
Hey, before we get started, if you're in the back would you mind just coming up a little bit? Because I know the sound gets kind of messed up back there, so... got a lot of empty seats up here. Sorry to make you move, but it'd be really helpful. Awesome, cool, thanks guys. All right, so we'll get going here. So my name is Scott Erven. Just a little bit about my background: I work with Protiviti, I'm an associate director, and I specialize specifically in healthcare security and medical device security. So I'm also a security researcher. I've spent just over 15 years in IT and information security, and not only am I a researcher and consultant as of recently, but I did spend five years working with healthcare providers and running information security teams, and that's kind of where I got close to, or got a passion for, looking at medical devices. It was really when I was working in the healthcare environment and seeing these devices become connected, you know, devices that really affect or can have an effect on patient safety or human life ultimately. So I've spent over three years, the last three years, researching various vulnerabilities inside of medical devices, given quite a few talks, so we'll cover some of those phases of research here later in the talk. There's my Twitter handle if you want to hit me up on Twitter. Let Adam do an intro here and get us going.

All right, thanks Scott. So my name is Adam Brand, also with Protiviti, with Scott here. I've been in technology and security for a while. How I got interested in this stuff was through a group called I Am The Cavalry, which I don't know if many of you guys have heard of. We're looking at issues of security as it relates to human safety and human life, so for the past year or so I've been focused more on this topic. So our agenda, so what we're going to talk about. Awesome, thanks. So first we're going to talk about why research medical devices, right? There's a lot of stuff out there you guys could look at if you're thinking about doing a talk, so why focus on this area? Because we think you should. We're going to get a little bit into the research that Scott's done, phase one and phase two, looking specifically at, first, the medical device specific vulnerabilities, and then the exposure of those same systems on the internet and what that looks like. We'll talk a little bit about application security, and then we'll go into what we think the diagnosis is, what are some of the root causes of this, and what's the treatment, what do...
how do we think that this can be solved? So first off, so you know, why as a researcher should you look at these devices? I mean, for one thing, some of us actually depend on medical devices to live, right? So if any of you out there are diabetic at all you may have an insulin pump or a glucose monitor. That's important, right? If you don't have that working appropriately, or if that's hacked in some way, it can affect your life. In fact, one of the researchers who's been looking into a lot of this stuff, Jay Radcliffe, got into it because of his own personal device. So for some of us it's super personal, right? How many of you out there have been in a hospital as a patient, right? Yeah, so most of you, right? So you know this: when you're in the hospital, it's when you're most vulnerable, right? I mean, you're there, you're dependent on the doctors to see you through whatever procedure, there's all this equipment hooked up, and at that time you're really at a stage where, you know, if something happens with the computers or the equipment that you're connected to, you're kind of at their mercy. So a lot of this is for us as individuals. You should care because you're going to be in a situation someday where this might matter very personally. And then if you haven't been in the hospital, obviously you have people that you care about. They go in for procedures and things like that. I know for me personally, about a year ago, right after I started getting into this I Am The Cavalry stuff, I was going to the NICU. My sister-in-law was having twins and they were premature, and so she was in the NICU, and they had the heart rate monitors out and they were trying to find the fetal heart rate, you know, to see how the babies were doing, and the nurse was having trouble with the device and she's like, "Yeah, these things are so flaky," and she was complaining, and she's like, "Yeah, I may have to reboot it." I was thinking, reboot it? What? But yeah, it freaked me out, because I looked and she kind of tabbed out of whatever application this was on the screen and it was running Windows XP, and I saw the cloud background. I'm like, oh man, you know. And it's like, is that really what you want to see when someone you care about is in a situation like that? I'm thinking, you know, what's going on with the security of this organization where they have this outdated, potentially vulnerable operating system, potentially running Conficker, right? I mean, it's just
sitting there. So this is another reason why you should look at this: there will be a personal impact for yourself or someone that you care about sometime in the future. And then there's also the professional impact. So does this make sense professionally, right? And you're going to get out your hacker hoodie, sit down... there's plenty of bugs to find in this space. So this is not looking for those tiny nuanced bugs, where it's going to get you this and it's going to get you that and you have to do a ROP chain and all this other stuff. These are, you know, admin/admin is the password for this, whatever, right? You can do a talk on that. There's a lot of bugs to find. They're not super complicated from a domain-specific knowledge standpoint a lot of the time, so you can take what you've learned and what you've researched in other areas and apply it to this area. Just put yourself like 10 years back in time: what would have been the hot topic? And that's what's a hot topic in medical device security, right? There's a lot of work to be done in this space. It's a lot easier to explain the impact of your research too. So there was a talk earlier about, you know, how do we change the perception of security researchers and hacking, and how can we communicate better with reporters, and part of it is taking technical language and putting it down in an area where a reporter can understand. Well, in a lot of cases, these are very visceral and very easy to explain. You're not trying to explain a Chrome sandbox bypass, ASLR, SEH, whatever, right? I mean, strictly looking at the things that you can look at, you could say, oh yeah, I figured out a way to make drug infusion pumps dispense the wrong drugs, right? I mean, I can figure out how to OD patients in this hospital. That's very easy to explain to a reporter.

