The Hacker Mind Podcast: Hacking Healthcare Systems

Are we doing enough to secure our health delivery organizations? Given the rise of ransomware attacks, one could day we are not. Karl Sigler from Trustwave SpiderLabs, talks about a new report that his team has written that is focused on the threat landscape for medical devices and the healthcare industry in general.  

‍

The Hacker Mind is available on all podcast platforms.

[Heads Up: This transcription was autogenerated, so there may be errors.]

‍

VAMOSI: Late in 2022,  US President Joe Biden signed an omnibus spending bill that included within it the Protecting and Transforming Cyber Health Care Act of 2022, better known as the PATCH Act. What this Act does, among other things, is codify into law the basic cybersecurity necessary throughout the lifetime of the medical device. You would think that would be a given, but it has not been the case.

‍

In the United States, we have had the Health Insurance Portability and Accountability Act, better known as HIPAA, since 1996.  It doesn’t really cover tech; it allows you to protect and move your health information from one insurance carrier to another. Since the US doesn’t have national healthcare, HIPAA was designed so that patients could receive continuing care as they change plans, doctors, even employers. It did not define the security of the medical devices used.

‍

The tech, then, came in part in another piece of legislation, the Health Information Technology for Economic and Clinical Health or HITECH Act of 2009. It was designed for the technology that would digitize health records in the US to help with HIPAA. It began to define some criteria that electronic medical records and the devices used before receiving FDA approval. Unfortunately, like HIPAA before it, HITECH was also inadequate and also misunderstood in the health delivery organizations. It really didn’t extend beyond the accounting systems. For example, what about medical devices themselves?

‍

In general,  within healthcare, there has been a lot of confusion around updating medical devices to the latest software version -- even if a vulnerability has been identified. After all, once a device had been certified for use by the FDA, it was assumed that the certified device should not be updated. Ever. 

‍

Think about that. When you have a one million dollar MRI sitting in the next room, you don’t want to change anything lest it stop working. That thinking is clearly wrong, yet that is why you still see devices operating with Windows 7 in some health delivery organizations today. And that is not good. Microsoft stopped supporting Windows 7 in April 2013. That means any new vulnerabilities found in Windows 7 have not been patched by the software vendor. That means there are vulnerable medical devices out in the world, all because of a misunderstanding of the previous law.

‍

Starting October 1, 2023, new medical devices offered for FDA certification will need to conform to new practices, including liability for software in the device. And the timing couldn’t be better. 

‍

At the end of 2022, over the holiday season, ransomware struck a pedantic center in the heart of Toronto, crippling their communications systems. I mean come’on, who targets a hospital full of kids over Christmas?:

‍

CBC:

‍

But here, the ransomware operators saw the news and quickly reversed itself, saying a franchisee had attacked the hospital in violation of its terms. Apparently, even the bad actors have some ethics.

‍

CBC: 

‍

Unfortunately that truce is no longer. Ransomware against hospitals is again on the rise and my next guest will talk about all of this. I hope you stick around.

‍

[music]

‍

Welcome to the hacker mind, an original podcast from the makers of Mayhem Security. It’s about challenging our expectations about people who hack for a living. I’m Robert Vamosi and in this episode I’m discussing the rise in attacks against health delivery organizations and medical devices and what IT departments can do to defend themselves.

‍

[music]

‍

VAMOSI: Perhaps we don’t think of healthcare as having a lot of cybersecurity issues. And perhaps they don’t. But in recent years we’ve seen a rise in ransomware. And it’s targeted the health delivery organizations that are out there. Why? Because there’s no escaping ransomware. 

‍

SIGLER: So my name is Karl Sigler. I'm a senior security Resource Manager at Trustwave Spider Labs.

‍

VAMOSI: Trustwave is a cybersecurity company. Karl works for one of Trustwave’s divisions.

