Sunday, January 31, 2016

Tabula Rosa Systems Blog Of 1/31/2016 - How Can Hospitals Protect Their Medical Equipment From Malware?

How can hospitals protect their medical equipment from malware?
 ==========================================================
Some scenarios sound like something out of a Tom Clancy novel, but are completely plausible
  
Adam Winn, June 26, 2015 healthcarenews.com

The challenges in protecting hospitals from cyber attacks are very similar to those faced in ICS and SCADA environments; the equipment used in hospitals is not user-serviceable and therefore often running out-of-date software or firmware. This creates a dangerous situation where:

The devices have known vulnerabilities that can be easily exploited by bad actors

Administrators are not likely to notice malware running on the device as long as nominal operation is maintained

The end goal of bad actors infecting a medical device is to use it as an entry and pivot point in the network. Valuable patient records are not likely to be present on the medical devices, but those devices often have some level of network connection to the systems that do contain patient records.

What exactly is a bad actor likely to do after getting a foot-hold on the network? Move laterally to find patient records that can be used for:
·         Identify theft
·         Blackmail
·         Steal research data for financial gain
·         Deploy ransomware like Cryptolocker, effectively crippling the facility unless a bribe is paid
·         Trigger widespread system malfunctions as an act of terrorism
·         Carry out a 'hit' on a specific patient
The first three items are strictly motivated by financial gain, and this has been the extent of observed attacks to date. The fourth item seems possible but unlikely, either due to morals or the relatively higher value of attacking other targets like power plants or defense facilities. The fifth item hasn't been detected yet, but that doesn't exclude the possibility that it has happened. Carrying out a silent assassination with malware would be very hard to trace back to the attacker, and could even be sold as a service (similar to DDoS as a service).

The scenario for number 5 sounds like something out of a Tom Clancy novel, but it is completely plausible. The attacker (or entity paying for the attack) would only need to know the target, have knowledge of an upcoming procedure, and know where the procedure was to take place. One caveat is that identifying which device(s) would be used with that patient, and when, could be difficult but not impossible to know.#

Real-world vulnerability examples
Billy Rios, a security researcher, recently went public with a vulnerability that affects drug pumps and could potentially be exploited to administer a fatal dose of medication to a patient. Rios notified the DHS and FDA up to 400 days ago about the vulnerability and saw no response, so he went public to put pressure on the manufacturer to fix the issue. Faced with the reality that some medical equipment manufacturers do not invest in securing their devices from exploitation, the onus of security therefore falls on the users of such equipment.

This discovery shows a real-world example of how a cyber attack could affect a medical device and potentially endanger lives. There is no question that this type of threat needs to be taken seriously. The real question is, how can hospitals effectively protect devices such as these?

It's clear that installing antivirus software on medical equipment is impractical and basically impossible. Furthermore, healthcare IT are relatively helpless to patch the software and firmware running on these devices. So considering those vulnerabilities, and the difficulty in remotely scanning these devices, the best solution is simply to prevent malware from ever getting to these devices. Thankfully this challenge has already been solved in ICS and SCADA environments.

In a recently profiled attack on hospitals, one of the infection vectors was thought to be a technician visiting a compromised website on a PC with direct access to a picture archive and communication (PACS) system. The report details that the malware was detected but not before infecting the PACS system. Due to the nature of the system it could not be scanned for malware, let alone cleaned. It was then used as a pivot point to find a system with medical records that could be exfiltrated back to the attacker.

Medical facilities share vulnerabilities with SCADA and ICS, so why shouldn't they also share protection mechanisms? Critical infrastructure providers, especially power plants, often make use of air-gapped networks as a very effective defense mechanism. Taking the above story as an example, the PC with a web browser and internet access should not have also had access to PACS. This simple step would have stopped the infection from doing any damage at all. If, for example, the technician needed to download something from the internet and transfer it to PACS then it would have to be transferred onto the air-gapped network.

