Terror! See what the hackers did after they invaded medical devices.

Release date: 2016-05-23

In the fall of 2013, Billy Rios flew from his home in California to Rochester, Minnesota, for an assignment at the Mayo Clinic, the world's largest non-profit, general medical facility. Rios is a "white hat" hacker, meaning that customers hire people like him to hack into their computer systems. His client list includes the Pentagon, major defense contractors, Microsoft, Google and other names that he cannot easily disclose. He has worked on weapons systems, aircraft parts and even power grids, breaking into the network of Washington's largest utility area to show officials how they could improve public safety. By contrast, the Mayo Clinic assignment seemed much tamer. He expected that he would only have to do some routine work to find vulnerabilities, and that he could work alone in a clean, quiet room for a week.

But when he arrived, he was surprised to find the conference room full of familiar faces. The Mayo Clinic had assembled an all-star lineup of about a dozen computer experts, including investigators from some of the country's largest cybersecurity companies and the type of hacker who causes a stir at conferences such as Black Hat and the annual hacking conference Def Con. The researchers were divided into groups, and hospital administrators placed about 40 different medical devices in front of them. Their instruction was to attack the devices with every hacking method they could.

Like laptops and smartphones, today's medical devices are networked: they run standard operating systems and live on the Internet. Like other components of the Internet of Things, including cars and garden sprinklers, they are connected to servers, and many can be remotely controlled. One thing that became apparent to Rios was that hospital managers had many reasons to worry about hackers.

Rios said: "Every day, the scene is like every piece of equipment on the menu is crushed. The situation is very bad." The working groups did not have time to delve into the weaknesses they found in the devices, partly because they found so many of them: unprotected operating systems, universal passwords that cannot be changed, and so on.

Having learned of these problems from the white-hat hackers' intrusions, the Mayo Clinic introduced new security requirements for its medical device suppliers, requiring each device to be tested against its standards before a purchase contract is signed. Rios appreciated the hospital's actions, but he knew that only a handful of hospitals had enough resources and influence to do this, and by the time he completed the work he was convinced that sooner or later a hospital would be hacked and people would be hurt. His professional relationships had given him privileged access to sensitive industries, and hospitals seemed to be at least 10 years behind standard security practice. Rios said: "Someone will take further action. As long as someone starts to try, they can do this. The only way to stop them from starting is to expect them to discover with their conscience."

Rios is 37 years old. He served in the US Marine Corps and took part in the Iraq war. During his service with the Marine Corps, Rios worked for the Signal Intelligence Department, and he later took a job at the US Department of Defense Information Systems. His home office is crowded with computers, a welding machine and a lot of medical equipment.

Shortly after completing his work at the Mayo Clinic, Rios ordered his first medical device, a Symbiq infusion pump made by Hospira. He had not deliberately targeted a particular manufacturer or product model; he just happened to see a device on eBay that sold for about $100. He was unsure whether it was legal to buy such a device without some kind of permission.

Infusion pumps can be seen in almost every ward, usually attached to a metal frame beside the patient's bed, automatically delivering intravenous infusions, injectable drugs or other fluids into the patient's bloodstream. Hospira, which was acquired by Pfizer in 2015, dominates the infusion pump market. An article on the company's website explains that this "intelligent infusion pump" aims to improve patient safety by automating intravenous drug delivery. The article said that improper infusion accounted for 56% of all medication errors.

Rios connected the infusion pump he had bought to the network and found that he could control the device remotely and "press" the buttons on its touch screen, just as if someone were operating it in person. The instrument could be set to deliver an entire vial into the patient. He said that a doctor or nurse standing in front of the instrument might notice that it was being remotely controlled and stop the infusion before the whole bottle had drained. However, hospital staff watching the infusion pump from a centralized monitoring station would not notice.

In the spring of 2014, Rios finalized his findings and sent them to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) under the US Department of Homeland Security. He listed the weaknesses he had found and suggested that Hospira conduct further analysis to answer two questions: Do other Hospira devices have the same vulnerability? What are the potential consequences of this vulnerability? The Department of Homeland Security turned to the US Food and Drug Administration (FDA), which passed the report on to Hospira. Months later, Rios had still not received any response. Rios said: "The FDA seems to wait until someone is killed. 'Okay, yes, this is a problem we need to worry about.'"