‍

SIGLER: Trustwave Spider Labs is a sure place security services organization. We primarily provide managed services to customers who maybe don't have the resources in house to run their own IT team or security team or maybe they want to enhance what they currently have. So we mainly manage security services. My side of the house on spider Labs is pure research. following trends monitoring the underground we handle the responsible disclosure process here. So when our researchers find vulnerabilities, it's my team that reports them to the vendors and makes sure there's a patch in place. So I'm on the research side of the house and that research into trends, emerging threats, etc. Go directly into our Managed Services team.

‍

VAMOSI: Karl and his team have been working on a new report, this one focused on healthcare. 

‍

SIGLER: We've been getting requests from our customers for something that is more specific, pre pandemic. It's a dividing line these days. We had a global security report that was released yearly, it would basically package up the previous year's trends. A lot of security organizations do this. It's still common practice. We've had really high just diminishing returns. So based on the investment of time that we put into it, and the value that we think it provided our customers and the community in general, just really wasn't worth it. We wanted to do something that was a little bit more fine tuned, more agile and more specific than those general broad brush reports. So we're focusing on quarterly threat reports instead of yearly reports, and we've been focusing on very specific topics, starting with this healthcare report, and then moving forward we're gonna be doing a lot of industry vertical reports, things that are specific to what we've seen for specific industries that we work with as customers and this one coming out is the healthcare one.

‍

VAMOSI: I want to dive into the ransomware certainly, you know, going back to like wanna cry, which seemed like that was an accident, hitting healthcare. Here’s the BBC NEws interviewing then Home Secretary Amber Rudd.

‍

BBC NEWS:  ANCHOR: Can you give us the figures as you understand this stage about how many hospitals. How many trusts are affected?

‍

RUDD: Well we understand that 45 have been affected out of several hundred and most of them are being very cautious about this some of them are making changes some of them aren’t some of them are managing to carry on with their daily work despite these difficulties but can I also just point out that this this particular attack this cyberattack hasn’t been particularly focused on the NHS it’s been a worldwide attack it’s affected a hundred countries different organizations but it’s just in the UK that’s been particularly impacted on our NHS

‍

VAMOSI: Since there, however, we've seen a target on healthcare, and I'm wondering what research you have around that supports that?

‍

SIGLER: Yeah, I mean, I think that's probably during the pandemic. We were definitely looking for a lot of uptick in trends, right. We really expected to see a lot of compromises and a lot of threat actors acting in the healthcare space. And that actually wasn't quite true. We actually saw a lot of ransomware groups that when they discovered that they had attacked, or one of their affiliates had attacked a healthcare organization or a hospital a lot of times they're basically affiliated. Ransomware keys were provided in some cases. And that's changed quite a bit. Now. They are actively pursuing healthcare organizations, for a variety of reasons, but we've seen that change dramatically. Again, like probably about two years ago. These organizations were handing over keys to ransomware that just this past year, group of ransomware ransomware group threatened to release the pictures of breast cancer patients that they had hacked from a healthcare organization just to up the stakes right off the overall stakes that that healthcare agency or organization was facing, and we're gonna see a lot more of that P Hi, rather than PII. So, personal health care information. It's a it's a commodity these days and a lot of people are wanting to add to the underground for again, a variety of different reasons.

‍

VAMOSI: So with ransomware, it can be a two pronged attack were the first one is it denies you the data by encrypting it and the second it might exfiltrate and then try to extort you with the release of that information. Is that correct?

‍

SIGLER: That's, that's exactly correct. And they've only added that second sort of stage relatively recently. It used to be that just locking down your primary information, your most valuable databases, your customer databases, your employee databases, that would be enough to compel organizations to pay the ransom. These days, organizations are getting a lot better protecting themselves against ransomware you know, good backups, segmented backups, so you can restore data if it does get encrypted and they sort of adding a second stage just to you know, hedge their bets and make sure that even if the ransomware itself wasn't compelling enough, the idea that they exfiltrated important information that is going to ruin your reputation and possibly open you up to legal concerns. That will compel organizations into paying the ransom. So that two pronged approach. It's been profitable for these threat actors. So I expect to see more of it in the coming years.