How sanitization of the operating room compares to preventing cyber infections
Hospitals and their staff are very accustomed to preventing the spread of biological infections and they must now apply similar levels of prevention to preventing the spread of cyber infections. Defending against cyber infections, by comparison, is much easier. The medical industry isn't alone in fighting this threat – they don't have to invent new techniques for preventing infection, they simply need to adapt the proven strategies employed by other industries.

Simply employing an air gap doesn't guarantee security. The point of the air gap is to create a point through which data movement is carefully controlled. Additional measures must be employed to ensure that pathogens are not allowed access. In medicine these measures consist of removing foreign material with soap and water, and disinfecting with various antimicrobial agents. It's not practical to scan doctors and nurses for bacteria, so every surface is assumed to be contaminated until sufficiently cleaned and disinfected. The control point in a data flow is comparatively easier to maintain, as there are techniques for quickly finding infections on media moving through the air gap. For extra protection, any files deemed 'clean' can still be disinfected to completely eradicate the possibility of a threat doing undetected.

============================================== 
For a great satire on email, please see the following:
https://www.youtube.com/watch?v=HTgYHHKs0Zwscoop_post=bcaa0440-2548-11e5-c1bd-90b11c3d2b20&__scoop_topic=2455618
=============================================== 
Good Netiquette And A Green Internet To All! 

Special Bulletin - My just released book

"You're Hired. Super Charge our Email Skills in 60 Minutes! (And Get That Job...) 

is now on sales at Amazon.com 

Great Reasons for Purchasing Netiquette IQ
·         Get more email opens.  Improve 100% or more.
·         Receive more responses, interviews, appointments, prospects and sales.
·         Be better understood.
·         Eliminate indecision.
·         Avoid being spammed 100% or more.
·         Have recipient finish reading your email content. 
·         Save time by reducing questions.
·         Increase your level of clarity.
·         Improve you time management with your email.
·        Have quick access to a wealth of relevant email information.
Enjoy most of what you need for email in a single book.

 =================================

**Important note** - contact our company for very powerful solutions for IP
 management (IPv4 and IPv6, security, firewall and APT solutions:
www.tabularosa.net
==================================================

Another Special Announcement - Tune in to my radio interview,  on Rider University's station, www.1077thebronc.com I discuss my recent book, above on "Your Career Is Calling", hosted by Wanda Ellett.   

In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". My new book, “You’re Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!” has just been published and will be followed by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:

 www.amazon.com/author/paulbabicki

In addition to this blog, I maintain a radio show on BlogtalkRadio  and an online newsletter via paper.li.I have established Netiquette discussion groups with Linkedin and  Yahoo I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts and I have been contributing to the blogs Everything Email and emailmonday . My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ and  PSG of Mercer County, NJ.


I am the president of Tabula Rosa Systems, a “best of breed” reseller of products for communications, email, network management software, security products and professional services.  Also, I am the president of Netiquette IQ. We are currently developing an email IQ rating system, Netiquette IQ, which promotes the fundamentals outlined in my book.

Over the past twenty-five years, I have enjoyed a dynamic and successful career and have attained an extensive background in IT and electronic communications by selling and marketing within the information technology marketplace.Anyone who would like to review the book and have it posted on my blog or website, please contact me paul@netiquetteiq.com.
=============================================================

How can hospitals protect their medical equipment from malware?
 ==========================================================
Some scenarios sound like something out of a Tom Clancy novel, but are completely plausible
  
Adam Winn, June 26, 2015 healthcarenews.com

The challenges in protecting hospitals from cyber attacks are very similar to those faced in ICS and SCADA environments; the equipment used in hospitals is not user-serviceable and therefore often running out-of-date software or firmware. This creates a dangerous situation where:

The devices have known vulnerabilities that can be easily exploited by bad actors

Administrators are not likely to notice malware running on the device as long as nominal operation is maintained

The end goal of bad actors infecting a medical device is to use it as an entry and pivot point in the network. Valuable patient records are not likely to be present on the medical devices, but those devices often have some level of network connection to the systems that do contain patient records.

