2 Tales of Device-Related Risks to Patients
Medtronic Device Alerts Issued; Researchers Find Millions of Exposed Medical Images
Recent disclosures about security issues pertaining to certain medical devices as well as storage devices used in healthcare serve as reminders of the potential risks to patients that must be mitigated.
Those disclosures include alerts about vulnerabilities identified by researchers in a Medtronic product used by cardiac patients and a report about millions of unsecured medical images containing patient identifying information found exposed on the internet.
On Monday, the Cybersecurity and Infrastructure Security Agency and medical device maker Medtronic issued alerts about vulnerabilities in the Medtronic MyCareLink Smart 25000 Patient Reader product used by some patients with cardiac devices, such as pacemakers, to communicate with their doctors in between office visits.
If exploited, the vulnerabilities - including improper authentication, heap-based buffer overflow, and Time-of-check Time-of-use Race Condition - could allow an unauthorized individual to modify or fabricate data, allowing the attacker to control a cardiac device, CISA says in its alert.
So far, CISA notes, there are no known exploits targeting these vulnerabilities. And the flaws are not remotely exploitable.
Medtronic reports that it does not know of any related cyberattacks or unauthorized access to patient data or of any patient who has been harmed as a result of the vulnerabilities.
The Medtronic vulnerabilities were identified by two groups of researchers: a team at Tel Aviv, Israel-based Sternum and a team from the University of California, Santa Barbara; the University of Florida and the University of Michigan.
So, how serious are the Medtronic issues in terms of potential data security and patient safety risks?
"This exploitation requires deep engineering knowledge of the device, and physical proximity to extract the pacemaker's data," says a statement provided to Information Security Media Group by researchers Sara Rampazzi and Kevin Fu of the University of Michigan's Archimedes Center for Medical Device Security and the research team at the University of California, Santa Barbara.
"Furthermore, the collected data that can include personal information and highly-technical cardiac data, needs to be interpreted by a doctor. Thus, we expect the risk to the patient overall to be low."
Medtronic says a firmware update will eliminate the identified vulnerabilities. It's available by updating the MyCareLink Smart app via the associated mobile application store. "Upgrading to the latest v5.2 mobile application version will ensure the Patient Reader is also updated on next use. The user's smart phone must be updated to the following operating system version for the patches to be applied: iOS 10 and above; Android 6.0 and above," Medtronic notes.
Many flawed medical devices can be vulnerable to intrusion if they're not adequately protected, the University of Michigan and University of California researchers tell ISMG.
"Preventing hackers from disabling or taking control of electronic devices is an ongoing challenge because malicious actors tend to be steps ahead of researchers and manufacturers," they say in the statement. "Our goal as researchers is to develop techniques to incorporate security properties early in the design phase of a product to prevent potential future vulnerabilities."
Elad Luz, who also has previously identified a variety of vulnerabilities in other medical devices as head of security research at security vendor CyberMDX, says that improper authentication "is an issue that is more common for medical devices and usually implies a design flaw, meaning the security implications were not thought about during the design phase."
The other flaws identified in the Medtronic device "are most likely human errors, like bugs in the code. These are reported on software from all sectors," he notes.
Luz notes that, given that medical devices tend to have long lifespans, vendors should examine ways for improving the security of their legacy devices that are still being used.
"Legacy devices will more commonly suffer from issues such as lack of authentication and hard-coded credentials but, while newer products may use more secure protocols, they might still suffer from improper implementations, improper configurations and use of those newer secure protocols."
'Leaked' Medical Images
Meanwhile, on Tuesday, researchers at security vendor CybelAngel in a new report said they have detected more than 45 million unique medical images accessible on the internet via about 2,000 unprotected connected storage devices with ties to medical centers, hospitals, clinics and doctors' offices - large and small - in 67 countries.
In most cases, the identified leaking device was a network-attached storage solution, or NAS, the report notes. Exposed images include patient X-rays and CT scans containing information such as patients' identities and health information.
A NAS generally uses the FTP or SMB protocol and provides web access for connecting to the device, the report states. "This web access is password-protected, but these devices may have security flaws that enable guest access through a file-sharing protocol. Sometimes the operating system itself may open a guest access on the distant device; this is a design feature that permits different systems to work together."
The CybelAngel Analyst Team embarked on a study of medical data by examining Digital Imaging and Communications in Medicine, or DICOM, which is a protocol and an international image standard, the report notes.
The six-month study by CybelAngel found:
- Encryption and other security features are typically not enabled for images stored and exchanged as DICOM files;
- Misconfigured NAS devices are a major root cause of exposure, leaving DICOM caches exposed;
- Third-party vendors are often involved with the exposures.
The CybelAngel report notes that, in one case, researchers found that "a paid service advertising 'secure' DICOM image handling was, itself, running on unprotected infrastructure and CybelAngel detected malicious code already running on the service provider's servers."
Other top causes for these data leaks include failure to change a device default password at time of implementation and allowing "guest" access versus secure password protection, David Sygula, senior cybersecurity analyst at CybelAngel, tells ISMG.
"CybelAngel scanned and detected those medical files that were publicly accessible - servers that were open without restricted access. If someone were to use the default/manufacturer's password, we believe the number of exposed images could easily be as much as eight to 10 times greater," he notes.
Other researchers have also previously identified and warned of exposed medical images on the internet.
For example, in August, the American College of Radiology, the Radiological Society of North America and the Society for Imaging Informatics in Medicine issued a joint warning that patient identifiers embedded in medical images used for online presentations are at risk of inadvertent discovery by advanced web-crawling technologies in search engines (see: 'Hidden' PHI in Medical Images Poses Risks).
And last year, a report by security vendor Digital Shadows' Photon Research Team revealed the inadvertent online exposure of 4.7 million healthcare files - the majority being medical images - that contained patient names and other identifiers as well as details about the patient's healthcare encounter (see: 2.3 Billion Files Exposed Online: The Root Causes).
Steps to Take
To prevent medical images from being exposed on the internet, entities can take a number of measures, Sygula says.
"They should change the default password at time of implementation, enforce strong secure password practices and protections, implement DICOM's encryption and other existing, out-of-the-box security measures and conduct regular server maintenance and patching," he says.
Also, exhaustive scanning of open databases, connected storage and cloud apps can alert organizations to data leaks, he says.
"This empowers them to address leaks of sensitive and confidential data before it is breached."
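As an added illustration (not code from the CybelAngel report or from this article), here is a minimal check an organization could run over files on its own storage to see whether DICOM images carry patient identifiers in cleartext. It assumes Explicit VR Little Endian encoding and stops at the first undefined-length element; the sample files and the helper `_element` are constructed for the example.

```python
import struct

# Elements that put patient identity in cleartext inside the image file.
PHI_TAGS = {(0x0010, 0x0010): "PatientName", (0x0010, 0x0020): "PatientID",
            (0x0010, 0x0030): "PatientBirthDate"}
# Explicit-VR types that carry 2 reserved bytes and a 4-byte length.
LONG_VRS = {b"OB", b"OD", b"OF", b"OL", b"OV", b"OW", b"SQ", b"SV",
            b"UC", b"UN", b"UR", b"UT", b"UV"}

def patient_identifiers(data: bytes) -> dict:
    """Return identifying elements from an Explicit VR Little Endian DICOM file."""
    found = {}
    if len(data) < 132 or data[128:132] != b"DICM":  # 128-byte preamble + magic
        return found
    pos = 132
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if not (vr.isalpha() and vr.isupper()):
            break  # not explicit VR (e.g. implicit-VR dataset): out of scope here
        if vr in LONG_VRS:
            if pos + 12 > len(data):
                break
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF or pos + length > len(data):
            break  # undefined length or truncated file: stop rather than guess
        if (group, elem) in PHI_TAGS:
            value = data[pos:pos + length].decode("ascii", "replace").strip(" \x00")
            if value:
                found[PHI_TAGS[(group, elem)]] = value
        pos += length
    return found

def _element(group, elem, vr, value):
    """Build one short-length explicit-VR element for the constructed samples."""
    value += b" " * (len(value) % 2)  # DICOM values are padded to even length
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

# Constructed sample files (not real patient data).
HEADER = b"\x00" * 128 + b"DICM" + _element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1\x00")
IDENTIFIED = (HEADER + _element(0x0008, 0x0060, b"CS", b"CT")
              + _element(0x0010, 0x0010, b"PN", b"DOE^JANE")
              + _element(0x0010, 0x0020, b"LO", b"TEST-0001"))
DEIDENTIFIED = HEADER + _element(0x0008, 0x0060, b"CS", b"CT") + _element(0x0010, 0x0010, b"PN", b"")

if __name__ == "__main__":
    for name, blob in {"ct_001.dcm": IDENTIFIED, "ct_002.dcm": DEIDENTIFIED}.items():
        print(name, patient_identifiers(blob) or "no patient identifiers found")
```

A file that returns a non-empty result holds patient identity in the clear, so anyone who can read the share can read the identity; files using other transfer syntaxes need a full DICOM library to inspect.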