So what are we doing right now in the space as researchers and as security professionals? So a few things. One, we're looking at what the scope of the problem is, so we're starting to do these assessments, starting to look at devices in different areas, look at different organizations. We're also getting into the notification, and this is a really interesting process that Scott can tell you a lot about, but a lot of these manufacturers are not familiar with vulnerability disclosure processes, so we're helping through that process, handholding in some cases, facilitating in other cases. And then at the end of it, also public awareness. So we're trying to inoculate against future issues by bringing this issue to everyone's attention now, before the device manufacturer decides that they want to put Bluetooth on your pacemaker, right? So now Scott's going to talk a little bit about the research that he did in phase one and two.

Yeah, so when I first set out to do this, I was really looking at device-specific vulnerabilities, and I was looking across all modalities inside of healthcare. So what I mean by that is you're looking at everything from infusion and insulin pumps all the way to defibrillator and pacemaker type technology, X-ray, radiology, all the way up to critical, like radiation oncology devices like linear accelerators, and those types
of things. So I spent two years looking at the security of all these various types of systems, and in a way I kind of felt like, man, did I waste two years of my life? Because I came up with three bullet points here that really are basic security hygiene items, that the attack surface was there and it was very easy to get administrative credentials into these systems. So the first one that kind of wraps up is hardcoded or default service credentials. So what does that do? Well, that gives you administrative access. So basically anything that that physician or that nurse or that clinician can do, if they put it into that application incorrectly and it causes patient safety issues, you can do that as an attacker once we get administrative credentials. So treatment modification, configuration changes on these devices, those are the types of things that you see. Now understand that there's a very good... I shouldn't say a very good reason, there's a logic to why what is there is there, and historically we didn't think about those unintended consequences. And so the reason there's hardcoded passwords is obviously from a support perspective, so that these specialized support technicians have no trouble getting into critical devices when you're laying on the OR table. So there is a balance here that's a little bit unique to healthcare, right? So know that for a lot of these there's a reason why we did it, we just didn't think through the unintended consequences, and sometimes even if you think through it there's not a good answer; the risk doesn't necessarily... you know, the treatment in the device outweighs the risk. There's also known software vulnerabilities. So I think Adam was saying XP, something that's common. I'm going to show you an example here coming forward, but it is kind of rampant across the board on a lot of these legacy systems that they're running vulnerable versions of XP, they're not being updated inside the environment. Is there anyone here from healthcare? A couple of people, yeah, then you know, right? Yeah, so there's devices that are running legacy systems, sometimes you get pushback potentially from the manufacturers. It's getting better, but those legacy devices, they exist. Yeah, thirdly is unencrypted data transmission. And at first, you know, I like to focus my research on patient safety and look at it through that lens instead of patient privacy. Patient privacy, or privacy in general, is really important, but ultimately you've got to be alive to enjoy it. So the unencrypted data thing, a lot of people think, oh, that's a privacy issue. Absolutely it's a privacy issue,
but some of these devices, how they operate... medical device integration is a great one. So with meaningful use and those types of systems, we now need to dump... doing like population health management and data analytics and big data inside of healthcare, we need to dump all the data from critical devices that traditionally weren't on the network. So you get into anesthesia carts and ventilators; they were not network-enabled before, but you relate that to, okay, there's a lot of people that die on ventilators. Is it really that they're dying from pneumonia or is there something there? Well, we need the data, let's plug it in. So now these types of things are becoming more connected. The problem there is, leaving that data unencrypted, you can man-in-the-middle some of those systems, so you could alter the data from those types of systems, pump it down into the medical record. Now that becomes data integrity. Once you get to data integrity issues, what you see... there's plenty of research out there already on someone that goes and presents for treatment. So if Adam went and presented under my name for treatment, there's plenty of research out there on medical identity theft and those types of things that result in mistreatment, misdiagnosis, being prescribed the wrong medication. So that's kind of some of the risks that could potentially alter patient safety, not just the patient privacy aspect.

