Episode 15 · March 25, 2025 · 36m listen · 2,522 words · ~13 min read
The Growing Importance of Interoperability and Third-Party Component Security | Ep. 14 - Full Transcript | The Med Device Cyber Podcast
Read the complete, searchable transcript of Episode 15 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.
Episode summary
This episode of The Med Device Cyber Podcast delves into the critical cybersecurity risks associated with medical device interoperability. Hosts Christian Espinosa and Trevor Slatterie explore the concept of
Key takeaways from this episode
- A significant risk in interoperability is the "second-order attack," where a vulnerability in one system is exploited to compromise another connected system.
- Manufacturers must prioritize data integrity by rigorously checking and validating all data entering and leaving a medical device to ensure its authenticity and security.
- For medical device manufacturers, carefully considering the extent of control they have over connected components is crucial in determining what falls under their interoperability security responsibilities.
- Restricting physical and logical access to interoperable ports and ensuring proper configuration of third-party platforms like EMR systems and cloud services are essential security measures.
- While proprietary protocols can be useful for novel technologies, leveraging battle-tested, open-source solutions like the DICOM toolkit for standard data transfers is generally preferable due to their proven security and active support.
Interoperability in medical devices introduces unique cybersecurity challenges, especially concerning "second-order attacks" where a compromise in one system can cascade to others. This episode emphasizes the critical need for medical device manufacturers and healthcare delivery organizations (HDOs) to address these risks. Key discussions include the accelerating trend of interoperability in healthcare, driven by the need for consolidated patient data and AI analytics, contrasting with the slower pace of security awareness. The hosts highlight vulnerabilities in widely connected systems, citing examples of misconfigured EMR systems exposed to the internet. For manufacturers, crucial considerations revolve around data integrity—validating all incoming and outgoing data—and securing communication channels like Bluetooth and APIs. The episode also touches on the debate surrounding proprietary protocols versus established open-source solutions like DICOM, advocating for the latter's proven security and widespread adoption. Ultimately, robust cyber hygiene and careful control over external components are presented as paramount for navigating the complex landscape of medical device interoperability.
Full episode transcript
Hi, welcome back to the Med Device Cyber Podcast. I'm your host Christian Espinosa. I'm here with our co-host Trevor Slatterie, and today we're talking about an important topic: interoperability and some of the cybersecurity risks associated with it. Any medical device is going to be deployed on a healthcare delivery organization environment, and it often has to interoperate—it's a challenging word—be interoperable with other systems on that environment. Anytime you connect one device to another, across a network, wirelessly, or via Bluetooth, that introduces more cybersecurity risk. So, we're going to go over that today and some of the considerations a manufacturer, as well as a healthcare delivery organization or an HDO, should consider.
Now, interoperability depends on the device. A blanket problem that can be present in a lot of devices, and that newer penetration testers won't be as experienced with, and a lot of cybersecurity professionals may not even be very familiar with, is the concept of a second-order attack. What we're really saying when we say a second-order attack is that you exploit a vulnerability in one system that compromises another system. So, you don't directly see the impact, but you're feeding in bad input or bad data into somewhere else, and then that triggers a problem.
For example, if I can exploit a PACS system that has DICOM files on it and modify those DICOM files, but those are ingested by a medical device, then we could infect that device with these infected DICOM files. Or, if I was able to somehow compromise this mouse and I made it send different Bluetooth signals instead of just operating the mouse like normal, it controlled input to do certain bad things on my computer. While I technically hacked into the mouse, I compromised my computer. That would be another example of a second-order attack. I think that can be a pretty big and prolific problem with medical devices.
The main reason being that even if the device itself is secure, so there isn't a problem that you can necessarily exploit in the device itself, a lot of components in a hospital might not be secure. A lot of components may not even be at the front of someone's mind for security, like a printer for example. I know every penetration tester has their war stories about hacking into printers in hospital networks. Every time I've been on a hospital penetration test, my first way in has been through a printer. So, if you have a medical device with a problem, you can potentially exploit that problem in a second component like a printer, an EMR system, or a workstation. I think that's a big concern with interoperability.
What I'm describing is a two-way street. You said a second-order attack from the perspective of somebody attacking the printer and then leveraging that to attack the medical device, or somebody attacking the EMR and that attacking the medical device. But it's also the other way around, right? Somebody can attack the medical device, and then that can attack the EMR or the PACS system or any other system on the hospital environment. It goes both directions. I'm sure a third-order attack is possible; it gets down to the complexity of a system. Once you get to a third stop, you can get pretty far removed from the first device that you're attacking. For instance, going from my mouse to my router, which is really far detached, might have some transitive component that you can jump through. I'm sure it is possible and very difficult to pull off, but it would be a pretty edge-case scenario.
When I did DoD stuff, the enemy would go from like one country to another country to another country. So, maybe go from Russia to a system in Korea that you've compromised, to a system in Malta, to a system in Finland, and then to the US. It's hard to trace that attack back to the source because it's being bounced through all these systems you've compromised. So, it definitely covers the tracks in that scenario, which would be more of a third or fifth order attack, tunneling through all these compromised systems.
I think we are increasing the number of devices that are interoperable from a medical device perspective. So much in a hospital environment or just in a healthcare organization is connected now. Everything hooks up to the internet in some way, or there's some connection between two components, or there's a hub for data transfer in one way or another. Everything plugs into an EMR system. I think that's a great thing. Of course, it introduces challenges from a security perspective, but from an operational perspective, it lets everyone have very easy access to information. It lets data transfers happen near instantly now, where before it took a long time, having to deal with faxes and passing around physical paper documents. So, data transfer is extremely fast; it can go very wide, very far, and spread out, covering a lot of ground really quickly. I think that's really helpful, especially in healthcare, where stuff can be time-sensitive.