How do you know your CT (or MRI, ultrasound, portable x-ray) is not hacked? Do you monitor traffic in and out of the device to look for anomalies? Do you have any visibility into the packets and traffic going to or coming from the device? Do you just assume that your hospital firewall security is taking care of everything?
If you assume your devices are protected and are not actively monitoring your medical devices, then chances are good that you have already been hacked and just don’t know it.
Why? There are a variety of reasons, but number one is that the operating system on most medical devices is very difficult to patch and keep updated against the latest security threats. Not because the device runs any special operating system – they don’t. Most run Windows or some flavor of Linux. The reason they are difficult to patch is because of FDA regulations and restrictions on the manufacturers. All medical devices must go through FDA approval and any changes from the “approved configuration” must also go through the approval process to make sure they don’t impact patient care or worse yet, actually put patients in danger.
Hence, manufacturers can be slow to roll out updates and patches, while hackers are not limited by such regulations. They can evolve their attacks daily or hourly, finding new ways to exploit holes in these unpatched operating systems.
But we have a firewall!
Every organization has a firewall, even the ones that had their medical devices frozen by ransomware. Even the hospital system in England that got their records locked had a firewall. Even the Iranians had a firewall on their centrifuges before they got ruined by a virus.
Firewalls are great for protecting the devices inside your network from the threats outside your network. But they do nothing to protect your devices from threats from inside your hospital network. A hacker can easily walk in with a USB drive and slip it into any computer in an exam room or front desk when nobody is watching, and the USB drive will launch software, scan the network, infect devices, phone home to a control system, and eventually wreak havoc on your network.
Or a user can click on a malicious email that downloads malware on a computer inside the firewall and the process starts from there. Hackers have hundreds of ways to penetrate your firewall and they know how to exploit them.
So how can I protect my medical devices?
There are two steps needed to protect your medical devices – micro-segmentation of your network and active monitoring of your medical devices.
Micro-segmentation
Micro-segmentation is a fancy term for putting each medical device behind an individual firewall, and locking access down so that only known good traffic can travel down the wire from your wiring closet to the device. You can’t block all traffic – you still need to send to your PACS system, query your RIS system, get updates and tech support from your manufacturer, maybe communicate with the infusion pump. But installing and programming a firewall just for that particular device helps ensure that only valid traffic is traveling in and out of that device.
Programming and managing these firewalls and the rules for each is not a simple task. But with today’s network management orchestration tools such as FortiManager, it is much easier to create group policies based on device type, update those policies in one place, and then push them out to all your devices. For example, you can have custom policies for all your GE ultrasounds in a particular building. They all talk to the same PACS and RIS system, connect to the same wireless network, and talk to the same manufacturer. You create one policy for all GE ultrasounds and push it down to the VLANs that host ultrasounds. The VLAN can be connected to both wired and wireless networks across your hospital. One policy orchestrated in one place and pushed building- or campus-wide.
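As an added illustration (not code from this post, and not FortiManager's own policy syntax), the following Python models a per-device-type group policy of the kind described above and evaluates flows against it with a default deny. The device type, the PACS, RIS, DNS and NTP addresses, the vendor support network and the VLAN segment are all assumed values; port 104 (DICOM) and port 2575 (HL7 MLLP) are conventional defaults and the real ports at a given site may differ.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str                     # human-readable purpose of the rule
    dst: ipaddress.IPv4Network    # destination the device may reach
    proto: str                    # "tcp" or "udp"
    port: int                     # destination port


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


# One group policy per device type. Every address below is an assumed value for
# this example; port 104 (DICOM) and 2575 (HL7 MLLP) are conventional defaults.
POLICIES = {
    "ge-ultrasound": [
        Rule("DICOM store to PACS", net("10.10.5.20/32"), "tcp", 104),
        Rule("HL7 worklist query to RIS", net("10.10.5.30/32"), "tcp", 2575),
        Rule("DNS to hospital resolver", net("10.10.0.53/32"), "udp", 53),
        Rule("NTP to hospital time source", net("10.10.0.123/32"), "udp", 123),
        Rule("Vendor remote support over TLS", net("198.51.100.0/24"), "tcp", 443),
    ],
}


def is_allowed(policy_name, flow):
    """Default deny: a flow passes only if one rule matches protocol, port and destination."""
    dst = ipaddress.ip_address(flow.dst)
    return any(
        flow.proto == r.proto and flow.dport == r.port and dst in r.dst
        for r in POLICIES[policy_name]
    )


def violations(policy_name, flows):
    """Flows the device-type policy would block; useful for testing a policy
    against a capture of real traffic before pushing it to the segment firewalls."""
    return [f for f in flows if not is_allowed(policy_name, f)]


def render_rules(policy_name, segment):
    """Render the policy as vendor-neutral ACL lines for one VLAN segment.
    The syntax is illustrative only, not a particular firewall's."""
    lines = [f"# policy {policy_name} for segment {segment}"]
    for r in POLICIES[policy_name]:
        lines.append(f"permit {r.proto} {segment} -> {r.dst} port {r.port}   ; {r.name}")
    lines.append(f"deny ip {segment} -> any   ; default deny")
    return lines


if __name__ == "__main__":
    print("\n".join(render_rules("ge-ultrasound", "10.10.40.0/24")))
```

Running a day's worth of flow records through violations() before the policy goes live is the cheapest way to find the legitimate traffic (a forgotten print server, a second RIS interface) that the group policy would otherwise break.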
Medical device security monitoring
Once you have firewalls protecting your devices, you can forget about them, right? WRONG! Security is an ongoing practice. What is secure today may not be secure tomorrow. Threats evolve, tactics evolve, and as any security expert is fully aware, monitoring your environment for attacks is crucial to evolving your defenses.
Does that mean you need to log into every firewall every day and check the security logs? NO! Well, you can do that if you like, but that is very resource-intensive. Security automation tools make this task much easier.
Implementing a security automation tool like FortiSIEM allows you to ingest logs from each of your medical device network segments, as well as from PACS servers, from the modalities and devices themselves if supported, and from probes on the network if you wish. The SIEM product can monitor traffic over time and allow you to build a benchmark of normal services. You can then set alarms and alerts notifying you of suspicious traffic. If your firewalls support packet inspection, they can notify your SIEM service of unusual activity or malware targeting your medical devices. You can have multiple dashboards for different people. For example, biomed can have a dashboard showing alarms, alerts, and traffic flows on the affected network segments but can be restricted to view-only mode. Your network engineering and security operations staff can have more detailed views into potential alarms and anomalies, and have the ability to modify rules, test traffic, and route traffic to a sandbox environment. Your radiology or lab manager can have a dashboard showing traffic flows so they can correlate increased traffic loads with increased patient loads.
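To make the "benchmark of normal services" concrete, here is an added Python example (not the post's code and not FortiSIEM's logic) that builds a per-service traffic baseline from a history window and raises alarms when a day's volume exceeds it or when a service appears that was never in the baseline. The segment and service names and every byte count are constructed values.

```python
from statistics import mean, pstdev

# Constructed history: daily bytes per (segment, destination service) over a
# 7-day baseline window, as a SIEM would aggregate them from the segment firewalls.
HISTORY = {
    ("ct-segment", "PACS"): [50_000_000, 52_000_000, 48_000_000, 51_000_000,
                             49_000_000, 53_000_000, 50_000_000],
    ("ct-segment", "RIS"):  [4_000, 4_200, 3_900, 4_100, 4_000, 4_300, 4_100],
    ("ct-segment", "vendor support"): [0, 0, 0, 0, 0, 0, 0],   # flat series: no variance
}


def build_baseline(history, k=3.0, min_margin=0.2):
    """Per-service alert threshold = mean + max(k * stddev, min_margin * mean).

    The relative floor stops a near-flat series (stddev close to 0) from alarming
    on every tiny change. A service that carried no traffic at all in the window
    still gets a threshold of 0, so any traffic on it alarms, which is what you
    want for a remote-support channel that should be quiet most of the time."""
    baseline = {}
    for key, samples in history.items():
        mu = mean(samples)
        threshold = mu + max(k * pstdev(samples), min_margin * mu)
        baseline[key] = (mu, threshold)
    return baseline


def evaluate_day(today, baseline):
    """Alarms for services over their threshold and for services absent from the baseline."""
    alarms = []
    for key, value in today.items():
        if key not in baseline:
            alarms.append((key, "service not present in baseline window"))
        elif value > baseline[key][1]:
            mu, threshold = baseline[key]
            alarms.append((key, f"{value} bytes exceeds threshold {threshold:.0f} (mean {mu:.0f})"))
    return alarms


# Constructed "today" aggregate for the same segment.
TODAY = {
    ("ct-segment", "PACS"): 54_000_000,            # within normal variation
    ("ct-segment", "RIS"): 25_000,                 # several times the usual volume
    ("ct-segment", "vendor support"): 9_800,       # first traffic seen on this channel
    ("ct-segment", "203.0.113.45:443"): 1_250_000, # destination never seen before
}

if __name__ == "__main__":
    for key, reason in evaluate_day(TODAY, build_baseline(HISTORY)):
        print(f"ALARM {key}: {reason}")
```

The biomed dashboard described above would show the alarm list; the security team's view would add the underlying flows so the RIS spike can be separated from, say, a month-end report run.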
What if I don’t have the manpower to monitor this traffic?
That is where a company such as SageNet comes in. We monitor traffic for hundreds of customers and over 200,000 network connections. We can monitor your traffic, investigate suspicious traffic, and notify your security team of unusual behavior that needs investigation. Our SIEM-as-a-service offering will handle the complexities and 24/7 monitoring needed to ensure your devices stay safe and secure.
How can I determine if my CT has been hacked?
Your CT (or medical device) vendor should offer tools to scan your device for malware. However, this may not always catch intrusions, especially attacks on unknown (zero-day) bugs in the operating system. Another way is to do packet capture and decodes of the traffic going into and out of the CT.
First, look for unusual data flows. This is fairly simple to do, and your existing engineers should be able to determine whether traffic is going to valid devices on your network. They know the IP addresses of your PACS, RIS, film printer, and other devices; if they see unusual traffic outbound to public IP addresses, or to devices on your network that your CT should not be communicating with, they can drill down into the issue, talk to the manufacturer, and determine whether the traffic is normal.
In addition to looking at packet flow, you can look for unusual DNS queries, ICMP traffic, or encrypted traffic traveling to other devices. If your CT is regularly querying your DNS server for outside addresses, this can be a clue to unauthorized traffic. If your CT is sending encrypted packets anywhere, you will want to contact your vendor to determine if this is normal traffic flow.
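The two checks just described, run over constructed data, as an added Python example that is not part of the original post. The CT address, the known-good destinations, the hospital address space, the hospital and vendor DNS suffixes and every sample flow and resolver line are assumed values. triage_flows() flags traffic from the CT to any host the engineers would not recognize, marking ICMP and traffic on TLS/SSH ports among those findings, and triage_dns() flags queries for names outside the hospital's and the vendor's domains.

```python
import ipaddress

CT_IP = "10.10.40.11"                                   # assumed address of the CT
HOSPITAL_NET = ipaddress.ip_network("10.10.0.0/16")     # assumed hospital address space
HOSPITAL_DNS_SUFFIX = ".hospital.example"               # assumed internal DNS zone
VENDOR_DNS_SUFFIXES = (".vendor.example",)              # assumed manufacturer domains
ENCRYPTED_PORTS = {22, 443, 8443}                       # ports where traffic is normally TLS/SSH

# Destinations the engineers know the CT legitimately talks to (assumed values).
KNOWN_GOOD = {
    ipaddress.ip_network("10.10.5.20/32"):   "PACS",
    ipaddress.ip_network("10.10.5.30/32"):   "RIS",
    ipaddress.ip_network("10.10.5.40/32"):   "film printer",
    ipaddress.ip_network("10.10.0.53/32"):   "DNS resolver",
    ipaddress.ip_network("198.51.100.0/24"): "vendor support",
}

# Constructed flow records exported from the CT's segment firewall:
# (src, dst, proto, dst_port, bytes).
FLOWS = [
    ("10.10.40.11", "10.10.5.20",   "tcp",  104,  52_000_000),  # DICOM study to PACS
    ("10.10.40.11", "10.10.5.30",   "tcp",  2575, 4_100),       # HL7 to RIS
    ("10.10.40.11", "10.10.0.53",   "udp",  53,   180),         # DNS
    ("10.10.40.11", "198.51.100.7", "tcp",  443,  9_800),       # vendor support session
    ("10.10.40.11", "203.0.113.45", "tcp",  443,  1_250_000),   # TLS to a host nobody recognizes
    ("10.10.40.11", "10.10.60.200", "tcp",  445,  30_000),      # SMB to an unrelated internal host
    ("10.10.40.11", "10.10.60.37",  "icmp", 0,    64),          # ICMP to an unrelated internal host
    ("10.10.3.8",   "203.0.113.45", "tcp",  443,  2_000),       # another client; not the CT
]

# Constructed resolver log lines: "<client> <queried name>".
DNS_LOG = [
    "10.10.40.11 pacs.hospital.example",
    "10.10.40.11 support.vendor.example",
    "10.10.40.11 a8f3k2.dyn-example.net",
    "10.10.3.8 www.example.org",
]


def known_service(dst):
    """Name of the known-good destination, or None if the engineers would not recognize it."""
    addr = ipaddress.ip_address(dst)
    for network, name in KNOWN_GOOD.items():
        if addr in network:
            return name
    return None


def triage_flows(flows, device_ip=CT_IP):
    """Flag flows from the device to destinations outside the known-good list."""
    findings = []
    for src, dst, proto, dport, nbytes in flows:
        if src != device_ip or known_service(dst):
            continue
        addr = ipaddress.ip_address(dst)
        where = ("internal host the device should not talk to" if addr in HOSPITAL_NET
                 else "address outside the hospital network")
        tags = []
        if proto == "icmp":
            tags.append("icmp")
        if proto == "tcp" and dport in ENCRYPTED_PORTS:
            tags.append("encrypted")
        tag_text = f" [{', '.join(tags)}]" if tags else ""
        findings.append(f"{proto}/{dport} {nbytes} bytes to {dst}: {where}{tag_text}")
    return findings


def triage_dns(lines, device_ip=CT_IP):
    """Flag queries from the device for names outside the hospital's and vendor's zones."""
    findings = []
    for line in lines:
        client, qname = line.split()
        if client != device_ip:
            continue
        name = qname.lower()
        if name.endswith(HOSPITAL_DNS_SUFFIX) or name.endswith(VENDOR_DNS_SUFFIXES):
            continue
        findings.append(f"DNS query for outside name {qname}")
    return findings


if __name__ == "__main__":
    for finding in triage_flows(FLOWS) + triage_dns(DNS_LOG):
        print("REVIEW:", finding)
```

Each finding is a lead for the engineer to take to the manufacturer, not a verdict: the encrypted flow to the unrecognized public host is the one to chase first, since the vendor can confirm in minutes whether it is theirs.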
An experienced engineer with an understanding of medical device workflow can decode the packets and determine whether the data being transmitted is valid or may contain malware. This takes advanced knowledge and is not normally done by hospital network engineers, whose skills are more general.