The medical devices in hospitals may not be the most common threat vector for a cyber breach – but the patient safety ramifications of one vulnerability could be significant.

Back in 2015, it was demonstrated at the BlackBerry Security Summit that infiltrating an infusion pump can give a hacker the ability to administer a lethal dose of morphine.

But a recent whitepaper released by health IT firm The AbedGraham Group and cyber security specialist NCC Group sheds light on how one specific vulnerability could leave patients in hospitals open to harm.

“With the increased level of medical device connectivity to mission-critical systems, it is reasonable for healthcare organisations to be concerned that compromise of these devices can have a more substantial and scalable impact, potentially affecting clinical delivery and the safety of patients at scale,” the report said.

“Bad actors have a wide range of options when choosing which assets to compromise with varying results given their level of preparedness, the complexity of attack, and degree of disruption they wish to cause.”

The report explained how a critical vulnerability present on a BIG-IP Load Balancer made by F5 Networks disclosed on July 1 2020 could give unauthorised access to a network.

From a minor delay to a patient awaiting care to an organisation forced to divert a large volume of patients to external healthcare providers, NS Medical Devices looks at the two case studies identified by researchers and how they could cause patient harm.

 

The metrics of risk related to cyber vulnerability in hospitals

The AbedGraham Group and NCC Group broke the potential risk of a cyber breach in a medical setting into four main categories:

  • Clinical Risk pertains to the potential severity of patient harm that could occur
  • Organisational Risk pertains to the level of clinical workflow disruption or service shut down that could occur
  • Financial Risk pertains to the potential level of recovery and regulatory costs, as well as revenue losses that could occur
  • Regulatory Risk pertains to the severity of intervention from regulators following disruption and degree of reputational damage

High risk of delayed care

If breached, the F5 BIG-IP Load Balancer – which directs inbound traffic for a web application hosted across several severs – would allow unauthenticated users to read and write files, execute commands and disable services, as well as giving them the ability to spread throughout the network of connected devices.

Although the potential risk of clinical harm was at a medium level, rated by the researchers at 6/12 due to the potential for hackers to move to mission-critical devices through the network, the organisational disruption that could lead to delayed care was rated higher at 8/12.

“In this case, the largest degree of disruption to the organisation would likely be to the administrative workflows and communication between the hospital and community, should web traffic from the organisation’s website be compromised,” The report said.

“This may result in a delay in a certain cohort of patients making it into the hospital setting and receiving timely care.

“Moderate financial and regulatory risks would be likely due to delays in these patients being transferred to the hospital, potential re-scheduling of appointments and other associated revenue and remediation costs.”

A vulnerable electronic health record system

In the second case study, the report outlines a more severe scenario, in which the electronic health record system of a healthcare provider is connected to the F5 BIG-IP Load Balancer, giving a hacker access to protected medical information.

This access could also lead to the potential of delays in clinical information gathering and decision making, which could have clinical consequences, hence the researchers giving this threat vector an 9/12 for clinical risk.

Due to the decreased productivity across the entire estate (applicable to most clinical and administrative settings), the researchers also believe this would have knock on effects that would be associated with relatively higher risks in the other financial (8/12) and regulatory (8/12) categories. 

“The key issue associated with compromise of this asset with such a high scoring vulnerability is the resulting decrease in clinical productivity, resulting from a delay rather than cessation of service provision,” the report said.

“As the asset is connected to a key mission-critical application that supports both clinical and administrative workflow at scale, the extent of disruption and risk of spread is of higher concern.

“Compared to use case one, this would impact a wider range of activities across inpatient, outpatient and community related settings.”

Although traditional concerns have been focused primarily on the risks associated with individual medical devices like the infusion pump in Blackberry’s 2015 demonstration – the report from The AbedGraham Group and NCC Group shows that the impacts related to network infrastructure should not be overlooked.