.

As the NAO noted: "This equipment is generally managed by the system vendors and local trusts are not capable of applying updates themselves." The UK's health sector security hand-holders NHS Digital confirmed to the NAO that manufacturer support was often poor, leaving trusts with few defensive options beyond isolating scanners from internal networks in ways that made accessing imaging data impractical.

Denial-of-Scanning

As far as anyone knows, WannaCry's makers did all of this without even meaning to. What if they had set out to take down a hospital, or attack MIDs in a calculated way? The possibilities turn out to have been alarmingly underestimated.

For May Wang, co-founder and CTO of US IoT security firm ZingBox, the proof-of-concept attack on healthcare was Conficker in 2008, not WannaCry in 2017.

"You don't hear about it but the impact of Conficker is actually bigger," says Wang. "But because not everybody is reporting it, we don't see that much impact in public."

It's a staggering thought: almost a decade after it infected hospitals around the world, including 800 PCs at a teaching hospital in Sheffield, a worm targeting a vulnerability in an obsolete version of Windows is still on healthcare's to-do list.


Researching the security of medical devices in 50 US hospitals, ZingBox discovered that, sure enough, MIDs contributed half of the high-risk security issues. The underlying cause? Almost all of these systems were being controlled through Windows workstations, often flaw-ridden versions going back to XP and even 98, which reflects the age of the scanning hardware.

"Because they're using a full-blown OS, they have the capability to use a browser, download applications and to do lots of things you are not supposed to do on an OS controlling an X-ray machine."

In the US at least, hospitals often try to partially isolate MIDs on VLANS, a strategy which quickly degrades as more devices are plugged into the same network segment.

ZingBox found that only a quarter of the devices on VLANs were medical in nature with the remainder made up of PCs, printers, and mobile devices, all vulnerable to malware that could use them as a staging post to reach MID workstations.

Compounding this is the way the number of connected and IoT-enabled medical devices is growing faster than bio-medical IT staff can keep up, says Wang. In many cases, hospitals don't even audit these devices, which makes protecting them hypothetical.
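The audit Wang describes is straightforward to automate once a segment's inventory exists. The following is an added example, not ZingBox's tooling or anything from the article: it takes a constructed device list for a hypothetical imaging VLAN (hostnames, addresses and the `kind`/`os` fields are made up) and reports the medical share of the segment, the non-medical devices that could serve as a staging post, and the medical controllers still running the Windows versions the article names.

```python
from collections import Counter

# Constructed inventory for a hypothetical imaging VLAN; the hostnames,
# addresses and counts are made up for this example and not from the article.
INVENTORY = [
    {"host": "ct-console-01",  "ip": "10.20.5.11", "kind": "medical", "os": "Windows XP"},
    {"host": "mri-console-01", "ip": "10.20.5.12", "kind": "medical", "os": "Windows 7"},
    {"host": "dicom-ws-03",    "ip": "10.20.5.13", "kind": "medical", "os": "Windows 10"},
    {"host": "reception-pc",   "ip": "10.20.5.40", "kind": "pc",      "os": "Windows 10"},
    {"host": "ward-printer",   "ip": "10.20.5.41", "kind": "printer", "os": "embedded"},
    {"host": "tablet-17",      "ip": "10.20.5.42", "kind": "mobile",  "os": "Android"},
    {"host": "visitor-laptop", "ip": "10.20.5.43", "kind": "pc",      "os": "Windows 7"},
    {"host": "unknown-0a1b",   "ip": "10.20.5.44", "kind": "unknown", "os": "unknown"},
]

# Windows versions the article names as the ones controlling scanners.
LEGACY_OS = {"Windows 98", "Windows XP", "Windows 7"}


def medical_share(inventory):
    """Fraction of devices on the segment that are actually medical."""
    if not inventory:
        return 0.0
    medical = sum(1 for d in inventory if d["kind"] == "medical")
    return medical / len(inventory)


def foreign_devices(inventory):
    """Non-medical devices sharing the segment: candidate staging posts for malware."""
    return sorted(d["host"] for d in inventory if d["kind"] != "medical")


def legacy_medical_controllers(inventory):
    """Medical devices whose controlling workstation runs a legacy Windows version."""
    return sorted(
        d["host"] for d in inventory
        if d["kind"] == "medical" and d["os"] in LEGACY_OS
    )


def audit(inventory):
    """One report per segment: what is on it, and what should not be."""
    return {
        "device_count": len(inventory),
        "by_kind": dict(Counter(d["kind"] for d in inventory)),
        "medical_share": round(medical_share(inventory), 3),
        "foreign_devices": foreign_devices(inventory),
        "legacy_medical_controllers": legacy_medical_controllers(inventory),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(INVENTORY), indent=2))
```

In practice the inventory would come from the switch's MAC table, DHCP leases or a passive network sensor rather than a hand-written list; the value of the report is that an unknown or non-medical device appearing on an imaging segment becomes an event someone sees, rather than a fact nobody recorded.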

Ambulance chasing

Noticing the same vulnerabilities as ZingBox, researchers at Ben-Gurion University of the Negev in Israel decided to test out their hunch that MIDs could even be attacked directly by targeted malware.

The team's preliminary findings were published in a report (PDF) in February, which identified CT scanners as the number-one risk. These expose patients to defined amounts of radiation, a setting controlled using a configuration file whose parameters are set from a workstation application.


"This file is basically a list of instructions that the control unit gives to the CT in order to tell it how exactly to perform the scan, including how to move the motors, the duration, the radiation levels and more," says Tom Mahler, one of the report's lead authors.

"By manipulating these files, an attacker can potentially control exactly how the CT will work. This could be very dangerous and lead to radiation overdose, injury and possibly death."

Alternatively, attackers could attempt to mix up the scanning results, "causing mistreatment to the patient or vice versa". In neither example would the CT operator necessarily be aware that something was awry.
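The control unit is the last point at which a manipulated instruction file can be caught, so that is where the checks belong. The following is an added example, not the Ben-Gurion team's code and not any vendor's format: it uses a constructed JSON scan-instruction file with made-up parameter names and safety limits, verifies an HMAC issued when the file was created, and then independently range-checks the exposure parameters, so that a file that is correctly signed but carries a dangerous value is still refused.

```python
import copy
import hashlib
import hmac
import json

# Constructed placeholder; in a real design the key lives in the control unit,
# never on the workstation that writes the file.
PROTOCOL_KEY = b"example-key-held-by-control-unit"

# Hypothetical safety envelope enforced by the control unit itself.
# The parameter names and bounds are made up for this example.
LIMITS = {
    "tube_voltage_kv": (80, 140),
    "tube_current_ma": (10, 600),
    "exposure_time_s": (0.1, 5.0),
    "table_speed_mm_s": (0.0, 150.0),
}


def sign_protocol(params, key=PROTOCOL_KEY):
    """Hex HMAC-SHA256 over a canonical JSON encoding of the scan parameters."""
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_envelope(params, key=PROTOCOL_KEY):
    """What the issuing side writes: the parameters plus their MAC."""
    return {"params": params, "mac": sign_protocol(params, key)}


def validate_protocol(envelope, key=PROTOCOL_KEY):
    """Return a list of problems; an empty list means the scan may proceed."""
    problems = []
    params = envelope.get("params", {})

    # 1. Integrity: was the file altered after it was issued?
    expected = sign_protocol(params, key)
    if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
        problems.append("MAC mismatch: file altered after it was issued")

    # 2. Safety envelope, checked regardless of the MAC result.
    for name, (lo, hi) in LIMITS.items():
        if name not in params:
            problems.append(f"missing parameter {name}")
            continue
        value = params[name]
        if isinstance(value, bool) or not isinstance(value, (int, float)) or not lo <= value <= hi:
            problems.append(f"{name}={value!r} outside safety envelope [{lo}, {hi}]")
    return problems


# Constructed sample: a well-formed file as the workstation would issue it.
GOOD = make_envelope({
    "tube_voltage_kv": 120,
    "tube_current_ma": 200,
    "exposure_time_s": 1.0,
    "table_speed_mm_s": 40.0,
})

# Same file with the current edited in place after signing: MAC and range both fail.
TAMPERED = copy.deepcopy(GOOD)
TAMPERED["params"]["tube_current_ma"] = 2000

# A file signed with the key but carrying a dangerous value: only the range check catches it.
SIGNED_BUT_UNSAFE = make_envelope({
    "tube_voltage_kv": 120,
    "tube_current_ma": 2000,
    "exposure_time_s": 1.0,
    "table_speed_mm_s": 40.0,
})

if __name__ == "__main__":
    for label, env in (("good", GOOD), ("tampered", TAMPERED), ("signed-unsafe", SIGNED_BUT_UNSAFE)):
        print(label, validate_protocol(env) or "ok")
```

The two checks answer different questions. The MAC detects modification between the workstation and the scanner, but it is only as strong as the secrecy of the key, and a workstation that has been compromised can sign whatever it likes if the key is stored there. The range check needs no secret at all and is what stands between a bad file and an overdose, which is why it belongs in the control unit rather than in the application that writes the file.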

Although MIDs from different manufacturers use custom scanning applications, tailoring an attack for any one of these would not be difficult, confirms Mahler.

Having tested 23 different proof-of-concept attacks on MIDs in a simulated environment, Mahler and colleagues bioinformatics expert Professor Yuval Shahar, cyber security expert Professor Yuval Elovici, and senior researcher Dr Erez Shalom have promised to demo at a security conference during 2018.

The research predates WannaCry, but that malware's appearance served as a giant finger pointing to the weak protection of MIDs and medical devices in general.

"This attack demonstrated how quickly the development of cyber attack could be – the EternalBlue exploit was leaked in April, and the attack took place in May. Microsoft released a critical security update in March, even before the exploit was leaked, and it was still not enough to stop it."


Adding weight, the research was conducted in conjunction with Israel's largest healthcare provider, Clalit Health Services, whose head of imaging informatics is Dr Arnon Makori, who believes, if anything, that WannaCry has been underplayed.

"It was a global wake-up call for the whole healthcare world. I believe the impact was significantly higher than reported and many more devices and systems were affected," he told The Register.

Makori blames a "lack of awareness by the manufacturing companies, conservative operating systems and device architecture and cost benefit considerations" that will only be fixed with "a whole new cybersecurity strategy".

IoT infusion

The risks aren't limited to MIDs, and recent ZingBox research outlines a load of security holes in the design of one brand of IoT-enabled infusion pump, a ubiquitous medical device used to deliver fluids into patients at their bedside.

Hard-coded credentials that could be changed at will, lousy encryption, even the ability to splash a ransom message explaining that the device had been locked – you name it, it's all there.

That means, when we talk about healthcare security, we're mainly talking about information leakage. And in this particular field, we're actually talking about life and death, about interruptions of operations and patient safety, according to ZingBox.

What Wang and Mahler have uncovered is like a version of the panic over SCADA vulnerabilities in power stations – but worse.

"Medical devices are extremely valuable. You can ransom a person's files and it is inconvenient. If you ransom a person's life you will probably get as much money as you want," says Mahler. ®
