
Imagine you're having a CT scan and malware alters the radiation levels – it's doable

WannaCry was a wake-up call for healthcare, but the sector is still terribly vulnerable to attack

By John E Dunn


As memories of last May's WannaCry cyber attack fade, the healthcare sector and Britain's NHS are still absorbing its lessons.

According to October's National Audit Office (NAO) report (PDF), 81 NHS Trusts, 603 primary care organisations and 595 GP practices in England and Wales were infected by the malware, with many others in lockdown, unable to access patient data.

WannaCry's upshot was to lock staff out of Windows computers, a bad way to learn the lesson that failing to patch old kit has consequences. But there was another, less obvious discovery: medical imaging devices (MIDs) such as Magnetic Resonance Imaging (MRI), Computed Tomography (CT) scanners, and digital imaging and communications (DICOM) workstations were badly disrupted, with serious knock-on effects for hospital workflow even when other systems had been restored.

In today's NHS, and healthcare generally, MIDs matter out of all proportion to their numbers, with some hospitals relying on perhaps half a dozen to cope with large volumes of disease, cancer, and pre- and post-operation diagnostics. "It's hard to imagine life without them," a hospital consultant who wished to remain anonymous told The Register.

Costing anything from £150,000 for smaller CT scanners to millions for the latest MRI designs, these turn out to be difficult to defend. Many in the NHS are controlled through applications run from vulnerable Windows XP or 7 PCs, the former reacting to WannaCry by blue-screening, effecting an inadvertent denial-of-service.

As the NAO noted: "This equipment is generally managed by the system vendors and local trusts are not capable of applying updates themselves." The UK's health sector security hand-holders NHS Digital confirmed to the NAO that manufacturer support was often poor, leaving trusts with few defensive options beyond isolating scanners from internal networks in ways that made accessing imaging data impractical.

Denial-of-Scanning

As far as anyone knows, WannaCry's makers did all of this without even meaning to. What if they had set out to take down a hospital, or attack MIDs in a calculated way? The possibilities turn out to have been alarmingly underestimated.

For May Wang, co-founder and CTO of US IoT security firm ZingBox, the proof-of-concept attack on healthcare was Conficker in 2008, not WannaCry in 2017.

"You don't hear about it but the impact of Conficker is actually bigger," says Wang. "But because not everybody is reporting it, we don't see that much impact in public."

It's a staggering thought: almost a decade after it infected hospitals around the world, including 800 PCs at a teaching hospital in Sheffield, a worm targeting a vulnerability in an obsolete version of Windows is still on healthcare's to-do list.


Researching the security of medical devices in 50 US hospitals, ZingBox discovered that, sure enough, MIDs contributed half of the high-risk security issues. The underlying cause? Almost all of these systems were being controlled through Windows workstations, often flaw-ridden versions going back to XP and even 98, which reflects the age of the scanning hardware.

"Because they're using a full-blown OS, they have the capability to use a browser, download applications and to do lots of things you are not supposed to do on an OS controlling an X-ray machine."

In the US at least, hospitals often try to partially isolate MIDs on VLANs, a strategy which quickly degrades as more devices are plugged into the same network segment.

ZingBox found that only a quarter of the devices on VLANs were medical in nature with the remainder made up of PCs, printers, and mobile devices, all vulnerable to malware that could use them as a staging post to reach MID workstations.

Compounding this is the way the number of connected and IoT-enabled medical devices is growing faster than bio-medical IT staff can keep up, says Wang. In many cases, hospitals don't even audit these devices, which makes protecting them hypothetical.

Ambulance chasing

Noticing the same vulnerabilities as ZingBox, researchers at Ben-Gurion University of the Negev in Israel decided to test out their hunch that MIDs could even be attacked directly by targeted malware.

The team's preliminary findings were published in a report (PDF) in February, which identified CT scanners as the number-one risk. These expose patients to defined amounts of radiation, a setting controlled using a configuration file whose parameters are set from a workstation application.


"This file is basically a list of instructions that the control unit gives to the CT in order to tell it how exactly to perform the scan, including how to move the motors, the duration, the radiation levels and more," says Tom Mahler, one of the report's lead authors.

"By manipulating these files, an attacker can potentially control exactly how the CT will work. This could be very dangerous and lead to radiation overdose, injury and possibly death."

Alternatively, attackers could attempt to mix up the scanning results, "causing mistreatment to the patient or vice versa". In neither example would the CT operator necessarily be aware that something was awry.

Although MIDs from different manufacturers use custom scanning applications, tailoring an attack for any one of these would not be difficult, confirms Mahler.

Having tested 23 different proof-of-concept attacks on MIDs in a simulated environment, Mahler and his colleagues (bioinformatics expert Professor Yuval Shahar, cyber security expert Professor Yuval Elovici and senior researcher Dr Erez Shalom) have promised to demonstrate them at a security conference during 2018.

The research predates WannaCry, but that malware's appearance served as a giant finger pointing to the weak protection of MIDs and medical devices in general.

"This attack demonstrated how quickly the development of cyber attack could be – the EternalBlue exploit was leaked in April, and the attack took place in May. Microsoft released a critical security update in March, even before the exploit was leaked, and it was still not enough to stop it."


Adding weight, the research was conducted in conjunction with Israel's largest healthcare provider, Clalit Health Services, whose head of imaging informatics is Dr Arnon Makori, who believes, if anything, that WannaCry has been underplayed.

"It was a global wake-up call for the whole healthcare world. I believe the impact was significantly higher than reported and many more devices and systems were affected," he told The Register.

Makori blames a "lack of awareness by the manufacturing companies, conservative operating systems and device architecture and cost benefit considerations" that will only be fixed with "a whole new cybersecurity strategy".

IoT infusion

The risks aren't limited to MIDs, and recent ZingBox research outlines a load of security holes in the design of one brand of IoT-enabled infusion pump, a ubiquitous medical device used to deliver fluids into patients at their bedside.

Hard-coded credentials that could be changed at will, lousy encryption, even the ability to splash a ransom message explaining that the device had been locked – you name it, it's all there.

That means, when we talk about healthcare security, we're mainly talking about information leakage. And in this particular field, we're actually talking about life and death, about interruptions of operations and patient safety, according to ZingBox.

What Wang and Mahler have uncovered is like a version of the panic over SCADA vulnerabilities in power stations – but worse.

"Medical devices are extremely valuable. You can ransom a person's files and it is inconvenient. If you ransom a person's life you will probably get as much money as you want," says Mahler. ®
