In October of 2019, in an almost ironic and coincidental foreshadowing of events to come, the FDA warned healthcare providers about 11 cybersecurity vulnerabilities, dubbed URGENT/11. Although no attacks leveraging these vulnerabilities are yet publicly known, they expose certain medical devices and hospital networks to potential attacks. These vulnerabilities were found in a third-party software component that has been adopted by many different manufacturers and incorporated into various “software applications, equipment, and systems,” according to the FDA.
Considering the recent warning from INTERPOL urging hospitals around the world to be on high alert for imminent cyberattacks, URGENT/11 could have critical consequences during the current pandemic. While hospitals focus all their attention and energy on saving lives and keeping pace with the global pandemic, the number of ransomware attacks targeting organizations critical to virus response has increased. This rise in attacks raises the concern that these known vulnerabilities could be leveraged to target medical devices, adding to the burden on hospitals that already find themselves in dire conditions.
Register for the 2nd Annual Legacy Medical Device Cybersecurity Conference | A Virtual Event | September 22–23, 2020 Initially one might think that while an increase in ransomware attacks against hospitals is dangerous, it is separate from the worry that an attacker could gain remote control of a medical device. Since money is usually the motivation of attackers who leverage ransomware, why would they go one step further to take advantage of the URGENT/11 vulnerabilities? There are a few reasons. Devices could be leveraged as a means-of-entry into a hospital’s network if poorly configured or accidentally exposed to the internet. Attackers also might not plan to disrupt devices with an attack. Medical devices could be collateral damage in a broader system-wide attack, with a ransomware attack disabling these devices and rendering them unusable.
There is a long history of adversaries targeting medical institutions with ransomware and other destructive cyber-attacks. The Institute for Critical Infrastructure Technology cited ransomware as “the primary threat” to healthcare organizations in 2016, which has proved to be true in recent years. Without even factoring in the effects of COVID-19, ransomware attacks against healthcare providers increased 350% during the last quarter of 2019, with the rapid pace of attacks already continuing throughout 2020 according to a report from Corvus.
When it comes to ransomware attacks, cyber criminals know that healthcare is more likely than other industries to pay the ransom: Hospitals simply cannot afford the time it would take to recover. Even the smallest amount of downtime for medical equipment or hospital networks could endanger patients. Faced with patient lives at risk, rather than just revenue loss, it’s not surprising that nearly a quarter of ransomware attacks against hospitals result in some form of payment. By locking up imperative files, making a hospital unable to admit patients, or damaging or controlling medical devices—such as CT scanners and infusion pumps—a successful attack can have a devastating impact on a hospital’s ability to care for patients.
Since ransomware attacks can have immediate and real-world consequences, cyber attacks against the healthcare sector are unique. Whether attackers are callously ignoring the fact a successful attack leaves patients at risk or seeking to enact maximum damage, malicious actors are guilty of much more than a quick money-making scheme.
Fortunately, volunteer groups of cyber experts have emerged during the current pandemic to offer their support, including a group of 1,400 called the COVID-19 Cyber Threat Intelligence League. The group has taken down nearly 3,000 malicious virus-related domains as of April 14, including sites impersonating the World Health Organization, the United Nations, and the CDC.
The group has also found more than 2,000 vulnerabilities in “high risk” healthcare organizations. Combine the vulnerabilities available to attackers with the increase in attacks against organizations involved in virus response, and it may only be a matter of time before the world sees more successful attacks against hospitals and medical devices. We must be ready to detect and respond to them before damage can be done.
Concerns regarding attacks against medical devices are situated within a larger trend: In recent years, cyber criminals have increasingly targeted and manipulated devices that are considered part of the Internet of Things.
The Internet of Things, or IoT, are devices that connect to the internet and include everything from ‘smart’ devices, such as internet-connected coffee machines, to virtual assistants, advanced manufacturing machinery, and beyond. Knowing that these devices often have less built-in security and are difficult to secure with traditional security tools, they represent low-hanging fruit for attackers. In my work as a threat analyst, I’ve seen video conferencing systems in board rooms turned on to listen in on M&A discussions, biometric scanners breached to gain access to sensitive manufacturing facilities, and Raspberry Pi computers hidden in a hospital’s data center to exfiltrate data.
IoT devices continue to grow in popularity, with Gartner reporting the industry can expect to see 5.8 billion IoT devices in use by the end of 2020. Medical devices are included in this trend, with more and more devices becoming connected to the internet. Wearable devices and different monitoring devices are all part of IoT, including devices that monitor ICU procedures and vital signs, and others that wirelessly monitor ultrasounds. These ‘smart’ medical devices have become more common in hospitals and all require connection to the Internet.
At this point, we have not seen an instance where a medical device has been hacked and allowed a malicious actor to access a hospital’s network via the device. Instead, the reverse is actually the concern when we think about URGENT/11 and the consequences the vulnerabilities on the list could entail. Ransomware is programmed to spread laterally through networks, and if the malware is able to spread from the network to the medical devices it could easily result in disabled medical devices. Whether an attacker intended to target the medical devices or not, if devices are locked up or compromised during a ransomware attack, patient lives could be at risk.
The FDA reported that “URGENT/11 affects several operating systems that may then impact certain medical devices connected to a communications network” and that medical devices affected include an imaging system, an infusion pump, and an anesthesia machine. At this time, the agency is not aware of any confirmed attacks or adverse events connected to these vulnerabilities, however, the agency still warned that the software to exploit these vulnerabilities is publicly available. Cyber attackers will use whatever tools and access points they have at their disposal to accomplish their aims and we will undoubtedly see adversaries leverage these vulnerabilities at some point.
While medical device manufacturers have released patches to address the vulnerabilities found last October, it’s probable that hospitals haven’t updated every single one of their devices. Hacking attempts leveraging the EternalBlue exploit—leveraged in the 2017 WannaCry attack—reached historic highs last May, even though Microsoft had released a patch in 2017. If hospitals haven’t already patched their devices by installing the necessary updates, this task will have almost certainly been pushed to the back burner by the pandemic. It is also likely that even more undiscovered vulnerabilities exist, meaning that even after software updates, the devices might still be at risk.
U.S. hospitals have no choice but to operate these medical devices at unprecedented levels, even with the knowledge there are security vulnerabilities, since the lives of patients outweigh any cyber security risks. However, it is difficult to fully divide these two concerns: Cyber-threats to the networks that hospitals and medical devices depend upon also concern the lives of sick patients.
Amidst a pandemic, overwhelmed IT and security teams will not have the time or resources to patch the vulnerabilities left unresolved from URGENT/11, in addition to the 2,000 more recently identified by the COVID-19 Cyber Threat Intelligence League. With medical devices left unpatched, and the looming possibility of unknown vulnerabilities, hospitals are left more at risk than ever.