So I finished that first phase of research and got a lot of good feedback on it. A lot of: we do understand that these issues are there, as you know, but we firmly believe that these devices are segmented in our internal network and they're absolutely not accessible over the internet. And I had numerous emails just standing tall and wouldn't budge that that's not the case. Well, I knew otherwise. So I worked with another researcher, Shawn Merdinger; we gave a talk on some of this that we're going to cover here at DEF CON last summer, and we went out to look at internet-facing devices. So what's the issue here, right? We have systems that are both directly connected to the internet, and then we have kind of indirect exposure, which I'm going to show you here coming up through some Shodan searches and queries that we've run. We also, as this connectivity is growing, we're seeing cellular connectivity. So some external defibrillators that are, for example, inside of ambulances, they're sending 12-lead information and those types of things to the receiving ED. There's a very good reason why they do it, but they put it on public cellular. There's some other issues about this connectivity thing of, you know, manufacturers need to do a better job. In some examples it's like they have Bluetooth, they have 802.11 Wi-Fi, and they have cellular connectivity. Like, can't we pick one of them and reduce the attack surface? It's just crazy, right? It's just bolt on everything. So we've got to get better at doing that. And finally, they're being put in a very hostile environment, right, a known hostile environment, when you put them out there on the network. They aren't segmented off necessarily inside the network because we need to start pumping data into the medical records. Healthcare organizations are becoming flatter and flatter, so it's not like this is really isolated. There are some sections that are well isolated, but for the general part, and I'm going to show you some examples, I think it's kind of a misconception that we have.

So we were on Shodan, and our initial kind of goal to look at stuff was looking at direct internet-facing devices. Now we did find those; we talked about those at DEF CON. Those were everything from fetal monitors to linear accelerators to glucose monitors to external defibrillators. But also, when I began this search, I did a search for anesthesia and it kind of popped up in
Shodan, and other than it being a Windows XP system there was really no indication that it was a medical device, right? So I knew that it wasn't a medical device, and I realized when I looked at that that actually it was coming through SMB. So this information was being leaked through SMB, and it also had anonymous read to their internal Active Directory. So this first system we came across was a large US healthcare organization, over 12,000 employees, over 3,000 physicians, large cardiovascular and neuroscience institutions, which you'll see in the results that I show you. It exposed intelligence through that misconfiguration on over 68,000 systems, and it also provided a direct attack vector, which I'll talk about how that works and how that chains to all of those 68,000 systems. That wasn't just medical devices; I looked at it for medical devices, but this is every system inside their internal network that you could pivot to directly from the exposed system. And also when you look through the raw data, what you would find is we found indicators of common third parties, so organizations like lab services or radiology reading organizations that do third-party services to the provider; those were also in the data sets. So did we find one organization? Was it just this one that I happened to stumble across? No, we didn't. We found hundreds. So some of this is kind of scrubbed out, some of it's not, but you can see here where we're going with the search examples, just looking for SMB and then we're looking for org identifiers. So you can see here, like, we would do "health", "clinic", "hospital", "medical", the number of hits that we got for this misconfiguration that exposed system information. Once you change that term, so if you go to specialty clinics, so if you change those search terms to like podiatry, pediatric, urology, those types of things, you end up with thousands of them that were sitting out there. So why do we care about SMB? Well, as I said, the system also happened to be Windows XP that was vulnerable to MS08-067, which, as we know, is an SMB exploit. So now we have an external-facing system that's leaking this, and we know it's talking back through a known exploit that's been out there for what, eight years, seven years. So why does the information we're going to show you really matter? It's a gold mine for adversaries, it's a gold mine for attackers. It's got specific medical device information and applications. It leaks the hostnames of those devices and the supporting systems they're associated to, and you'll see in some of these examples it oftentimes leaks the actual floor, the office, the specific room number, physician name in many cases, and also
tells us, because it has the anonymous read from Active Directory, if there's a system timeout exemption, so we know that the system isn't going to time out. So let's get into some of the data and some of the searches. So this first one on the left, this is something with the system lockout or a timeout exception. You can see the screen lock is set to zero. With the screen lock at zero, then we know it's probably not going to require login. Over on the right, this is the medical record system. So I do want to point out this example happens to be Epic. This is not an Epic issue; this is the healthcare organization misconfigured their edge network and is exposing these systems. This is not an Epic issue that Epic can fix. But if you know about Epic, there's some interesting things in here. One, this is all the servers that run Epic, but if you get down to like three from the bottom and you see MyChart, MyChart is where you as a patient go through the application to access your patient record. If you get up towards the top, towards Clarity and Business Objects, this is where all the third-party reporting is done from the database outside of Epic, so there's going to be a lot of PHI, that type of information, in there, as well as Hyperspace, and those systems are actually the core function of Epic and the actual systems that run that medical record. The top one is actually an analytics server for Epic as well.

