Darlene Storm

Downloading of software updates for lifesaving medical devices proves very dangerous

June 19, 2012 6:14 PM EDT

When it comes to security, one of the scariest things out there sounds like science fiction and pertains to hacking implantable medical devices. Pacemakers and insulin pumps do help save lives, but they are vulnerable to lethal attacks; there are continued warnings that exploiting these medical devices will eventually cost someone their life. Here’s a slightly different take on the scenario; you’ve heard of drive-by-downloads that can infect a machine with malware without the user agreeing to the automatic download, but how about serving up malware in software updates for medical devices such as ventilators?

The global medical technology corporation CareFusion specializes in “reducing medication errors and helping prevent health care-associated infections.” It makes IV pumps, ventilators, respiratory products, automated dispensing of medicine, patient identification systems, has infection surveillance services and more. The company website states, “At CareFusion, we are united in our vision to improve the safety and lower the cost of healthcare for generations to come.” Granted that IT staffs are always overworked and understaffed, but it seems less like “care” and more like negligence to run its website on six year old versions of Windows software.

Viasyshealthcare.com belongs to CareFusion, so imagine going there to update a lifesaving piece of medical equipment like a respirator, specifically "AVEA Ventilator software update." Instead, however, you discover the healthcare site is sick with malware and serving up infections in medical software updates. This was so frustrating to the Medical Device Security Center that University of Massachusetts Amherst professor Kevin Fu wrote, “Health care professionals might as well stop their washing hands while they're at it.” He added, “The risks should be obvious. This is an update for a medical device, and yet one must download it in a manner as if software sepsis is no big deal.”

Google Safe Browsing for viasyshealthcare.com reported, “Of the 354 pages we tested on the site over the past 90 days, 20 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-06-17, and the last time suspicious content was found on this site was on 2012-06-13. Malicious software includes 48 trojan(s), 3 scripting exploit(s).”

Threatpost reported that DHS is investigating and “an analysis by the Department of Homeland Security found that some of CareFusion's Web sites were relying on six year old versions of ASP.NET and Microsoft Internet Information Services (IIS) version 6.0, which was released with Windows Server 2003. Both platforms are highly susceptible to compromise.” DHS “may refer it to its ICS-CERT division, which focuses on threats to critical infrastructure.”

Why would Homeland Security be involved? In April, the feds were pressed to protect wireless medical devices from hackers. By May, Public Intelligence posted the “DHS Wireless Medical Devices/Healthcare Cyberattacks Report.” Just because we can hook all these medical devices to the Internet, does not make it any wiser than connecting other critical and vulnerable infrastructure to the web so it might be hacked. DHS said most medical devices were “not designed to be accessed remotely” yet “the flexibility and scalability of wireless networking makes wireless access a convenient option.” According the report [PDF]:

Because the technology is so new, there may not be an authoritative understanding of how to properly secure it, leaving open the possibilities for exploitation through zero-day vulnerabilities or insecure deployment configurations. In addition, new or robust features, such as custom applications, may also mean an increased amount of third party code development which may create vulnerabilities, if not evaluated properly.

Implantable Medical Devices (IMD): Some medical computing devices are designed to be implanted within the body to collect, store, analyze and then act on large amounts of information. These IMDs have incorporated network communications capabilities to increase their usefulness. Legacy implanted medical devices still in use today were manufactured when security was not yet a priority. Some of these devices have older proprietary operating systems that are not vulnerable to common malware and so are not supported by newer antivirus software. However, many are vulnerable to cyberattacks by a malicious actor who can take advantage of routine software update capabilities to gain access and, thereafter, manipulate the implant.

Well now . . . while taking advantage of a routine software update in the case of CareFusion may not have led to a lethal cyberattack, could it have opened the way to some equally insidious attack that infects hospitals or open a backdoor to medical devices that are supposed to help save lives? Scrubs and Suits said, “Many IT security experts are concerned that patient care could be compromised by terrorists who want to cause destruction and fear, or even by a particularly aggressive viral infection.” Then the article pointed out that “in July of 2010, Kern Medical Center, a 172-bed hospital in California, was infected by a virus that was so aggressive that it actually shut down the hospital’s EHR system for about two weeks.”

During the Slashdot discussion of CareFusion serving up malware in medical device software updates, an Anonymous Coward wrote, “Hospitals have LARGE amounts of devices that are internet enabled like $300,000 cat scan machines that PDF and email documents and are managed only via IE 6....They almost always use very obsolete platforms with 256 megs of ram, IE 6, etc. The budget analysts folks are under heavy pressure to cut costs and IT is always the cost center at the end of day.”

It’s time for IT to be a priority when it comes to securing healthcare, not dead last on the totem pole, and running totally exploitable systems that allow ventilator software updates to be tainted with malware. Let’s not wait to make security a priority for implantable medical devices either; let’s not wait until after an attacker exploits and remotely assassinates someone through a device that was supposed to save their life.

**Update: CareFusion is very unhappy with this article and says: "We know the Windows virus does not affect any downloadable software and has no effect on our medical devices. It could affect Windows PC files, and we have taken quick action to clean and restore our affected systems."