Rios is one of a small group of people who have conducted independent investigations of medical devices in recent years, using the security vulnerabilities they discovered to make a huge impact. Jay Radcliffe, a researcher and a diabetic, appeared at the 2011 annual hacking conference to show the audience how he could manipulate his Medtronic insulin pump to release a potentially fatal dose. The following year, at a meeting in Australia, Barnaby Jack, a New Zealand hacker, showed how he could remotely break into a pacemaker and make it deliver a dangerous shock. In 2013, Jack died of a drug overdose the week before the Black Hat conference, where he had promised to unveil a system that could pinpoint any wirelessly connected insulin pump within a radius of 90 meters and then change the insulin dose it administered.

These demonstrations have angered device manufacturers and hospital administrators, who say that such staged hacks panic the public into staying away from technology whose benefits far outweigh its drawbacks. At a 2014 industry forum, information technology executives at a hospital slammed Rios and other researchers, saying they were stoking hysteria when no patient injury had been attributed to lax security in medical device networks. Rick Hampton, wireless communications manager at the Partners HealthCare System, said: "I am very grateful that you want to get involved, but frankly, you are in the National Enquirer. The title that was drafted in the weekly magazine brought only problems, but it didn’t have any effect.” On another occasion, during a conference call with many industry executives and federal officials, equipment vendors shouted at Rios.

Rios said: "All of their equipment is not well-known, all systems are not well-known. All clinical applications are also misnamed - but no one cares. This is ridiculous, right? Anyone trying to prove this situation is reasonable Not living in the real world, they live in a fantasy."

In the fall of 2014, analysts at TrapX Security, based in San Mateo, Calif., began installing software in more than 60 hospitals to track the hacking of medical devices. TrapX creates virtual copies of specific medical devices and installs them so that they appear to be online and running. To a hacker, the operating system of a virtual CT scanner installed by TrapX looks no different from the real thing. The virtual devices, however, allow TrapX to monitor hackers' activities throughout the hospital network. Six months later, TrapX concluded that all of the hospitals had medical devices that had been infected with malware.

In a number of cases, hackers carried out "spear phishing" attacks on hospital staff, enticing them to open emails that appeared to come from known senders; once they took the bait, malware infected the hospital's computers. In one case, the hackers infiltrated a computer at a nurse's station, from which malware spread throughout the network and eventually reached radioactive instruments, blood gas analyzers, and other devices. Many instruments run cheap, old operating systems such as Windows XP and even Windows 2000. The hospital's anti-virus protection quickly cleaned the computer, but the medical devices had no comparable defenses.

Carl Wright, general manager of TrapX, said the hospitals involved in the study relied on equipment manufacturers to maintain the security of the instruments. That service is not regular, and it is reactive rather than preventive. Wright said: "Medical devices don't warn health care providers when they are attacked. They don't have self-protection at all." Wright used to be an information security officer for the US military.

When hackers break into a device, they lurk there and use the instrument as a permanent base from which to probe the entire hospital network. Wright said their goal is to steal personal medical data.

Medical files often contain credit card information, as well as social security numbers, addresses, birthdays, family relationships, and medical history. This information can be used to create false identities and credit lines, to commit insurance fraud and even for extortion. A credit card number often sells for no more than $10 on the online black market, while a medical file can sell for 10 times that price. What hackers care about is the resale value.

TrapX analysts set up traps in the hospitals that allowed them to observe hackers trying to steal medical records through infected devices. Wright said the tracking led them to a server in Eastern Europe that was thought to be under the control of a notorious Russian criminal gang. Typically, the hackers would log in from the control server in Eastern Europe and break into a blood gas analyzer; from the instrument they would enter a data source, pull the data records back to the blood gas analyzer, and steal them. Wright said the evidence that hackers were stealing data through medical devices was that patient data was found in a blood gas analyzer, where it should not have appeared.

In addition to the command-and-control malware that allows data records to be stolen, TrapX also found ransomware called Citadel, which restricts computer users' access to their documents so that hackers can demand payment to restore it. The researchers found no evidence that hackers had actually installed ransomware on these instruments, but the mere existence of such software is unsettling.