‍

VAMOSI: So the report states, roughly 24% of all ransomware in 2022 I'm surprised we've gone from during COVID not attacking and almost apologizing when it happens to now just give me the money.

‍

SIGLER: Yeah, Nobody says that. You know, threat actors had a lot of morals or ethics and maybe that was just a little goodhearted move for six or seven months there. And now they're back at the money they're back into the money game. It's unfortunate, but I think we'll see an increasing trend that way. I think the only thing really helps prevent that are organizations that have good best practices in place, proper segmentation and access controls that will prevent exfiltration of data, or at least you'll get audited. You'll have auditing in place and be notified when confidential data is being exfiltrated. So just being able to stop the exfiltration process, maybe it will stop at the second stage of these attacks. But again, it's difficult and these organizations tend to be very, very large. And what we used to consider just the hard perimeter is now very desperate and disparate and across a lot of different geographies and homes and you name it, it's all over the place.

‍

[MUSIC]

‍

VAMOSI: So I've had this conversation with a few people. I'm wondering where you fall in this are hospitals a flat organization, are they still early, segmented?

‍

SIGLER: They're heavily segmented. Just internally for their organization. They're segmented, where they probably shouldn't be. You have independent individual silos of teams that don't necessarily communicate properly with each other. And that is not properly siloed or segmented, where they shouldn't be. For instance, it often gets put in charge of security as well. And that's never a good idea. The IT teams and security teams should be separate because they have different goals. You know, your IT admins, they want to make sure that availability is their primary concern. You want to make sure the network's available. You wanna make sure your services are available. Your email is available when you log in in the morning. Security professionals have a different view of things. And when you mix those two jobs up, you end up with IT people that will delay security concerns because it may affect the availability of the services they're currently offering. You got to put the conflict there. And then in other situations, you have people that are in charge of, say, hardware devices on the network, maybe monitoring devices, medical devices, etc. And that may be an entirely different team and the team that manages the network switches and the servers and the internal infrastructure. And if those two teams don't talk to each other, and especially work in parallel to prioritize their security concerns, there's going to be chinks in the armor.

‍

VAMOSI: Given that you said it's segmented and that they're segmented backups are do you have any evidence on which parts of the hospital may be targeted more than others?

‍

SIGLER: That's hard to say. I'm not sure that I think once they started to target a healthcare organization either directly you know that they're doing the recon, they decided that this healthcare Canvas is exactly what they want. At that point. Once they decided on the targets, I think they'd become much more opportunistic. They look to the holes that are going to be the biggest gaps in the network, the ways that they're gonna be able to get that foothold into the network. And then from there, they'll start probing around for valuable data. They're always after PHR. They're gonna be looking for database systems. They're going to be looking for medical imaging systems. And whatever access they have for that, they'll try to probably exfiltrate and or encrypt the data at that point in time. So I think that the initial target right doesn't necessarily specify what the compromise is going to be. The compromise is almost always going to be opportunistic, often, typically through phishing or spear phishing attacks. And then once they get that foothold, they're going to start to specifically explore and probe the network. And again, they're looking for those big databases, and then anything internal to controlling the network. So they can maintain persistence, right? So active directory systems, hitting network credentials for routers, and the like. These are all goals. And there will be reconnaissance and attempts to exploit each of those areas and probably every single compromise unless they have very, very specific goals in a case.

‍

VAMOSI: So with these ransomware groups, are there any that are focused specifically on healthcare?