All right, let's get into some devices. So here you can see over on the left... I've scrubbed all of these out. I actually did work with DHS ICS-CERT and the affected healthcare organization. It was the first time DHS ICS-CERT actually had a security researcher that coordinated with a healthcare provider. So obviously we've coordinated with DHS and device manufacturers, but this was the first time that we worked that coordination between a researcher and an actual healthcare provider themselves, and it went very well. They shared full incident response details, acted appropriately. I won't go into detail on that, but they did respond. So over on the left is the hostnames of those systems on the network, and you can start to see more of the information. Up top, this is really PACS imaging. So PACS imaging, what that is, is in radiology, all the radiology systems, so the CT scanners, the nuke imaging systems, the X-ray systems that you work... they go to an archive system that holds all of the images. So you can see, like, the top one is probably like a PACS room, like a reading room where they would view those. The other ones, you can see like MRI or CT type systems. Here in the bottom, telemetry. So these ones, you can't tell exactly what type of devices these are hooked to, but devices that run on telemetry are typically associated with like infant abduction systems, so when you get the band and you have the baby and it goes through, it locks down the doors and all those types of things, or wandering adult patient care. So I said they had a very large cardiology institution, so these top ones, you can see some of the examples of doctor... and yes, it had full doctor name,
it would show their office number. You see Adrien whoever in the C... and you can see cath lab machines. That bottom one, that pacemaker, was actually labeled "pacemaker controller," so that was a little bit concerning. If you do research into how pacemaker controllers operate: if you actually get your hands on a pacemaker controller and there's a system like a pacemaker or a defibrillator within near-field communication to associate with that, the controllers don't require authentication. And that may be startling, right? But again, there's a good... you know, we don't want two-factor authentication, like, oh, I forgot, or my finger got chopped off and now I can't deliver a rescue shock to you. So those are some of the types of challenges that we get into when we get into those types of systems, of yes, we understand the risk, but make sure you're doing enough digging, like if you're going to do the research, to look at the solution and the feasibility of it. So even like implantable defibrillators, I've seen some research that comes out like, let's just throw encryption on the defib. Great solution, guy. Did you ever think the thing runs on a battery and we're going to have to open up your chest cavity every three months instead of every three years? You're probably going to die from infection. So make sure you think about those types of things too if you're looking at this, of what are those feasible solutions. There's a reason why a lot of this stuff is done the way it is, and that's what makes this more challenging, I think, coming up with solutions, but it's also more rewarding when you fix them because it does impact patient safety. So second is kind of pediatric nuke medicine, and down at the bottom, this is anesthesia. The very bottom one, "anesthesia workroom," okay, you can make a case that yeah, that's just probably like a nurse's system, but that top one, "anesthesia OR," if you know anything about how the OR environment works, there's not just extra computers laying around the outskirts of the OR, right? It doesn't happen. So this is most definitely an anesthesia workstation that's tied to the anesthesia cart inside and assigned to the OR.

So we found a few devices... well, no, that was just the example of one organization of thousands. We dumped all of the raw data on those 68,000 systems, used our favorite data analytics tool called Excel, did a fancy query called Ctrl-F search and find, and identified some of these systems that would flag. And so here's what we found inside that one organization. So as you can see, very large cardiology, cath lab type stuff, the pacemaker type systems. PACS system is very interesting; I want to talk about that one really quick. I think a lot of medical identity theft, if it's not going after the medical record itself, is coming after PACS systems. So PACS systems, if you log into them from like the radex workstation through the application, you actually have to log in with a unique username and password, but on the back end, if you actually hit a lot of those storage systems, almost every vendor that I've researched, you can go back in because there's no NTFS permissions on it. The ones that do have and require authentication, they're
using an interface call between the application and the backend storage, and it's hardcoded credentials that are sitting in technician manuals. So I'm going to turn it over to Adam quick to talk about some of the attack vectors with that type of information.

