By John Bethune
It seems to be an axiom that the less you know about computers and information technology, the more likely you are to be frightened by them. Hearing about worms, viruses, Trojan horses, spear phishing, and DoS attacks, the uninitiated are likely to run for the hills. Fortunately, those who work with IT on a regular basis have a more balanced perspective on the vulnerabilities of computerized systems. The threat is real, but it isn’t Armageddon.
This contrast in attitudes was highlighted last month when, on the same day, warnings about security vulnerabilities in networked medical devices were published by two government agencies in the United States—the FDA and the ominous-sounding Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). As noted in this issue’s Networking column by 24×7 associate editor Kurt Woock, those warnings are important, but they come as no real shock to most biomed departments.
You wouldn’t know that by following the mainstream media’s coverage. The CNN headline for its version of the story was all too typical of the alarmist treatment given the story: “How Hackers Can Kill You.” Such over-the-top sensationalism would be amusing if it didn’t feed the incorrect and unfair but always popular media meme that hospitals, which are supposed to save lives, are instead endangering them.
If the big media took the time to actually talk with people in clinical engineering, biomed, and IT departments across the country, they would find, as 24×7 did, that calmer heads prevail there. Yes, they worry about cybersecurity. But for the most part, they have been worrying about it for years now, and have developed strong defenses against attacks.
My point is not to deny that networked medical devices are vulnerable. Clearly, they are. That has been demonstrated recently, for instance, by penetration tests performed by information security firm SecureState. As reported by the company’s research director, Matt Neely, that testing uncovered the following top five areas of concern:
1) Denial of service vulnerabilities. DoS attacks work by flooding networks with requests for information. As Neely notes, medical devices are not built to tolerate even moderate traffic flow that would not faze a modern PC.
2) Weak and backdoor passwords. Not only do medical devices often come with weak default passwords, they can also have built-in backdoor passwords that cannot be changed by the hospital.
3) Missing security patches. It’s bad enough that medical equipment often fails to receive software updates after deployment, but many devices are still running Windows NT and Windows 2000, which are no longer supported by Microsoft.
4) Unencrypted management traffic. The tools used to administer devices remotely often communicate without encryption, and are therefore easily compromised, especially on WiFi networks.
5) Web application vulnerabilities. The growing popularity of web interfaces for network administration exposes devices to attacks such as cross-site scripting and SQL injection.
As Professor William Hyman wrote last month on the AAMI blog, “There is nothing very new conceptually” in the FDA’s warning. But as he added, reminders of the scope of the health care cybersecurity problem are always beneficial.
All the evidence I’ve seen suggests that most health care technology management teams are well prepared for the cybersecurity onslaught. But the battle is just beginning, and they will need to remain vigilant. The threat so far is theoretical. Their challenge is to keep it that way.
24×7 Up Front July 2013
John Bethune is editorial director of 24×7.