How Heartbleed Affects Medical Devices
Security Expert Explains Risk Mitigation
One of the biggest misunderstandings about the Heartbleed bug in the healthcare sector, even three months after it was discovered, is that it only affects websites and Web servers. In fact, medical devices are also still facing a lingering risk for the vulnerability, says security expert Mike Ahmadi.
"Anything that has the affected versions of OpenSSL/TLS installed on it - that means any medical device, and medical system, MRI, server, any handheld devices that are on a healthcare network - is affected," explains Ahmadi, global director of medical security at Codenomicon, the software testing firm that discovered the Heartbleed bug in April.
The biggest ongoing risk is that healthcare organizations are unaware of how affected they are, he says in an interview with Information Security Media Group [transcript below]. "And once they do discover that, it's not as simple as issuing a patch because the devices have to take care of patients and work all the time.
In the interview, Ahmadi also discusses:
- How the recent Internet Explorer vulnerability still potentially puts medical devices at risk;
- Steps healthcare organizations can take to mitigate cybersecurity risks to medical devices;
- The biggest emerging cybersecurity threats facing medical devices.
Ahmadi is the global director of medical security at Codenomicon, a firm that tests software for its security robustness. He has extensive background in project management and information systems for projects addressing cybersecurity in multiple industries, including energy, industrial automation and healthcare. He serves as a member of the Medical Device Innovation, Safety, and Security Consortium and is a member of the Association for the Advancement of Medical Instrumentation (AAMI) Medical Device Security Working Group and Wireless Strategy Task Force. He also serves on the U.S. Secret Service Electronic Crimes Task Advisory Board.
Medical Device Risks
MARIANNE KOLBASUK MCGEE: What are the biggest risks that healthcare organizations are still facing concerning the Heartbleed bug and why?
MIKE AHMADI: Let's start by saying that one of the biggest misunderstandings is that it really only effects websites and web servers. Anything that has the effected versions of Open SSL or TLS installed on it, that means any medical device, system, web server, MRI, hand-held devices...any sort of embedded system that is on a healthcare network is affected either on the client or server side. A lot of people think that it's really limited to just the web servers. I think the biggest issue is that right now a lot of health organizations are not even fully aware of how many devices in their networks or organization are actually infected by the bug. In many cases, when they build systems, they for example may buy a real-time operating system that has an infected version of Open SSL embedded in it and they are not even aware of it. Or, [organizations] just simply [have] not thought past the web server.
I think the biggest risk right now is that they're not even aware of how much they are affected. I think the other thing is that once they do discover that, then it's not as simple as issuing the patch in the healthcare space because devices actually have to take care of patients and work every time. Sometimes when you patch something, let's say your operating system on computer or a piece of software - and we've all gone through this - sometimes the computer doesn't reboot. It stops working and that happens all the time. Well, if that happens in the case of doing a patch to a medical device, then it stops working, that means that it puts patients at risk. So it's not a simple issue...they have to go through a process of actually validating that the patch itself is going to not cause another issue. Those are some serious issues that I see. It could be years before it's resolved.
Identifying Infected Devices
MCGEE: How should healthcare organizations go about identifying the medical devices that may be at risk with Heartbleed and what should they do to mitigate those risks?
AHMADI: There are a lot of different ways they could do it. Of course we [Codenomicon] discovered it because we were testing a new feature in our software. Our software is actually used by the Food and Drug Administration and currently quite a number of medical device organizations, and at least one provider organization today to actually test devices. If they were to use our software, they could discover whether or not the Heartbleed bug is present because that is how we discovered it. They could also do static binary analysis, and our company has actually issued a free tool at AppCheck.codenomicon.com where you can actually upload a compiled binary or firmware image, if you have that available to you, and it will tell you whether or not it's infected. Again, that is something we're offering as a free service right now. Additionally, there are other organizations that have come out with tools. But I think the first step is to go through and check everything. Find out anything that is running any sort of communications stack - those really should be checked. Unfortunately, in the hospital space today, that's a lot of devices, [and include] even blood pressure monitors or cuffs. All of those things that you see that are being used or tried today, they communicate over Wi-Fi networks and often times they use Open SSL. So start by checking everything and then once you do, you've got to go to the device manufacturers and [ask for] a fix. If they can't get the fix right away, they are going to have to figure out another way to mitigate against that in their own relation.