Cool, yeah, so potential attacks. So sometimes you have to break it down for these organizations in terms of what could happen, right? So it's like, okay, yeah, you have information on all our computers, great, wonderful, what's that going to get you? So here's an example of a physical attack that could be carried out with some of this information. So typically if you're going to do a physical pen test, obviously you can do some reconnaissance. This is like a treasure map, right, to exactly where you need to go. So here we know, for example, again from internet-accessible information, we have what types of systems are in their organization, so what could be of interest to us. We know the organization name and the address, we have the floor, room numbers, office numbers, the people's names that are going to be on the door, and we also, from the same information, can tell which of the workstations have this exception to a screen lock. So it's basically telling us: go to this room, this office, this computer isn't going to ask you for a password, right? I mean, that's the impact of this for a physical attack: go in, go out, you're done, right? Super easy. So from a phishing perspective, right, a lot of times it's still kind of risky to show up there in person, so from a phishing attack with the same information, as I said, you have some very detailed information that you wouldn't necessarily find on LinkedIn, right, to do very specially crafted phishing messages. You know the name of the machine, you know the location, you know what specific device it is potentially, so you can send a very crafted message: oh, such and such host needs to be rebooted, click this link to do it, right? Someone's going to go, oh, okay, they must know what it is. Who would know what that Bobby server is, right? So they'll click, and then you could develop a very targeted attack specific to the medical device. Again, there's hardcoded credentials in vendor manuals, so you know exactly what URL you need to hit, what parameters you need to pass it, to conduct this very targeted attack. So then there's obviously the pivot. So as Scott mentioned, there's this system sitting out there, this Windows XP machine vulnerable to MS08-067, great, but as you can tell from the information returned via SMB, this is connected to the broader corporate network, so you can go in and you can pivot from that machine to another one of those machines and hop around in the network, again using the very specific information you were able to pull down: hostnames, that type of information, what particular medical device it is, so you already know what types of vulnerabilities it will have in advance. So this is a situation where, okay, maybe the PACS imaging system isn't sitting directly on the internet, but it's one or two hops away from a system that is, that's connected to the same Active Directory infrastructure. It may as well be sitting on the internet, right? So now Scott's going to talk a little bit about application security, an area that's done really, really well from what I hear. Well, everything's done
well. So I wanted to touch on this a little bit. I'm not an appsec guy at all, but I find some nuances that are a little annoying or disturbing to me, and so I'm going to show this picture and let you decide. I know this is a terrible picture, but if anyone can read that, do you see that POST request? Like, are there any things that may stick out that have issues? Anyone? HTTP, yeah, that's the first one. See, I get all kinds of stuff. I don't even know what you're talking about, but that sounds interesting. See, I don't even find that one. But yeah, so what I see here, and you guys appsec people may see other things, so I'm not going to tell you what type of device this is, but what I'll tell you is this is a common thing that I see across multiple devices. And what this one was is, when I went in and I logged into the web interface of this wireless medical device, it has hardcoded admin credentials to get in. So once I got in I thought, hmm, this thing's wireless, let me go and look at the config and see if I can figure out how to break the wireless. Hopefully it uses WEP; a lot of these old medical devices use WEP. So I switched over to the network config, to the wireless config, and I was like, oh man, it's WPA2, this sucks, not going to be able to break it as easy. So I thought, I wonder if this thing checks any type of validation, and if I even have to change anything, without hitting save on the config, or will it just pass everything for me? So I decided to do that and put Burp in between, and I hit save. Sure enough, full information. You can see here on the bottom it's scrubbed out, so it gave me the SSID, the hardcoded SSID or the existing SSID, as well as the WPA2 keys. I was able to pivot, and you can compromise the internal network just because of that appsec issue there. The other thing is, if you notice, this thing doesn't use any type of session management or token. So yes, I needed to do a lot of stuff and figure out a hardcoded password in documentation in order to get into it, but now let me think beyond that: what can I do with these types of devices? So I did a test: basically took this POST request, stood up a wireless access point, bridged it to the internal network, sent a POST request with the new rogue, like a WiFi Pineapple, rogue AP, posted it, switched over, and now man-in-the-middle of everything. So I can see, in those types of scenarios, you can see key information, you can grab all the information that's flowing through there, whether that's a medical device integration product that has issues, whether that's an infusion pump that potentially you get PHI information from, or you can see like drug libraries getting pushed out over the network, those types of things. That's what happened here. In addition, their internal network that they put WPA2 on is now completely compromised. So you decide if it's an issue or not. Adam, quick... Yeah, no, that all
