This episode of The Med Device Cyber Podcast delves into the critical cybersecurity risks associated with medical device interoperability. Hosts Christian Espinosa and Trevor Slatterie explore the concept of
Key Takeaways
1. A significant risk in interoperability is the "second-order attack," where a vulnerability in one system is exploited to compromise another connected system.
2. Manufacturers must prioritize data integrity by rigorously checking and validating all data entering and leaving a medical device to ensure its authenticity and security.
3. For medical device manufacturers, carefully considering the extent of control they have over connected components is crucial in determining what falls under their interoperability security responsibilities.
4. Restricting physical and logical access to interoperable ports and ensuring proper configuration of third-party platforms like EMR systems and cloud services are essential security measures.
5. While proprietary protocols can be useful for novel technologies, leveraging battle-tested, open-source solutions like the DICOM toolkit for standard data transfers is generally preferable due to their proven security and active support.

Episode Summary
Interoperability in medical devices introduces unique cybersecurity challenges, especially concerning "second-order attacks," where a compromise in one system can cascade to others. This episode emphasizes the critical need for medical device manufacturers and healthcare delivery organizations (HDOs) to address these risks. Key discussions include the accelerating trend of interoperability in healthcare, driven by the need for consolidated patient data and AI analytics, contrasting with the slower pace of security awareness. The hosts highlight vulnerabilities in widely connected systems, citing examples of misconfigured EMR systems exposed to the internet. For manufacturers, crucial considerations revolve around data integrity (validating all incoming and outgoing data) and securing communication channels like Bluetooth and APIs. The episode also touches on the debate surrounding proprietary protocols versus established open-source solutions like DICOM, advocating for the latter's proven security and widespread adoption. Ultimately, robust cyber hygiene and careful control over external components are presented as paramount for navigating the complex landscape of medical device interoperability.
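Takeaway 2 above, and the transcript's later discussion of data authentication versus cyclic redundancy checks, describe a gate on data entering (and leaving) a device. The following is an added example written for this page, not code from the podcast, its hosts, or any product mentioned: it checks ingested data for the real DICOM Part 10 layout (128-byte preamble followed by the "DICM" magic) and then verifies a keyed HMAC-SHA256 tag, and contrasts that with a CRC-32, which anyone who can alter the data can simply recompute. The shared key, the sample file body, the tampering step and the function names (`ingest`, `make_tag`, and so on) are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import zlib

# Real DICOM Part 10 layout: a 128-byte preamble followed by the 4-byte magic "DICM".
DICOM_PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"


def make_sample_dicom(body: bytes) -> bytes:
    """Build a constructed, minimal DICOM-like file for the demo (not a valid data set)."""
    return b"\x00" * DICOM_PREAMBLE_LEN + DICOM_MAGIC + body


def has_dicom_magic(data: bytes) -> bool:
    """Structural gate: reject anything that does not even carry the DICM magic."""
    end = DICOM_PREAMBLE_LEN + len(DICOM_MAGIC)
    return len(data) >= end and data[DICOM_PREAMBLE_LEN:end] == DICOM_MAGIC


def crc_matches(data: bytes, expected: int) -> bool:
    """CRC-32 detects accidental corruption only; whoever can change the data can recompute it."""
    return zlib.crc32(data) == expected


def make_tag(key: bytes, data: bytes) -> bytes:
    """Keyed authentication tag (HMAC-SHA256) produced by the trusted sender."""
    return hmac.new(key, data, hashlib.sha256).digest()


def tag_matches(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(make_tag(key, data), tag)


def ingest(data: bytes, tag: bytes, key: bytes) -> tuple[bool, str]:
    """Gate for data entering the device: structure first, then authenticity.
    The same gate applies, in the other direction, to data leaving the device for the EMR/PACS."""
    if not has_dicom_magic(data):
        return False, "rejected: missing DICM magic"
    if not tag_matches(key, data, tag):
        return False, "rejected: authentication tag mismatch"
    return True, "accepted"


def run_demo() -> dict:
    key = secrets.token_bytes(32)  # assumed to be shared with the trusted sender out of band
    original = make_sample_dicom(b"PatientName=DOE^JANE;Dose=10")  # constructed sample body
    crc = zlib.crc32(original)
    tag = make_tag(key, original)

    # Simulated upstream compromise (the "second-order" scenario from the episode): the file
    # is altered on the PACS before the device pulls it. The modifier recomputes the CRC, so a
    # CRC-only check still passes; a valid HMAC cannot be produced without the key.
    tampered = original.replace(b"Dose=10", b"Dose=99")
    recomputed_crc = zlib.crc32(tampered)

    return {
        "crc_ok_intact": crc_matches(original, crc),
        "crc_ok_tampered_recomputed": crc_matches(tampered, recomputed_crc),
        "ingest_intact": ingest(original, tag, key),
        "ingest_tampered": ingest(tampered, tag, key),
        "ingest_not_dicom": ingest(b"GIF89a...", tag, key),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Running the file prints each check's outcome. Two design choices are worth noting: the cheap structural check runs before the cryptographic one, so malformed input is rejected without spending a key operation on it, and the tag comparison is constant-time. An asymmetric digital signature would give the same tamper detection without sharing a secret with every sender; HMAC is used here only because it is available in the standard library.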
This episode is most useful for medical device manufacturers, cybersecurity engineers, regulatory affairs professionals, and MedTech founders preparing for FDA review.
Hi, welcome back to the Med Device Cyber Podcast. I'm your host Christian Espinosa. I'm here with our co-host Trevor Slatterie, and today we're talking about an important topic: interoperability and some of the cybersecurity risks associated with it. Any medical device is going to be deployed on a healthcare delivery organization environment, and it often has to interoperate—it's a challenging word—be interoperable with other systems on that environment. Anytime you connect one device to another, across a network, wirelessly, or via Bluetooth, that introduces more cybersecurity risk. So, we're going to go over that today and some of the considerations a manufacturer, as well as a healthcare delivery organization or an HDO, should consider.
Now, interoperability depends on the device. A blanket problem that can be present in a lot of devices, and that newer penetration testers won't be as experienced with, and a lot of cybersecurity professionals may not even be very familiar with, is the concept of a second-order attack. What we're really saying when we say a second-order attack is that you exploit a vulnerability in one system that compromises another system. So, you don't directly see the impact, but you're feeding in bad input or bad data into somewhere else, and then that triggers a problem.
For example, if I can exploit a PACS system that has DICOM files on it and modify those DICOM files, but those are ingested by a medical device, then we could infect that device with these infected DICOM files. Or, if I was able to somehow compromise this mouse and I made it send different Bluetooth signals instead of just operating the mouse like normal, it controlled input to do certain bad things on my computer. While I technically hacked into the mouse, I compromised my computer. That would be another example of a second-order attack. I think that can be a pretty big and prolific problem with medical devices.
The main reason being that even if the device itself is secure, so there isn't a problem that you can necessarily exploit in the device itself, a lot of components in a hospital might not be secure. A lot of components may not even be at the front of someone's mind for security, like a printer for example. I know every penetration tester has their war stories about hacking into printers in hospital networks. Every time I've been on a hospital penetration test, my first way in has been through a printer. So, if you have a medical device with a problem, you can potentially exploit that problem in a second component like a printer, an EMR system, or a workstation. I think that's a big concern with interoperability.
What I'm describing is a two-way street. You said a second-order attack from the perspective of somebody attacking the printer and then leveraging that to attack the medical device, or somebody attacking the EMR and that attacking the medical device. But it's also the other way around, right? Somebody can attack the medical device, and then that can attack the EMR or the PACS system or any other system on the hospital environment. It goes both directions. I'm sure a third-order attack is possible; it gets down to the complexity of a system. Once you get to a third stop, you can get pretty far removed from the first device that you're attacking. For instance, going from my mouse to my router, which is really far detached, might have some transitive component that you can jump through. I'm sure it is possible and very difficult to pull off, but it would be a pretty edge-case scenario.
When I did DoD stuff, the enemy would go from like one country to another country to another country. So, maybe go from Russia to a system in Korea that you've compromised, to a system in Malta, to a system in Finland, and then to the US. It's hard to trace that attack back to the source because it's being bounced through all these systems you've compromised. So, it definitely covers the tracks in that scenario, which would be more of a third or fifth order attack, tunneling through all these compromised systems.
I think we are increasing the number of devices that are interoperable from a medical device perspective. So much in a hospital environment or just in a healthcare organization is connected now. Everything hooks up to the internet in some way, or there's some connection between two components, or there's a hub for data transfer in one way or another. Everything plugs into an EMR system. I think that's a great thing. Of course, it introduces challenges from a security perspective, but from an operational perspective, it lets everyone have very easy access to information. It lets data transfers happen near instantly now, where before it took a long time, having to deal with faxes and passing around physical paper documents. So, data transfer is extremely fast; it can go very wide, very far, and spread out, covering a lot of ground really quickly. I think that's really helpful, especially in healthcare, where stuff can be time-sensitive.
Now, of course, this introduces a lot of security risks, especially in large connected networks. Anytime you're introducing a new component to that network, it's connected to dozens, if not hundreds or thousands, of other components. So, if there's a problem in one of them, that can often lead to a problem in a lot of them, which is why we really need to be careful with securing devices, looking at that interoperability component. I feel like in healthcare, we're kind of at the infancy stage of interoperability because if I go to the doctor, I still have to fill out photocopied pieces of paper you can barely read what they're asking for, and then somebody takes it and types it in a computer, and then it goes somewhere. It's still a very antiquated system, I think.
At MedTech World in Dubai, there was a big push for digital transformation because a lot of people are saying we have all this data about a patient, but it's not consolidated anywhere. Some of it's over here, some of it's over here, some of it's over here. Without it being consolidated, you can't use tools like AI to really do some analysis or try to predict someone's condition later on because all the data is isolated. So, I believe there's going to be an even bigger push for interoperability so we can have this data more readily available, which is going to introduce more risk to medical devices, to a hospital environment, to a clinic. I think it's going to be very challenging to make this secure.
I definitely agree. One thing that comes to mind when you're talking about a single source of truth for this information is that there's also a single point of failure. So, if you have that single source of truth and someone's able to compromise it, then they're able to access so much information for so many people. So, it's a little bit of a double-edged sword. From a healthcare and functionality perspective, it would be fantastic. We'd be able to do things so much faster; you wouldn't have to track down information from different hospitals and different doctors. But from a security perspective, it becomes a nightmare. We always talk about how inherently insecure healthcare networks are, hospital networks—all things like that. We call them hostile networks. One of my scariest and favorite statistics is that at any given moment there are around 2,000 EMR systems exposed to the open internet with no password on them. So, you can just go and look at people's medical records. How did you find that? On Shodan. Yeah. 2,000 with no password, so it's no wonder everyone's medical records have been stolen. It's easy; you can quite literally Google it and see them.
It's a pretty scary thing. While interoperability is in its infancy, so is security awareness. Unfortunately, interoperability is accelerating a little faster than security awareness, so it's being done in a dangerous way a lot of times. You know that's an interesting point because EMRs, electronic medical record systems, have security controls, but what it boils down to is whether the person setting this thing up is doing it correctly—have they turned on the right settings and turned off the wrong settings? The answer, according to these 2,000 you said are exposed, is obviously no.
Another problem with it is some of these were set up 15 or 20 years ago and just never touched. Obviously, security has evolved a lot in the past 15 or 20 years. Security is one of those fields where even in the past year, it's changed massively. So, leaving something unprotected for that long is just asking for problems. Hacker skills are evolving just as quickly as defensive skills are evolving, so if we aren't keeping up on the defense side, then the hackers are naturally going to win. It's a challenge for the good guys, per se, because we have to get a hundred things right, and if we just miss one, that's a way the attacker can get in. So, the advantage is always on their side. They need to get lucky one time.
One of my favorite examples to always go over is the MGM hack. That was something that everyone heard about; it was top of the news for a long time. All their systems are pretty good, pretty secure. Casinos definitely take security very seriously. I recently was actually able to meet with the VP of operations at MGM out in Macau, and we were talking about security features in casinos. They make these things very, very hard to compromise. I think they're way more secure than healthcare environments. I think they're more secure than banks and government—everything. Casinos are a well-oiled machine. So why did MGM get hacked if it was one point of failure? One person. I think it was a help desk rep, or it was a social engineering attack. One person gave up their credentials to a phishing attack over a phone call, and that's all it took. They were able to just run through the network as soon as they had those credentials. So, it's another point that there were 10,000 security considerations going on in those casinos. They got 9,990 of them right, and the attackers found one of those 10 problems left, and they were able to just run through the network, take over everything, and shut down basically the entire city of Las Vegas for a while there. Did they have multi-factor authentication enabled? They did, but I think it was a bad configuration through—I can't remember what the provider was. I remember it was a provider with a known problem where you could bypass it if you had certain controls or if you did something. I don't remember the details of it, but they did have multi-factor authentication enabled. Not all multi-factor authentication works properly all the time.
Of course, with interoperability, if I'm a device manufacturer, what are some of the things I can do or consider to make sure my device is securely interoperable? The first point, and this is probably the most important one, is checking anything that comes into the device. Any data that is moved from a secondary location to the device needs to be checked and validated. Data authentication is one of the primary security controls that the FDA calls out. Authentication is normally thought of as identifying yourself as a user or an entity identifying itself, but it can also be verifying the source and integrity of information as it comes into a product. So, this is like data integrity with a digital signature or something. The FDA sort of leans away from cyclic redundancy checks, which are essentially just hashing a bit of information to make sure. Those came out in the 1960s or something; it's super old. There are other ways to do this now, but we just need to verify that data coming in is what we expect it to be.
On the other side of that, while that's going to protect the device, we need to protect what the device is connected to. We have to protect the EMR system. If you look up vulnerabilities in DICOM servers, you'll see hundreds of pages pop up from security researchers publishing articles on how they hacked into popular EMR systems. So, inversely, we need to check anything leaving the device. It may be the case that the device lets you put in a bunch of bad data; it doesn't do anything to the device, and then when you pass it into the EMR, it crashes the whole system. So, anything entering or leaving needs to be verified as accurate and secure data. I think that's the primary concern for any data flows. And then, of course, it can get down to the specifics. If you have a USB port, there are all these controls. If you have an Ethernet port, there are all these controls. But the general rule is data integrity.
I was talking to someone a couple of days ago, and they were saying the future of healthcare, which goes back to your previous point about a centralized source of truth, is going to be on the blockchain. I don't know about that. I don't think it would be a bad idea exactly, I just think if blockchain technology was really going to take off, it would have done it by now. I feel like there is a use case for it. It's pretty secure; it's very hard to forge an action, which gets down to when we're looking at medical device threats, that brings up threat modeling. Repudiation, proving that an action was taken by a legitimate source, does fix that problem. So, I don't think it would be a bad idea, but I don't think that the implementation would be very widespread because if it was going to be widespread, we would have seen it by now. There are all sorts of talks about how we can use the blockchain for cryptocurrency, for voting, for healthcare, real estate—all this stuff—but none of it ever happens. So, maybe I'm wrong; maybe it's still just taking off, but I don't think it's going to happen. I guess that's a good point because if healthcare systems worldwide are still so analog, getting all the way to blockchain implementations is pretty far off, if it will even happen.
Blockchain is not a new thing; it's been around for a long time, so I feel like it's had time to grow and mature. AI is a great example. AI is still a pretty new thing, or I guess modern, really effective AI, and that has taken off. I mean, that's in every industry; it grew like wildfire. Everyone uses AI; it's in every system, every industry, every product now. So, that's an example of a technology that comes out where people go,