The US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, ICS-CERT, just published a medical device security advisory for products from Silex Technology and GE Healthcare.
These products are the mainstay of EKG monitoring in healthcare systems today. They may also be used in equipment for remote or at-home monitoring.
Researchers have published proof of concept code for two reported vulnerabilities:
- Improper authentication – CVE-2018-6020; and
- OS command injection – CVE-2018-6021
ICS-CERT reports a low-skill level attacker using publicly available exploits can remotely exploit the vulnerabilities to send operating system commands to these devices, to modify system settings and execute remote code.
These vulnerabilities are built into a number of in-use EKG machines and wireless bridges for EKG monitoring. If you can get on the same network as one of these devices, you can inject commands to run on the operating system, which means (in theory) you can manipulate the medical device and what it reports with relative ease.
It’s not hard to picture an action movie type scenario where an assassin hacks an EKG to fake a normal heart rhythm and then moves in to kill the target. Fortunately, a new firmware version is scheduled to be released soon that mitigates the vulnerability.
Growing IoT Risks in Healthcare
The more we integrate IoT devices into the medical field, the greater the risk. Losing data to hackers is bad, but creating situations where a hacker halfway around the world can manipulate somebody’s medical monitoring using a publicly available exploit is a whole different ballgame.
In my opinion, it can’t be stressed often enough… we need to get ahead of the growing risk posed by internet-connected healthcare technology.
To speak with an expert about your security concerns and questions, contact Pivot Point Security.