sounds like good appc to me so I'm also not an absec I think it's good I'm an ABC Pro all right um okay so let's get into some more of the issues so we talked you know a lot about some of the technical details of this stuff so what are some of the core you know what's a diagnosis if we're looking at these as symptoms of a disease what's the underlying fundamental condition that we want to hope to address so the most obvious one that we talked about here is that we have these exposed vulnerable systems that are out there um and in a lot of ways this shouldn't be a surprise right we have these systems
that are uh running software and maybe previously they were using solid state Electronics to do what they do now they're running you know wind embedded windows or Linux or something like that so they're software so they're going to have bugs right so they're going to be vulnerable to those bugs um and we're also putting them in positions where they're not really sufficiently defended on the network side we're connecting them to uh wireless networks we're hooking them up to Cellular Connections uh um so when you think about that connection we're opening the attack surface right so we're taking again a device that previously had no external attack surface and we're just putting it out there and hoping that nothing goes
wrong so what may be pitched from the vendor as oh we're going to give you this you know excellent softwar driven you know connected medical device is really essentially a vulnerable um exposed medical device right so that's getting to the some of the root of the issue here um and secondly there's just this lack of patient safety focus when you do look at some of the security that is on these devices a lot of it comes from the Privacy perspective which is great you know I like my privacy I'd like to be alive to enjoy it right um so that's fine we need more focus on the safety issues from these devices there's also the awareness Ness
in getting a sense for what the extent of the problem is, how far it has spread and why. So the first thing to recognize is, you know, this is just the tip of the iceberg that we've found so far in this research. This growth of connected medical devices is growing and growing every year, right? It's just accelerating, and the reason for that is healthcare overall is accelerating, and it's the nature of healthcare that you want to serve the patients in as many ways as you can, you want to get information to the doctors as quickly as you can. So it's just the nature of healthcare that's going to accelerate this growth to begin
with. So you're going to see a lot more doctors walking around with iPads, which they are already. And okay, those were introduced: "oh, it's just a monitoring function." Okay, well, now it's monitoring and I can prescribe a drug from it. Okay, now it's monitoring and I can approve this. Now it's monitoring and I can just turn the dial on this pacemaker, right? So there's a trend going on that we have to be aware of. The second is, so we have HIPAA. How many of you are familiar with HIPAA? Okay, so most of you, right? So HIPAA has got a great focus on privacy of information but zero focus on patient safety. So the focus of a lot of these
healthcare organizations has been, for a number of years, how to comply with HIPAA, and it's all about HIPAA compliance and what are we going to do to comply with HIPAA, and if it's not about complying with HIPAA then it's on the back burner. And that doesn't help this problem at all, because it gets in the way of a real risk analysis, which would say, look, you know, we have this problem: we leak some patient information, that's terrible, but we have this machine, this infusion pump or this anesthesia machine, that's accessible one hop away from the internet. That's a really big problem. So there's that going on. Also the FDA:
you know, we'd normally think, okay, here's an FDA-approved device, right? It's in the hospital, it must be safe. And it's safe in a lot of cases, but the FDA has even come out and said they're not doing testing for these cybersecurity issues. It's just not in scope, right? So if you can imagine, it's like you have a security organization that tells you that a computer is safe, but they didn't actually look at the software on the computer for security issues, right? I mean, yeah, the computer functions, but how safe is it? What vulnerabilities is it exposed to? And then the last thing to think about in some of
this problem area is a lot of people will dismiss this as "yeah, but what hacker is actually going to go after a patient infusion pump or pacemaker?" Right? You know, attackers are motivated by crime, by greed, by money, maybe some political motivations, but what's going to possess somebody to go into a hospital and say, "OD all the patients"? Right? The motivation isn't there. And so, I mean, we think
Sorry, so the question is: if an attacker were motivated, how would you detect it? And the answer is, you can't in a lot of cases right now. So that's one of the big issues right now: we kind of have low assurance that an incident has happened. We don't know. How do you prove an incident's happened? You have forensically sound logs and evidence. We don't have evidence capture, we don't have forensically sound logs being built into the medical devices. What we do know is every year the FDA, quote, gets several hundred thousand reports of medical device-associated patient safety issues, adverse events, and loss of life,
and those are only adjudicated clinically. So if you die on a ventilator, they'll say it was your pneumonia or whatever, then it'll go into a generic device malfunction. What it never goes to is: was it a security incident? And we don't have logs or sound data to prove that, so we don't know. So to me we have low assurance, we don't know. And unintentional: they get malware all the time, and unintended, okay, it was going after, you know, financial information, but did it hiccup and boom, it changed some setting? Those are the types of things that Adam's trying to get at: malicious intent is not a prerequisite. Yeah, exactly. And I think that that's part of