Vulnerable to Bugs
MCGEE: Do you think medical devices that are web-enabled are vulnerable to this bug from Internet Explorer?
AHMADI: When you're talking about medical devices on a network, that's a really broad category. So a small hand-held patient monitor can be a medical device; a pacemaker could be a kind of medical device; an MRI could be a medical device. A truck delivery system, which is a big workstation, could be a medical device. Some of these are running full-blown operating systems and browsers and such. Those devices are potentially easily infected, others may not be. Depending on how the hospital actually segments their network, some organizations, believe it or not, run everything on one network. Let's say, for example, somebody enters through a browser and sends a worm into the network that can affect multiple types of devices. It may actually work its way into any of a number of devices whether or not they're even running a browser, because it's simply moves through the network, finds something that it can infect and infects it. There is always the possibility that this could infect a lot of devices, but again, its speculation. You can't discount the creativity of a potential attacker.
MCGEE: What would you suggest healthcare organizations do to mitigate those risks to their environments and their medical devices?
AHMADI: I think the first issue that we're running into is that a lot of health organizations are just not aware of the vulnerabilities in their environment. The first thing of course is find out exactly where you're vulnerable or what you're vulnerable to. Then once you actually have an idea of what you're vulnerable to, you can come up with an idea of how you're going to mitigate against those risks. So for example, you [know you're] vulnerable to this particular type of an attack sent on your network, then potentially you might segment that network so that it can avoid that attack. Or put some sort of a rule in a firewall, or simply go to a vendor and make a change to it so this attack can no longer affect you. But again, unless you have an idea where your vulnerabilities are, it's very difficult for you to determine what the fixes are. For example, when you go to work on a house because there is something that's not working or broken, you don't just simply pull out a [nail] gun and just start putting up nails randomly. You determine what you've broken first and then that's what you fix. The first step is detection.
End of XP Support
MCGEE: What do you think are the biggest security concerns facing medical devices due to the end support by Microsoft of the Windows XP operating system?
AHMADI: Windows XP is very prevalent in the healthcare space, not only on workstations but on medical devices themselves. For example, when you're looking at the interface on some patient monitors... underneath [that] is actually Windows XP, as we discovered. So I think with any version of an operating system that Microsoft ends support for, they always give adequate notice when they do this. Many of those devices are still functional and operating and of course if they're working, most organizations are not going to even consider changing them out or fixing them. But because there is no support for the operating system, that means if [a] serious problem [is discovered], well it's not a supported operating system anymore so therefore there would potentially never be a patch issued for that. That means [healthcare organizations] have to cross their fingers and hope that between now and when the device is no longer functional, that no additional security issues arise in the operating system. It is a time bomb at this point.
Emerging Cybersecurity Threats
MCGEE: What do you think are the biggest emerging cybersecurity threats facing medical devices?
AHMADI: The thing that concerns me the most is that there is a lot of very cool things medical devices can do. It's actually great. For example, you can now make an adjustment to a pacemaker using radio frequency, where in the old days you actually had to bore a hole through [the patient's] chest. As you know, that creates a much better quality of life. You can do things like monitor patients over the internet while they sit in their own homes. There seems to be this new move towards a lot more home-based healthcare in devices. As these devices move out of a network, which has some sort of control exerted over it into people's homes, all of a sudden you have a network medical device, which is in an environment that you really have no idea what level of protection security there is. So, as that continues to happen, and technology continues to grow, without them being properly secured as they move out into the world, you're potentially creating a world of highly unsecure devices. Again, if somebody were to discover some sort of an attack that can access these networks, this 'Internet of Medical Things,' if you will, then they could potentially cause harm to very large population quite easily. So I guess the biggest emerging threat is the fact that they're building all this stuff, but we're really not seeing the level of details and attention being given to the security of these devices that should be in place.