What exactly is a bad actor likely to do after getting a foot-hold on the network? Move laterally to find patient records that can be used for:
·         Identify theft
·         Blackmail
·         Steal research data for financial gain
·         Deploy ransomware like Cryptolocker, effectively crippling the facility unless a bribe is paid
·         Trigger widespread system malfunctions as an act of terrorism
·         Carry out a 'hit' on a specific patient
The first three items are strictly motivated by financial gain, and this has been the extent of observed attacks to date. The fourth item seems possible but unlikely, either due to morals or the relatively higher value of attacking other targets like power plants or defense facilities. The fifth item hasn't been detected yet, but that doesn't exclude the possibility that it has happened. Carrying out a silent assassination with malware would be very hard to trace back to the attacker, and could even be sold as a service (similar to DDoS as a service).

The scenario for number 5 sounds like something out of a Tom Clancy novel, but it is completely plausible. The attacker (or entity paying for the attack) would only need to know the target, have knowledge of an upcoming procedure, and know where the procedure was to take place. One caveat is that identifying which device(s) would be used with that patient, and when, could be difficult but not impossible to know.#

Real-world vulnerability examples
Billy Rios, a security researcher, recently went public with a vulnerability that affects drug pumps and could potentially be exploited to administer a fatal dose of medication to a patient. Rios notified the DHS and FDA up to 400 days ago about the vulnerability and saw no response, so he went public to put pressure on the manufacturer to fix the issue. Faced with the reality that some medical equipment manufacturers do not invest in securing their devices from exploitation, the onus of security therefore falls on the users of such equipment.

This discovery shows a real-world example of how a cyber attack could affect a medical device and potentially endanger lives. There is no question that this type of threat needs to be taken seriously. The real question is, how can hospitals effectively protect devices such as these?

It's clear that installing antivirus software on medical equipment is impractical and basically impossible. Furthermore, healthcare IT are relatively helpless to patch the software and firmware running on these devices. So considering those vulnerabilities, and the difficulty in remotely scanning these devices, the best solution is simply to prevent malware from ever getting to these devices. Thankfully this challenge has already been solved in ICS and SCADA environments.

In a recently profiled attack on hospitals, one of the infection vectors was thought to be a technician visiting a compromised website on a PC with direct access to a picture archive and communication (PACS) system. The report details that the malware was detected but not before infecting the PACS system. Due to the nature of the system it could not be scanned for malware, let alone cleaned. It was then used as a pivot point to find a system with medical records that could be exfiltrated back to the attacker.

Medical facilities share vulnerabilities with SCADA and ICS, so why shouldn't they also share protection mechanisms? Critical infrastructure providers, especially power plants, often make use of air-gapped networks as a very effective defense mechanism. Taking the above story as an example, the PC with a web browser and internet access should not have also had access to PACS. This simple step would have stopped the infection from doing any damage at all. If, for example, the technician needed to download something from the internet and transfer it to PACS then it would have to be transferred onto the air-gapped network.

How sanitization of the operating room compares to preventing cyber infections
Hospitals and their staff are very accustomed to preventing the spread of biological infections and they must now apply similar levels of prevention to preventing the spread of cyber infections. Defending against cyber infections, by comparison, is much easier. The medical industry isn't alone in fighting this threat – they don't have to invent new techniques for preventing infection, they simply need to adapt the proven strategies employed by other industries.

Simply employing an air gap doesn't guarantee security. The point of the air gap is to create a point through which data movement is carefully controlled. Additional measures must be employed to ensure that pathogens are not allowed access. In medicine these measures consist of removing foreign material with soap and water, and disinfecting with various antimicrobial agents. It's not practical to scan doctors and nurses for bacteria, so every surface is assumed to be contaminated until sufficiently cleaned and disinfected. The control point in a data flow is comparatively easier to maintain, as there are techniques for quickly finding infections on media moving through the air gap. For extra protection, any files deemed 'clean' can still be disinfected to completely eradicate the possibility of a threat doing undetected.

No comments:

Post a Comment