- May 08, 2015
- Info notes
Life support systems in hospitals are increasingly connected to some kind of network. They are also often vulnerable to basic attacks. A very short attack chain could have life-threatening effects. This paper describes such an attack chain, and gives mitigation recommendations for manufacturers, integrators, and systems administrators.
Hospitals increasingly use specialised pumps to dispense potentially dangerous drugs such as strong painkillers. These pumps allow the patient to request a stronger dose, while also preventing overdoses. Such a pump can be reached using a telnet client without providing credentials. The user can then manipulate all parameters of the pump, including maximum dosage. Fiddling with these settings can have life-threatening consequences. These devices are networked for convenience: hospital staff can configure all the pumps in a unit – or even a whole hospital – from a single computer, instead of having to go from room to room and use the buttons on each pump. This computerised procedure saves time, and it can be argued that it is less error-prone and thus safer.
Hospitals are by definition fairly open places. Visitors can roam freely in a significant part of the premises. The sight of a computer in a patient's room is commonplace now, with internet access being available in every room. An attacker can thus easily connect a laptop to the network, scan for vulnerable pumps, and exploit them. The attack chain can literally become a Kill Chain. It's not just morphine pumps that are vulnerable. A study conducted one year ago showed that many pieces of equipment found in hospitals could be exploited. With a bit more effort, attackers could gain access from abroad by exploiting common vulnerabilities.
Hospitals are just the tip of the iceberg. Project SHINE searched for industrial systems exposed to the internet. The project found more than 180000 "lightly configured" systems, made by 207 manufacturers, ranging from HVAC to SCADA systems.
Manufacturers of life support devices bear the responsibility of making sure that they do not endanger patients' lives. If including networking in a device brings significant benefits, manufacturers should:
- Ensure that the device is free from common vulnerabilities and access is restricted to authenticated users;
- Adopt secure development practices, and implement a Secure Development Lifecycle;
- Document how to secure and operate their equipment.
Hospital equipment is often installed by integrators rather than by the manufacturer. Integrators have the responsibility to install equipment in a secure way, closing the doors necessary for easy installation:
- Change default passwords;
- If possible, restrict IP addresses that can access the device;
- Train local systems administrators and users in the secure use of the device.
For Network and Systems Administrators
Network and Systems Administrators in a hospital have to balance ease of use for medical personnel against the security and safety of the patients. This is most easily done at the design level:
- Put life support devices on a separate, firewalled, LAN
- Prevent internet access from the workstations used to configure the devices
- If that is not possible, restrict web access for these workstations, e.g. through the use of a filtering proxy
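An added example, not part of the ENISA note: a check over firewall flow records that verifies the design-level controls above, namely that only the configuration workstations reach the device LAN and that those workstations do not reach the internet. The addressing plan, the record format and the finding names are assumptions made for illustration, and the sample records are constructed.

```python
import ipaddress

# Assumed addressing plan (hypothetical, not taken from the note).
HOSPITAL_NET = ipaddress.ip_network("10.0.0.0/8")
PUMP_LAN = ipaddress.ip_network("10.20.30.0/24")          # separate life support LAN
CONFIG_WORKSTATIONS = {ipaddress.ip_address("10.20.40.5")}  # allowed to configure pumps

# Constructed firewall flow records: timestamp src dst dport action
SAMPLE_FLOWS = """\
2015-05-08T09:00:01 10.20.40.5 10.20.30.17 23 ALLOW
2015-05-08T09:02:13 10.50.1.88 10.20.30.17 23 ALLOW
2015-05-08T09:02:14 10.50.1.88 10.20.30.18 23 DENY
2015-05-08T09:03:40 10.20.40.5 203.0.113.9 443 ALLOW
2015-05-08T09:04:02 10.20.40.5 10.20.30.19 80 ALLOW
truncated record
"""

def audit_flows(text):
    """Return (line_no, finding, src, dst) for flows that break the segmentation policy."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5:
            continue  # skip records that do not match the assumed format
        _, src, dst, _, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip records with unparseable addresses
        if dst_ip in PUMP_LAN and src_ip not in CONFIG_WORKSTATIONS:
            # Only listed workstations may talk to the device LAN. An ALLOW here is a
            # firewall gap; a DENY means the control held but the source needs a look.
            kind = "unlisted-source-allowed" if action == "ALLOW" else "unlisted-source-blocked"
            findings.append((line_no, kind, src, dst))
        elif src_ip in CONFIG_WORKSTATIONS and dst_ip not in HOSPITAL_NET and action == "ALLOW":
            # Configuration workstations should have no direct internet access.
            findings.append((line_no, "workstation-internet-access", src, dst))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```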
About “Info Notes” from ENISA
With the “Info Notes” series ENISA aims at giving the interested reader some background and recommendations about NIS related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible courses of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or request more information on the “Info Notes” series (firstname.lastname@example.org).