• Hospitals Breached via Medical Devices?

        Jun 25 2015, 4:18 PM

        by Brian Witten 5

        Many were surprised to read that extremely sophisticated and expensive medical devices, such as X-Ray machines and Blood Gas Analyzers, had been used as a pivot point in more broadly penetrating IT systems in three hospitals.  Even though general vulnerability of networked medical devices has been well known, these are the first documented cases where such devices were used as pivot points for broader lateral attacks into the rest of the hospital. 

        With such exploitation now reported, I’d like to help “peel the onion” on why such obvious problems have been practically impossible to fix for so long.  Surprisingly, the answer has nothing to do with technology.  Many of these systems actually, believe it or not, run well-known software “under the hood,” such as various flavors of Windows and Linux.  Sadly though, these extremely important machines are almost never updated with the latest security patches.  Such risks aren’t a secret in hospitals.  The healthcare industry has long seen the risks as these devices had previously been infected by malware such as Zeus, Citadel, Conficker, and more.  In fact, some (computer) virus infections have shut down entire hospital departments, required rerouting of emergency patients, or had similar implications on care delivery.

        Of course, any PC in the hospital, just like your laptop, has countless defenses against such malware.  Well-patched machines running effective, up-to-date anti-virus software are well protected against such malware and hacker attacks.   Unfortunately though, for regulatory or policy reasons, hospitals are not allowed to patch medical devices, even medical devices running Windows or other commercial software.  Similarly, hospitals are not allowed to install any additional software on these medical devices, even security software essential for protection.  The original logic stems from good reason.  Medical equipment, including its software, must undergo formal testing and be determined safe for patients.  Changing the software in any way, including patches, or adding software without explicit approval by the manufacturer can change the behavior of the device in ways that could endanger patients.  For such reasons, regulatory restrictions prohibit tampering with medical equipment, even if the tampering is intended to protect the equipment and ultimately protect the patients.

        How big are the risks?   Obviously there is no risk of “banking information” being stolen from an MRI.  However, some of the machines are so vulnerable that they may crash when they experience unexpected behavior.  Chris Eng, VP of Research at Veracode, recently tweeted that an MRI machine crashed when simply scanned for vulnerabilities, or other researchers have reported that a simple SNMP inquiry could “tip over” medical equipment. Of course, not all medical devices are that sensitive, but none of these devices should be so vulnerable.  When a device becomes infected, either as an entry-point, pivot-point, or just as part of a broader infection, we need to be concerned about the potential consequences. Critical system controls may get altered and could result, for example, in an excessive radiation dose from a CT scanner.  Vulnerabilities found in insulin pumps have been shown to be outright lethal.

        Another concerning scenario would be that of a targeted attack on a medical device, for example to harm a specific patient or the reputation of a hospital. Although no such cases have been documented or reported to date, security researchers have demonstrated risks for Pacemakers (Kevin Fu), Insulin Pumps (Jerome Radcliffe) and Infusion Pumps (Billy Rios), the latter resulting in an advisory from Homeland Security’s ICS-CERT and a patient safety communication from the FDA.

        What is being done?  In 2014, the FDA issued guidance to medical equipment makers regarding cybersecurity for the medical devices that they make and sell.  I’m sure we’ll see further guidance, and potentially even enforcement, in years to come.  Device makers need to design in the cybersecurity as well as capability to update devices “in the field,” and need to work with regulators on a process whereby it is easier for such updates to be provided to their customers.  At the same time, hospitals are working on their processes to build a more secure medical device infrastructure.

        Could such a strategy work?  Will it?  Do you like the approach, or does it worry you?  Either way, I’d love to hear your thoughts.  Feel free to email us anytime at and visit us online at

        For more reading:

        • Products
        • Critical System Protection
        • Symantec Enterprise Security
        • Thought Leadership
        • Device Certificate Service
        • Identity and Authentication Services
        • IoT
        • healthcare IT
        • Security Community Blog
        • Managed PKI for SSL
      • New Rules: Feds Mandate HTTPS on U.S. Government Sites

        Jun 18 2015, 3:35 AM

        by Tiphany Zellers 1

        Have you read the news lately? It seems like hardly a week can go by without another data breach happening.

        In the past few years, cybercriminals have upped their game considerably, using incredibly sophisticated attacks in growing number. Out of every six large companies, five were targeted last year for attack—that’s a 40% increase over 2013.*

        The recent breach on federal employees’ private data, allegedly from China, only underscores the continued looming menace cybercriminals present—and this threat hasn’t gone unnoticed by the feds.

        In a January 12 post on the White House Blog, President Obama is quoted as saying: “This is a direct threat to the economic security of American families, and we've got to stop it.” Further adding, "If we're going to be connected, then we need to be protected."  So true! And that line of thinking is what prompted the U.S. government’s latest move.

        To help combat these attacks, the White House has mandated that all public-facing Web sites of the federal government must implement HTTPS within the next two years.

        This is no minor security update. It carries far-reaching implications that extend beyond the fed. Here’s what we mean.

        What HTTPS Offers to Everyone

        HTTPS provides a secure line of communication over the Internet, combining the usual HTTP (Hypertext Transfer Protocol) that you see in the address bar of unsecure sites, with SSL (Secure Sockets Layer) that you’re likely to see on most sites involving financial transactions.    

        This federal move shouldn’t come as a surprise, as the majority of the U.S. government sites have already made the switch to the secure protocol. This includes, which made the switch on March 11, 2015, to other federal sites that made the jump earlier, like,, and others.

        This goes beyond the initial site communication handshake—drilling down to subdomains, like, too.

        Up until now, many government sites are current with NIST-recommended SSL standards, but the administration has now moved to make prioritizing security and privacy a common practice among all aspects of federal government sites.

        Make no mistake about it, this is huge!

        These extra security measures follow the Always On SSL tenets advocated by the Online Trust Alliance, exhibiting some of the strongest moves yet to protect the identity and personal information of U.S. citizens online.

        Others Must Follow, Strengthening the Security of the Web

        Cybercrime isn’t going to easily back down.

        Now, it’s far too easy to compromise private information on sites with subpar security. Today’s cybercriminals are smart and tenacious. By protecting all aspects of a site with SSL—not just transaction pages—businesses can help quell social engineering techniques. These complex ruses can now fool even the savviest netizens into handing over their private information to the bad guys.   

        Nothing is 100% unhackable now and forever. But just like locking your car doors when you’re out, providing as much security as possible is still a good great idea! By expanding the coverage of SSL, we help further the strength and backbone of the Internet itself.

        *2015 Internet Security Threat Report, Volume 20


        • Products
        • website security solutions
        • DigiCert Code Signing
        • Products and Solutions
        • Symantec Website Security