‍

SIGLER: That's a good question. I think we've seen some of them. focus a little bit on health care specifically, I'm thinking of, I mean, clop was all over the place with move it but they, you know, they were targeting a lot of big organizations with that health care was definitely one of them. verticals, the other ransomware groups, it depends, it depends really, I think that none of them wants to focus on any one specific industry directly. But I think healthcare is just become so such a tantalizing target, because of the wealth and the value of the information there and the complexity of the networks and when you have the complexity of those networks, you just have you're going to find chinks in the armor you're going to find ways in. So I think we're seeing an uptick in healthcare attacks recently. You know, the good heartedness of the pandemic has worn off the realization that there's a lot of money to be had grabbing information there, whether it's directly from the hospital by extorting them or selling that information or both. Yeah, I don't think any one organization is specifically targeting healthcare organizations, I think all of them are realizing that it's a very valuable target to hit. And if you're successful at it, the returns are going to be putting acid

‍

VAMOSI: some of these are kind of still collateral. There's supply chain attacks such as Move it

‍

SIGLER: Yeah, and, and move it, you know, move it, I wouldn't necessarily consider a supply chain attack like SolarWinds necessarily. It was a vulnerability that was discovered by Bob. So it's more of a zero day vulnerability attack that was discovered, but we still have to be concerned about all of this right? We are more than ever before. I think that every organization works with third parties with software vendors, with so many different participants, that you know, things get lost in the cracks. When you have complexity, complexity is the enemy of security. So in these cases, you know, we have these situations where you're getting hardware devices from various companies and even trustworthy companies are getting affected. SolarWinds is the big name in network monitoring, and they were affected by this. Move it honestly I've never even heard of move it until the zero day came out. And then I saw how many organizations were using that software. Obviously that was going to be a big target and a lot of these small threat actors, they've discovered that. You know, they don't necessarily have to target the 800 pound gorilla in the room, you know that they can target the small person delivering the bananas every day. They still got it right. So they're going to go after the smaller actors, they're going to go through those suppliers. And whether it's a, you know, some sloppy coding or you know, some missed code that provided a vulnerability that could be discovered, but whether they're actually able to infiltrate the organization directly, as was the case of solar winds and distribute out an hour's update. You know, when we trust those vendors so heavily, we have to do the security due diligence to make sure they're doing their best to lock things down. So things are out of our control. People trust SolarWinds I trust SolarWinds you know, governments trust SolarWinds and the fact that they were specifically breached the way they were those horrible events that are really not easy to combat or prevent from happening. But all that way, you know, when I compare these days healthcare is considered basically critical infrastructure. And when you compare healthcare organizations to say, utility organizations, water purification plants, these SCADA ot networks that we talked about. Hospitals are still a lot easier to break into than an electric grid Organ Company. Typically, for the reason that the software that the hospitals are using are all uniform and the same across the board. They're all getting their same medical devices from the same manufacturer; they're probably getting core software from Microsoft. They're getting all of these, you know, it's not very, as complex as let them be parsed there, but it's not really unique. In the case of a lot of SCADA installations, you're gonna find a unique installation at every single plant you go to, you know, there's no one. I develop this compromise and it's going to work across all of these electric companies. It's almost built in tolerance that way that I just don't see in hospital organizations. Typically with hospital organizations, the complexity and the uniqueness is really just chaos and insecurity and attacks thrive in chaos.

‍

[MUSIC]

‍

VAMOSI: Right and you touched upon hardware. A lot of the health care organizations share the same pieces of hardware because it's the only medical imaging device that's available for that particular niche. And then when there's a software breach, and that that becomes an entree point for the bad actors to get into the organization. I think your report called out something with the Canon medical imaging system and you know, the CVE that was attached with that.

