Insecure medical equipment protocols let attackers spoof diagnostic information

Originally published at: https://boingboing.net/2018/08/15/cleartext-udp.html

1 Like

Healthcare techy person here - this is probably not going to be a big deal, with one major exception: if someone decides to use this as a feature in some really goddamn scary ransomware.

You’d just have to implant it on one device that’s connected to the same network as the monitors. I should point out here that I have never seen these monitor systems physically locked down, mostly because they have to be in highly-visible areas. Otherwise there’s not much point, y’know? (And besides, I can all but guarantee that these can be accessed remotely; hospital networks are very poorly locked down.)

But anyway, imagine a software that actively and randomly spoofs vitals and heart rhythms. It’d be an absolute disaster, especially in ICUs where people are trained to respond quickly and decisively to these shifts. In many places, you’d carefully adjust some drip (that has a very narrow therapeutic range) based on those monitors only seconds or minutes after seeing a change, and then adjust more if the patient’s not responding to it. You could kill a bunch of people in minutes or hours just by futzing with those areas.

And so you could really have a hospital over a barrel if you loaded this ransomware on their network; where you can take time to consider and respond to a handful of ransom’d workstations, you’d be forced to respond almost instantly to give in to attacker demands, no matter the cost, if they were threatening to murder people if you didn’t - and the family could probably sue the hospital, and win, if they refused to do so. Because it’s their fault for not locking their systems down, after all.

6 Likes

I hope this kind of attack never happens to a radiation therapy machine.

1 Like

Surely spoofing diagnostic data is a Munchausen in the middle attack?

4 Likes


My first I.T. management gig was maintaining a Meditech system running on Data General mini computers and then HIS on AS/400. Sure, that was a while ago but what’s been going on since? Why are hospitals running Windows based clinical systems? Has medical IT become so lax and lazy that people are approving the OS with the largest attack surface to run their hospitals? And while I’m asking, why are monitoring systems being attached to a LAN? Did ANSI based terminal interfaces stop working? It’s sounding like the quality and state of clinical/medical IT has really declined.

Short answer? Hospital IT needs expanded beyond that, and any vendor willing to support the very obscure mix of technologies that would cover all of a hospital’s needs (think pharmacy databases and how they have to talk to any other pharmacy, physician order entry systems that have to be able to connect to remote systems like the doctor’s home and office workstations regardless of what they’re running, purchasing and inventory management systems and how those need to be able to be interoperable…) would charge so much for the weirdo, super-custom stuff you’d need (and probably introduce a ton of security holes by accident when making it) to make older tech work for today’s needs that it’d be cheaper to get off-the-shelf and then just pay a security company half that to lock your stack down six ways from Sunday.

If you want to invest the money, you can secure the shit out of Windows and your network. But then you need really strong policies and be willing to spend the money to do so, and need to compete against other businesses for people that are able to build and maintain that kind of environment, all of which is very expensive and very hard to explain to a CEO without a technical background (or a COO that gets 100% of his or her technical knowledge from trade show leaflets, or even more commonly is just taking kickbacks from bargain-basement vendors).

So hospitals will, by and large, remain insecure against a dedicated attacker. Too many attack surfaces, too many 3rd-party systems, too many people with access to all of these attack points. The only systems I’ve seen that are decently locked down are military hospitals, and about 90% of the reason that’s the case is a combination of them piggybacking on the DOD’s economy of scale for security, and them spending a shitload of money to do so because “fuck it, it’s taxpayer dollars”.

1 Like

Did the industry not adopt HL7? That interface allows any clinical system to talk to any other clinical system via whatever connection method you choose.
Meditech has inventory management and purchasing modules and allows remote connection for clinics. HIS has all of that as well. I guess I just don’t see a use for Windows and PC based architecture when the mini computer market is so robust.

HL7 is a fine protocol, and if you can find me a single major vendor that implements it fully and properly across their product line, I’ll happily buy you a beer.

Sadly, most all of them took notes from Microsoft, where once they become a major player, they try to create ecosystem lock-in by subtly breaking shit in a way that forces the upstream and downstream guys to code for their particular brokenness, which itself is more or less a way to make it more expensive to adopt a competitor’s product, because then that company’s product doesn’t work quite right, and requires, at a minimum, a secondary HL7 parser that makes the broken shit work right with the other company, and that’s expensive, so… Yeah.

Is this a downsizing of hospital IT? Even in a small hospital running Meditech we had a helpdesk tech, a manager (me), and 2 full time Meditech analysts/programmers who would knock out a custom HL7 fix in a couple of days.

Nah, nobody wants the liability now, and maintainability is too much of an issue for custom solutions. Everyone wants a company that they can still trust to be there in 10 years’ time to do this stuff, and that’s honestly kind of fair.

You meet very few people that get their hands dirty with HL7 these days - not to be disrespectful, because I doubt our ages are that far apart, but most of the people still actively writing HL7 are older dudes from, well, the time you’re talking about - before everything got subsumed by bigger companies and consulting firms and so on.

Honestly, though, it’s weird that we have our own custom healthcare markup language. Why the fuck we don’t move to a standardized format like an XML is beyond me, and it would make it infinitely cheaper to maintain and much more extensible.

Version 3 messaging has been XML based since 2005.

See how much I’ve been keeping up on this topic :)

I work with our IT people all the time, and very, very few people mess with it - there’s a few people that know enough to be dangerous, but for any proper conversion engine we always use an outside company. Too high a risk of breaking something for too little reward, y’know?

Ah, what could go wrong?

1 Like
