Uploaded byanirudh duggal
Medical device security_anirudh
- Medical devices range greatly in size and cost, from small and inexpensive devices worn on the body to large and expensive equipment like patient monitors. - Hospitals face challenges in securing these increasingly networked and mobile medical devices from cyber attacks due to lack of funding, outdated infrastructure, and lack of skilled security personnel. - The HL7 protocol is commonly used in medical devices to transmit patient data, but was designed in the 1980s and has security vulnerabilities that could allow attackers to access and manipulate sensitive health information if devices are connected to networks without proper protections.
More Related Content
Similar to Medical device security_anirudh
![[Wroclaw #6] Medical device security](https://cdn.slidesharecdn.com/ss_thumbnails/medicaldevicesecurityowaspnopictures-170531065557-thumbnail.jpg?width=640&height=640&fit=bounds)
Medical device security_anirudh
- 1. Medical device security --Anirudh Duggal
- 2. Agenda • What isa medical device? • Range of medical devices • Challenges • Besides challenges • Device attacks • Network attacks • Understanding the HL7 message • Manipulating the HL7 message
- 3. What is amedical device? • A medical device is an instrument, apparatus, implant, in vitro reagent, or similar or related article that is used to diagnose, prevent, or treat disease or other conditions, and does not achieve its purposes through chemical action within or on the body (which would make it a drug) -- wiki
- 4. Range of devices Cost:Rs 250 115 (50% off) Fits in pocket Cost: can reach up to 3 million $ Size: about the size of a truck (don’t ask the weight ;) )
- 5. And the memory Ahospital data center… A simple DIY device
- 6. And………. • Patient monitors •Insulin monitors • Pacemakers • Heart rate devices • “smart bands” • Home monitoring solutions
- 7. The impact ofa breach / attack • Privacy • Financial – a medical record fetches 32x a credit card record • Physical?
- 8. Everything’s changing…. Fast… •Everyone wants mobility (patient, doctors, nurses, clinicians) • Diagnostics • Big data analysis • Information gathering
- 9. So why notbuy them and start hacking? • Cost: $$$ to $$$$$$$$ • License • And you need domain knowledge
- 10. A typical hospitalscenario EMR (electronic medical record) Patient monitors LAN / WIFI/ Bluetooth/ Doctor's PC / Secretary PC Doctor's Mobile/ Nurse mobile Other hospitals
- 11. A typical patientmonitor Lan / WiFI TCP / IP HL7 Serial ports EMR Other peripheral devices USB
- 12. From a hospitalperspective • If it works – its all good • Cybersecurity needs more investment and skilled individuals • Vendors should take care of all security issues • “why will someone attack a hospital computer – go hack NASA” • “we are doctors, not cyber warriors”
- 13. Hospitals need tounderstand • Cybersecurity != more money BUT Cybersecurity == better functioning • Risks of a cyber attack • Patching is a problem, but absolutely worth it • Having IDS / IPS • Say no to outdated infrastructure (this is changing rapidly )
- 14. Securing these devices •Having a policy in place – cybersecurity policy anyone ? • DO NOT CONNECT THESE DEVICES TO THE INTERNET • Make sure the systems are patched • Know your hospital ( public and private networks anyone? )
- 15. Policies / agenciesin place • FDA • HIPAA
- 16. Diving into medicaldevices • They have an OS (sometimes ) • They have connectivity ( Fuzzers ;) ) • They do have logical errors • Protocols • Compare the low end devices to IOT devices • Can crash / misbehave
- 17. Potential entry points •Wifi / Lan • Serial ports • USB - Firmware • The sensors • Keyboard / mouse • Firewire • Protocols
- 18. Challenges with thesedevices • Servicing • Uptime • Cost
- 19. Technical issues observedon the ground • Lack of encryption between the devices • Lack of skilled personnel
- 20. What is HL7? •Health level standards • Most popular in healthcare devices (HL7 2.x) • Quite old – designed in 1989 • FHIR is the next gen
- 21. HL7 2.x • Mostpopular HL7 version • New messages / fields added
- 22.
- 23.
- 24.
Editor's Notes
- #5 This is to break the notion that medical devices are just pumps, oximeters, heart rate sensors. The devices can be as simple as a thermometer or as sophisticated as a MRI machine which has many computers working synchronously.
- #6 To emphasize more on the fact that these devices hold much memory, be it processing or data collection, these devices are evolving very quick
- #7 Besides hospital environments there are many medical devices that as general population, are not aware of. They may be given on case to case basis.
- #8 To explain that there is a rise in the security events around the medical devices, besides gaining access to confidential information attackers can harm the patient directly. e.g. the insulin pump hacks demonstrated at blackhat showed how an attacker can hack into insulin pumps. In a hospital environment there are other devices say heart rate monitor, oximeter ; these devices are being targeted now.
- #9 The growing trend of introducing mobility to the existing solutions. With diverse range of applications these mobile devices (Android and IOS tablets) can be considered a medical device. Patient monitors, heart rate monitors, blood test machines. A lot of information is needed while taking life saving decisions and accurate diagnostics. This requires data.
- #10 Like any critical infrastructure (scada, grid, nuclear plants) an anomaly in these systems can harm people / lives. DO NOT attack any infrastructure without prior knowledge of the system. A simple fuzz on the patient monitor can potentially break the system. Have a controlled environment. Also it would hold much value to “know” what you’re testing. This helps in understanding the system better and also creating better attack scenario.
- #11 This is just a general observation, some hospital do have sophisticated environments, but a majority of them do not. The focus here is more on the ease of setup and maintenance rather than having a secure setup in place.
- #12 The picture is there to depict a patient monitor, you can replace the same with a tablet / mobile device, the focus here is on the hospitals and the security inside them so we avoid having a mobile device.
- #13 The common assumptions / myths on the hospitals. There is a huge gap in understanding the risks on the infrastructure. It may sound like a movie but it is possible to take down the entire infrastructure by manipulating subtle parameters in the devices and the traffic that flows between them.
- #14 To understand that cyber security is a bigger risk more than ever. Even though we are pushing towards affordable healthcare we cannot neglect / undermine the need for security in hospitals.
- #15 To understand that everything cannot stay “just working”. An active maintenance plan is needed, if possible a system that manages inventory in terms of software and the patches available.
- #16 Healthcare is a regulated industry and most of the major vendors have to compliant with them.
- #17 To just give an overview that these are more like IOT devices. They have the same properties like those of a computer but with much less memory.
- #18 To compare them to an IOT device but with much enhanced capacity, these RTOS devices have a dedicated program and usually does not run an off the shelf OS.
- #19 To understand the perspective on why we cannot just start replace these devices. Most of them are critical for the patient and have to be running 24x7. Also these devices require much investment.
- #20 It is often observed that the hospitals do disable encryption on the devices for interoperability. This is a high risk and should be avoided. Like banking domain we do need more cyber security and people available in case of a breach.