where they missed the boat on this. You put these things on the internet, and if you've ever experienced putting something on the internet and watching how it gets hit, I mean, that thing will get hit within minutes, right? I mean, there are people scanning the internet all the time for all kinds of things, and they may not be trying to hit your anesthesia machine on a debug port on port 8888 or whatever, but they happen to, and that happens to cause an issue. So we've talked about what the problem is, the extent of the problem. So we'd be remiss in not actually trying to think about what are
some of the solutions. So what's the treatment plan for this, if we were going to prescribe something? So there are a few points on this. The first one, which is what we try to convey coming here and also at other conferences, is that it kind of falls on us. There are not a lot of other people out there doing this, and as a security community we need to be looking at this issue. We can't expect somebody else to fix this problem for us. This is a problem that affects you, right? So you should be, hopefully, invested in the solution. So you actually need to get out there and start researching, start talking about this problem in the
organizations that you're in. Also, from an education perspective, the stakeholders need to understand some of the prerequisites for connecting these systems to the internet or adding additional software functionality. So it's not that you're telling them "no, you can't do this, you cannot add Bluetooth to this," but maybe saying "you can do this; however, before you do this, we need to do a top-to-bottom inspection of that Bluetooth software stack, we need to understand what are some of the security controls that are going to be in place against these potential attacks," right? So they need to understand that before they get into the decision-making process about adding that feature, not, you know, three years later when they're finished
with development and they're asking for a security review. The next one is getting multi-stakeholder teams and collaboration going. So, as I said earlier, it kind of falls to us, but it's not on us alone, and we can't do this alone. We can do some of the research, but we need people from the FDA to assist with potential regulation in this space, we need the device manufacturers to get involved in this, we need folks that can help see all the sides of the issues and put pressure on each of the pressure points that can allow this change to happen. And then finally, where we can, we have to emphasize that we're not
necessarily asking people to do something completely new, right? What we want to do is try to get security integrated in processes they may already have for quality control, for vendor procurement, so things that are already in place: how can we inject security into those processes? So a few pictures we want to paint. So we have the current state, and if we just let things continue as they are, as Scott said, there are several hundred thousand of these unknown incidents with medical devices each year that are piling up. There are no evidence capture capabilities, so as all these new devices with software being connected to the internet are introduced, there's no evidence capture, so we won't
even know if they were hacked. We have new devices coming to market with long-known defects. I mean, there are literally manufacturers out there today releasing their new Bluetooth-enabled device 3.0 that has the same vulnerability as Bluetooth-enabled device 1.0 had from years ago. And then we have new devices coming to market, new ideas, right? I was at the hardware store the other day and I was just looking in amazement at the number of wireless locks and wireless everything that you could get there, and this is only going to continue, and consumers and doctors are going to expect that type of
thing. You know, "oh, why can't I give this patient a shock from my iPad?" Right? So there are going to be more of these coming out, and unless we do anything about this we're going to be stuck in this situation years from now where we have tons of deployed devices that have some fundamental security issues. And not only are we dealing in a space where those adversaries that may not have the motive today... their motivations are changing periodically; they may find that this is an acceptable thing. Maybe they want to hold a hospital ransom, or they're going to disconnect all its drug infusion pumps, right? That could be a
viable criminal option for some organization in the future. Also, this increase in incidental contact: what happens when you double or triple the number of network-connected medical devices in a hospital and combine that with people constantly scanning the network and all other kinds of tools that may be present for monitoring on that network? There's just going to be incidental contact and incidental attacks. So what's a better way? What's a better future? So that previous future sounds pretty sucky. I don't want to be in a hospital in that future. So what's this model? So we take back patient safety as the overriding objective, and this should resonate with a lot of healthcare providers as
key to them. But okay, before we think about how convenient it is to add this device for a doctor, or add this feature to a patient medical device, think about what the patient safety impact is. And avoid, through education, repeating the mistakes that all the other industries made 10 years ago. I mean things like default credentials, unencrypted communications, all those things. What have we learned and how can we apply that here? Engaging stakeholders, as we mentioned. Getting the safety into existing practices. So we feel like if we do that, we'll be in a much better position where we have these medical devices out there that are more resilient to these types
