[Full-disclosure] Reliable reports on attacks on medical software and IT-systems available?
pschmehl_lists at tx.rr.com
Thu Aug 12 18:48:50 BST 2010
--On Wednesday, August 11, 2010 22:48:11 -0400 Caspian at random-interrupt.org
> Some hospitals have a well guarded network. Some Medical IT systems are
> secure. Some are not. The Threat Environment for medical institutions is
> similar to any other large company, except there's the added risk of
> medical records and data being exposed- which might be handy for all
> sorts of things (think insurance fraud, blackmail, etc). The truth is,
> it doesn't make much of a difference- the attack surface is also pretty
> similar to any other large institution; so much of it depends on
> internal policy and politics, as well as the technical stuff.
Bingo! You hit the nail on the head. The only difference between medical
networks and any other network is the type of data at risk. The attacks and
attack methodologies are the same, the success rate is the same, the quality of
the risk aversion is the same. There's nothing special about medical networks
from an attack standpoint.
> Most Radiology personnel would catch on to this pretty quickly- assuming
> it was meant to be a lethal attack. Pretty much any operator who has to
> train to the level these people do should be able to spot a lethal
> attack in progress, since the attack would cause the machine to behave
> erratically. You need the equivalent of an associate's degree to be an
> x-ray tech where I am, at least, and I think it's the same for most of
> North America and Europe. Hospitals often have their own specialists who
> tend to train like pilots- a certain number of hours with a specific
> machine, and then retraining when it gets updated. IT staff are
> sometimes part of that group.
As with anything, this is only as true as the number of people who are
conscientious and the subtlety of the attack. I never meant to say that
medical personnel aren't highly trained or capable. All I'm saying is that
humans are humans. If you don't specialize in IT, you're less likely to be
aware of the risks and possible attack methodologies, but you're more likely to
detect attacks that affect things you specialize in and are aware of.
Conversely, an IT person might not recognize a faulty setting on a machine that
a medical person would immediately recognize as wrong.
We can't all be radiologists any more than we can all be computer specialists.
> This level of training may not, however, be the case for something like
> a network-enabled IV (don't laugh! they exist)- since the telemetry that
> the IV is sending to the nurse's station could be falsified, and you
> don't really need specialized staff for this type of system. The same
> goes for things like heart rate monitors, etc... This is why we have
> local audits, external audits and Audit repositories, along with node
> and program authentication as a base requirement for the IT and data
> interchange standards that I'm aware of that certify these devices.
> Obviously, audit trails are post-facto, but proper monitoring should be
> able to detect an attack in progress.
The vast majority of attacks are going to be "throw it up against the wall and
see if some sticks" type of attacks. Who knows what impact they might have on a
heart monitor or a networked IV? And since most expensive equipment that
requires a separate PC controller will be running Windows, older OSes,
unpatched and without AV, the chances of a "throw it up" attack being
successful are relatively high unless you've mitigated the risk in some way.
The annual Verizon Data Breach Investigations Report is a good place to start.
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
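The mitigation Caspian mentions for networked IVs and monitors, node and program authentication so that telemetry cannot be falsified on the wire, can be made concrete. What follows is an added example written for this page, not code from either poster or from any device vendor or standard: a constructed infusion-pump reading is tagged with a per-device HMAC key, and the nurse-station side verifies the tag and a strictly increasing sequence number before it trusts the value, so a tampered reading, a replayed reading, and a reading from an unenrolled device are all rejected. The device IDs, keys, field names and JSON framing are assumptions made for the illustration; a real product would also need key provisioning and an audit log of rejects, which this example does not cover.

```python
"""Authenticated device telemetry (added example; not any real pump protocol).

Assumed message layout: {"body": {...}, "tag": hex(HMAC-SHA256(key, body))}.
"""
import hashlib
import hmac
import json

# Constructed per-device keys; in practice provisioned at device enrolment.
DEVICE_KEYS = {"iv-pump-0042": b"\x01" * 32}


def _canonical(body):
    # Fixed serialization so sender and receiver MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id, seq, ml_per_hour, key):
    """Device side: emit a reading with an HMAC tag over the canonical body."""
    body = {"device": device_id, "seq": seq, "rate_ml_h": ml_per_hour}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class NurseStation:
    """Receiver side: only accept readings that authenticate and are fresh."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}  # device id -> highest sequence number accepted

    def accept(self, msg):
        body = msg.get("body", {})
        device = body.get("device")
        key = self.keys.get(device)
        if key is None:
            return False, "unknown device"  # node authentication: not enrolled
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare; check the tag BEFORE touching the replay
        # state so unauthenticated traffic cannot advance the counter.
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "bad tag"
        seq = body.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq.get(device, -1):
            return False, "replayed or out-of-order"
        self.last_seq[device] = seq
        return True, "ok"


def demo():
    """Run the four cases a practitioner would want to see; returns the reasons."""
    key = DEVICE_KEYS["iv-pump-0042"]
    station = NurseStation(DEVICE_KEYS)
    results = []

    genuine = sign_reading("iv-pump-0042", 1, 25.0, key)
    results.append(station.accept(genuine)[1])  # ok

    tampered = sign_reading("iv-pump-0042", 2, 25.0, key)
    tampered["body"]["rate_ml_h"] = 250.0  # attacker rewrites the rate in transit
    results.append(station.accept(tampered)[1])  # bad tag

    results.append(station.accept(genuine)[1])  # replayed or out-of-order

    rogue = {"body": {"device": "rogue-01", "seq": 1, "rate_ml_h": 0.0}, "tag": ""}
    results.append(station.accept(rogue)[1])  # unknown device

    results.append(station.accept(sign_reading("iv-pump-0042", 2, 25.0, key))[1])  # ok
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point of the ordering inside `accept` is that the replay counter is only updated for messages that already carry a valid tag; otherwise a spoofed, unauthenticated packet with a high sequence number could lock out the genuine device. Audit trails, as the thread notes, are after the fact; the tag and counter checks are what let the station refuse a forged reading while it is happening.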
Full-Disclosure is hosted and sponsored by Secunia.