‍

SIGLER: Yeah, that was a DICOM server. One of our researchers found a vulnerability in it was a cross cross site scripting vulnerability. It's generally considered relatively minor, but as a cross site scripting vulnerability in the administrative console, that web front end, and if you know how to work a cross site scripting vulnerability, well, you can get them to do pretty much whatever you want. So the fact that it was in the administrative console, and really all you have to do is compel and admin, just a little bit of reconnaissance, go to LinkedIn, find out who their head of, you know, medical imaging is, send them a custom email that gets them to open a URL, that URL will automatically perform some action in the administrative interface that will typically start exfiltrating data. They have persistence and a backdoor. And, you know, these DICOM servers tend to be publicly exposed as well. So that standard is available specifically for exchanging medical imaging information, you know, MRIs. You know, and the like. So, yeah, we were focusing on DICOM a bit. We found that vulnerability there. That kind of trio was really great at working with us. And patching is something that sometimes we don't see from defenders, we're working with them from a responsible disclosure process, but they're really good to work with and I'm definitely seeing a lot more of these manufacturers taking these things seriously. Now when we look back, God probably likes 2015 2016. There was always one ability in infusion pumps, insulin pumps, IV pumps and the like. 

‍

20:21 VAMOSI: In 2011, I was at Black Hat when Jay Radcliff presented his research on his own insulin pump. 

‍

RADCLIFF:   I have a five-year-old son comes up to me he says which work and I dad I said well I'm working on a presentation about my little medical device because he knows that I have an insulin pump and it gives me medicine all the time and I said I want to show that bad people can't do things to dad with that medical device and he goes you mean bad people like dr. doofenshmirtz I said well I wouldn't to be too worried about him but yeah so that my son went on and on about creating this inator and he was gonna come after me and he was going to render me dead and that's pretty much what we're gonna talk about today is the feasibility of this and at the end I'm gonna be doing a demonstration that shows that I can turn off insulin pumps remotely or the particular insulin pump remotely 

‍

VAMOSI: What Jay and others, such as Barnaby Jack found was that insulin pumps were basically wide open to attack, mostly through internet connectivity. Shortly before his death, Barnaby had announced he’d been able to mess with someone’s insulin pump from across a room. Here’s Barnaby on Bloomberg TV.

‍

JACK: I picked insulin pumps mostly just because of the ease of actually acquiring them we’re planning I’m looking at pacemakers and various other implantable devices but unfortunately it’s it’s it’s a little tough to just be able to pick up a pacemaker on the street

‍

REPORTER: So, Barnaby, take me through how this all works

‍

JACK: Ok so there’s actually a vulnerability in these devices typically to be able to communicate 

with them you don’t need to know the serial number I have a vulnerability which will let me acquire the serial number from any of these insulin pumps within an eight hundred meter range.

‍

VAMOSI: Whoa. 800 meters. That’s far. Someone in a crowd of people could have their pump jacked and they would have no idea who was responsible. Here the design was for convenience -- accessibility to monitor the pumps over the internet -- and not the underlying security or authentication of that communications. 

‍

SIGLER: Those systems just had an authenticated telnet open to them. They're exchanging data with an authenticated FTP. That's just clear text data going across the wire. But when that was reported that was not reported up to them going on eight years now. They declined that it was a vulnerability. They said that, you know, this basic best practices would avoid all of this. It didn't give the researchers even access to the back end to replicate or verify the situation. These days, these organizations are really buckling down. I think with a lot of compliance laws. You know, the fact that we have the fact that we have a lot of these health care compliance laws forced these organizations to sort of buckle down because these hospitals aren't going to be held accountable. They're going to be holding the bill at the end. If it was some hardware manufacturer that caused the compromise, they're going to let that liability trickle right downhill. So I'm seeing a lot of these vendors start to take the situation a lot more seriously. And we're seeing better responses from them. Overall, I think that the industry as a whole is maturing quite a bit. Still have a long way to go.

‍

VAMOSI: It's maturing, but there's still like the patch Act, which passed at the end of last year which is now conferring on to the manufacturer, the liability and the responsibility for updating the equipment and keeping it even after what they would consider end of life.