of attacks, a future where there's a lot of collaboration and ongoing conversation in this area, because, as you know, security changes on a daily and weekly basis. And finally, medical devices, the connected medical devices, that are resilient not just to attacks but also to accidental electronic mishaps. And Scott has a story, an idea of how to do this too. We just wanted to end on a positive note of how not to do your medical device hack. And so I lived in Minnesota previously, and this is an actual picture I took. This is not some stock photo or something. I had to actually, like, drive around the block
like three times, like, underarm, through my car window. And so you can see, yeah, this guy's got the infusion pump, but he's definitely not on the hospital Wi-Fi, and that dive bar probably doesn't have Wi-Fi. But if you look really close, in his right hand he actually has a cigarette, and behind his leg he actually had a beer bottle. So, you know, maybe the smoking and/or drinking will kill him before that infusion pump, but I won't get into that, I can tell you that. So how do you get involved, right? If you want to do this type of research, before we wrap up into
questions: acquiring medical devices, those types of things. There are some regulations on what you can buy without a prescription, those types of things, but they are available on the third-party market, on eBay. There's another website called medw that has a lot of third-party reselling of devices. Get involved in the industry working groups, get involved in the solutions, whether that's working with providers or working with the medical device manufacturers, or getting involved with various things like the FDA security working groups for medical devices. They recently released guidance and those types of
things; get involved with those. Go speak at a conference about any of the research that you're doing. Focus on solutions, make sure you're as technically accurate as possible, and focus it all the way to solutions, so that you actually look at the technology, understand it, and don't make stupid recommendations like "encrypt stuff" that we really can't encrypt right now due to technology limitations. And finally, if you're interested, the Cavalry: there's a website, I highly recommend you go check that website out if you're not familiar with that group. And I do want to say too, I'm going to go to
questions here, but on a positive spin, a lot of the larger organizations have been developing larger information security teams over the last couple of years. So groups like GE, Medtronic, Philips, they really are working, and they are opening their doors and collaborating with researchers. So I can tell you, I worked with Philips; if you watched my DEF CON talk, they came out in July and said, "hey, this is what we're going to do for vulnerability disclosure policy and process," and as of November they actually released that publicly on their website. So they have vulnerability disclosure, and they were the first ones
to come out. So that's opening the doors. Medtronic has recently... they're still working on a formalized approach, but Medtronic, for example, if you go to their "contact us" page, right away it says, "hey, if you're a healthcare provider and you have an issue," or, I'd say, "if you're a security researcher," boom, here's a dedicated method to get a hold of us and we'll get back to you. So they are working on the issues, right? There are a lot of these legacy-type systems, but they're working to make it better. But the big guys are the big guys; there are still a lot of small and medium-sized companies that run medical
devices. So hopefully we'll continue down this path of collaboration between the stakeholders and things will start to get better, because as mobile and digital health grows, this problem is going to amplify and be even worse if we don't learn from previous failed practices. So, any
questions? No?
Practices, avoid failed practices? Yes, I will, when he's done.
Yep.
So the short question was: HIPAA hasn't been effective; would regulation be effective when it comes to security and medical devices, and would that work? I think the short answer, the approach that we've been taking, what we've been recommending, is not to go that route, but to try to get industry to adopt secure practices. But what does that look like? We've got to shift the stakeholders, and that's why we've been working with the healthcare providers, right? So the healthcare providers can incorporate certain requirements and validation testing of the devices prior to signing a contract with the manufacturer. And so, on the Cavalry side, I'm involved in, like, a
procurement guide of what they can do, what they can do contractually to tell the vendor, "hey, we're only going to select you; this is now our requirement." Just like it was a requirement that it ran on VMware and then it ran with our thin clients, it's now a requirement, and we actually validate it, and if you don't meet that, you're not coming in the door. And there are other organizations out there that have spoken publicly over the last years. So Mayo Clinic, they're a big one, they've been working on it. It's a large organization that has a lot of impact when they do
that. Les Stenberg is a CISO down at MD Anderson Cancer Center; they also have done it and incorporated that into their procurement process. So as those things change, it kind of changes that influence. You know, the FDA has kind of taken that hands-off approach because regulation isn't necessarily the answer, but we've got to look at all those stakeholders and what kind of influences them and what their drivers are, and that's what we're trying to do. Anything else? No? We're all medical device experts now. Good. All right, well, enjoy BSides, and thanks guys for coming out. Have a good one. [Applause]