Hospitals are generally secretive about network intrusions. Even so, sporadic reports of the damage caused by malware do emerge. In 2011, Gwinnett Medical Center, in Lawrenceville, Ga., turned away all non-emergency patients for three days because a virus had paralyzed its computer system. Cases of cybercrime have been reported by doctors' offices in the United States and Australia, where hackers encrypted patient databases and demanded ransoms. According to a survey released by audit firm KPMG in August 2015, 81% of medical information technology executives said that their workplace computer systems had suffered cyber attacks in the past two years.

Seeing all of this, Rios became very anxious and hoped that the federal regulator would notice the weaknesses he found on the Hospira infusion pump. In the summer of 2014, he sent a reminder to the Department of Homeland Security asking if Hospira had responded to his suggestion. According to an email from the Department of Homeland Security, the company "is not interested in verifying that other infusion pumps are vulnerable." A few weeks later, Rios found himself in a vulnerable position: lying on a bed, he couldn't move, and he had to rely entirely on an infusion pump.

At the end of July 2014, Rios began crying out in his sleep, which seriously disturbed his rest and forced him to see a doctor, who found a polyp in his nasal cavity near the meninges. The polyp was removed in a simple outpatient operation, but a few days later Rios developed a fever and found a clear liquid flowing out of his nose.

He stayed at Stanford Hospital for two weeks, in a ward full of the kind of medical equipment he had been breaking into. His bed was connected to a network interface. The pressure bands around his legs, which squeezed his calves to promote blood circulation, were also connected to a computer. He counted 16 networked devices in his ward and 8 wireless access points. The most prominent of these devices was the CareFusion infusion pump that controlled the liquid flowing into his arm. He noticed that another patient in the same room was using a Hospira infusion pump. Rios said: "I kept thinking, 'Should I tell him?'" In the end, he chose to remain silent.

Once he was able to struggle out of bed, Rios pushed his infusion pump into the bathroom and took a good look at it. He recalled: "I looked at the wireless network card, press the button above to see what menu I can enter." The result deepened his worries. “No matter what Wi-Fi password they use to get this infusion pump into the network, I can always crack it easily.”

In the hallway, Rios discovered a computer-controlled medicine cabinet. Doctors and nurses typically operate it with a coded identification card. But Rios knew that this system has a built-in vulnerability: a hard-coded password that can open all the drawers in the cabinet. Such universal passwords are common in medical devices, and many of them cannot be changed. Rios and a working partner had warned the Department of Homeland Security about the vulnerability of these passwords, and the agency had notified the supplier of his findings. However, nothing had been done, at least in this hospital. He soon discovered that all the medicines in the cabinet's drawers were there for the taking. "At this time they have not fixed this problem, so I interviewed a few passwords, and my response is, 'I can really open it!'"

After he was discharged from the hospital, he tried to put pressure on Hospira again. He had already told the federal government that he knew how to compromise these infusion pumps, but when he returned home he decided to record a video showing how easily he could do it. He pointed the camera directly at the infusion pump's touch screen and then demonstrated how to press the buttons remotely, quickly break through the password protection, unlock the injector, and then manipulate it as desired. He then wrote sample computer code and sent it to the Department of Homeland Security and the US Food and Drug Administration so they could test his work themselves.

Rios said: "We have to shoot video and write exploit code that may really kill people, so that this matter can be taken seriously. Things should not be like this."

This did catch the attention of the FDA. In July 2015, more than a year after Rios's warning, the FDA issued a notice urging hospitals to stop using Hospira's Symbiq infusion pump, because it may allow unauthorized users to control the device and change the dose of the drug it delivers. Suzanne Schwartz, who is responsible for coordinating cybersecurity initiatives at the FDA's Center for Medical Devices and Radiation Health, said: "This move sets a precedent. This is the first time we have recalled a product specifically for cybersecurity issues." Pfizer spokesman MacKay Jimeson said: "In clinical situations, there are no known cases of Hospira products being hacked, and the company has worked with industry stakeholders to ensure that this will not happen."

The medical research community did not celebrate the announcement as a victory. Hospira said it would work with suppliers to correct any problems, and the Symbiq model has been removed from the market. However, the FDA's announcement went no further: it did not force the company to repair the instruments already in use in hospitals and clinics, nor did it require the company to prove that similar network security vulnerabilities do not affect other models of infusion pump. For some researchers, the victory represented by this announcement has no real meaning.

The FDA faces a tough challenge: the rules it develops must be specific enough to work and general enough to outlast constantly mutating threats, and they must be revised much faster than the products the agency certifies are updated. In October 2014, the agency finalized a set of guidelines (recommendations, not requirements) that medical device manufacturers consider cybersecurity risks during their design and development phases and submit documentation to the agency identifying any potential risks they have discovered. However, this obligation does not fall on manufacturers alone; Schwartz stressed that health care providers and regulators must also be involved in solving the problem, and she called this challenge "a shared responsibility and a shared ownership."

Sharing responsibility is where the trouble begins. After the guidelines were announced, the American Hospital Association sent a letter to the FDA saying that health care providers are happy to do their part, but urging the agency to take more steps to "make equipment manufacturers take responsibility for network safety." According to the association, equipment suppliers must react more quickly to weaknesses and fix problems as they occur. Equipment vendors, for their part, point out that criminals cannot break into their equipment without first getting through the firewalls of hospitals and clinics; so why, they ask, is everyone talking about regulating equipment when healthcare providers clearly need to strengthen their own network protections? After the FDA issued its notice, Hospira described hospital firewalls and network security in a statement as "the main line of defense against tampering with medical equipment" and said that its own internal protection is only an "additional safety factor." Others believe that security researchers such as Rios are forcing security measures on the industry that hinder patient care.

At an FDA-sponsored forum, an anesthesiologist from the Massachusetts General Hospital in Boston cited an automated medicine cabinet (similar to the one that Rios successfully opened) as an example to illustrate this point. After Rios told the government that these passwords were vulnerable, some hospitals began implementing fingerprint scanning as an alternative security measure. Dr. Julian Goldman said: “Now, people in the operating room usually wear gloves.” He pointed out that taking off the gloves, working the medicine drawers while making sure contaminated blood does not touch bare hands, and then putting the gloves on again is not only troublesome but can also be dangerous and time-consuming. Goldman said: "When you turn around and want to reach these drawers, you hear the sound of the turkish, they are locked - just when you want to open the drawer to take an important medicine."

Rios said that as long as the manufacturer or hospital really acts, he doesn't care how they fix it. Hospira's case convinced him that the only way to achieve this is to keep pressuring manufacturers and calling them out by name until they are forced to pay attention to the issue. The automatic medicine cabinet is not the only device he found using hard-coded passwords; Rios and research partner Terry McCorkle found that about 300 different devices made by about 40 different companies had the same weakness. When the government issued a notice on this issue, the names of these suppliers were not announced. Rios said that these vendors did not fix the passwords. He said: "The status quo tells me that they will not take any action if they do not pressure a particular supplier."

Since the FDA announcement on Hospira was released in July 2015, boxes of medical equipment have kept arriving on Rios' doorstep. No one is paying him to break into these systems, and no one reimburses him. He said: "I am very fortunate, I have been very successful, so buying a $2,000 infusion pump is no big deal for me. I will study it if I have time."

However, for new independent researchers, the inability to get hold of equipment may be a barrier to entering the field. Infusion pumps are relatively inexpensive, but MRI equipment costs at least tens of thousands of dollars, and the purchase of radioactive equipment also requires a special permit. To encourage more people to research these devices, Rios is working to create a lending library of medical equipment; he and his research partners have begun lobbying hospitals for old equipment, and they want to buy new equipment through crowdfunding.

The attention surrounding the Hospira announcement in 2015 may do more than Rios' own efforts to attract new researchers. Kevin Fu, head of engineering at the University of Michigan's Archimedes Research Center for Medical Device Security, has been investigating medical device safety issues for more than a decade. He found interest in the field more intense in 2015 than ever before. He said: "Every day I hear a name that I have never heard of before. This person has never done research related to medical equipment before. Then unexpectedly, they found some problems."

On a sunny autumn day, Rios hurriedly bought a cup of iced coffee from a Starbucks in the city center. He wanted to perk himself up. Perhaps, when he has some free time, he will grab a device in his office and see what holes he can find in it. One of these devices attracts him strongly, as if it were asking to be hacked. After leaving the hospital in 2014, he browsed the Internet and found a CareFusion infusion pump exactly like the one he had been tethered to for two weeks. Now, the equipment stands beside the filing cabinet in his office.

"It is my next goal," Rios said.

Source: Sohu Technology