‍

SIGLER: Yep. And, and this is, this is certainly these are the types of tricks that some vendors play, you know, they'll say, Yeah, I'm not gonna patch it. It's just the end of life. We don't support that version anymore. There are a lot of devices that we're still using Windows XP as the base operating system, even after Microsoft was no longer providing patches for Windows XP and all of the vulnerabilities that have been discovered in the Windows platform since then. So yeah, a lot of these, you know, these new regulations and laws that are coming out are in specific response to how vendors sometimes play these games to avoid the responsibility of patching their things. And it's a hard job on that side as well. I mean, these, you know, infusion pumps, these IV pumps that may be vulnerable. They're not generally directly connected. To the internet. It's not like your home router, where you know, when that gear has a new update, it just pushes it down to all of the routers and you're just patched whether you know it or not, there's no automatic patching of this. 

‍

VAMOSI: Have you noticed a shift and I'm not sure how long you've been looking at healthcare in particular but in going from networking among themselves to networking to the internet in terms of exploitations and so forth?

‍

SIGLER: Oh, absolutely. Absolutely. You know, it was rare back in the day that you would see any of these hospitals connected up to the internet at all. And then they might have one or two terminals where you know, it'd be good if we could do a little bit of research. Maybe a Google search. And then that just went too well, you know, I just have my phone out then and access the internet that way and it's still connected to the Wi Fi. And then you have work from home. You have a lot of people, maybe administration staff that's going to be working from home. They're going to have to have internet access to continue to do that. Work, and they're gonna have to connect up to systems in the hospital network over the internet. And then, you know, the people that are pushing those new policies out, maybe they don't realize that you should be having a VPN as well. Just getting access alone was a hard enough problem trying to teach all of your users how to use VPNs. Oh, then you want to use two factor authentication with that as well. I mean, the problems can sometimes seem insurmountable, and that's where we end up with these security holes. So the probably the past decade, hospitals have been getting online, and in more ways, more and more often to the point where you know, they've got 1000s of connections in and out and all kinds of avenues of getting in and out. Whether it's just with a portable device, whether it's with direct access, whether it's with a misconfigured firewall or subsistence reluctantly outside of it. All kinds of things that could occur.

‍

VAMOSI: And then the devices themselves are connecting to the internet. And so when can mount up shoden And take a gander at how many people are using the Siemens device? You know, that it's exposed and not really hardened?

‍

SIGLER: Exactly. Yeah. And a lot of these medical devices are specifically directly connected to the internet for remote monitoring and remote care. You know, if you're having an issue, do you really want to be, you know, waiting for your doctor to move on with some other hospitals to come to you? The ease and efficiency of technology makes things a lot easier. It just does and that can have an overall health benefit in general. That said ahead. If we are getting this efficiency, and we're getting this ease, and we're getting this additional health benefit without working on the security element there. We're not doing anybody a service. You know, we're going to put people at risk at that point. You know, we've seen with pacemakers, right so there's some pacemakers where just by accessing the back end, administrative system, you could actually modify how this pacemakers were working. And that backend system was how doctors monitor their patients, pacemakers, a good thing. But again, we're seeing these new features being pushed out, remote monitoring without necessarily the important security controls being put in place, code signing encryption in place encryption, and transit, all the things that we talked about.

‍

{Music]

‍

VAMOSI: So we've talked about the devices. We've talked about the software, but what can a healthcare organization do that seems insurmountable given all the moving parts and pieces that are making up the problem?

‍

SIGLER: And it can be a very difficult problem, which is why, you know, a lot of generic advice is just that generic, and a lot of people will just say, Okay, well, it doesn't really apply to us. You have to start someplace. Right. I think that probably just deciding that security is an issue or maybe finding the security board that you've already set up a couple of years ago because you decided security was an issue. Make sure that that security program is healthy, that people are participating in it, and that it has plans. You know, all the basic Best Practices still stand to find out what your inventory is, what are on your networks. After that, you can decide what of that inventory is most valuable to you, and start working at risk reduction from the top down for the most valued systems to the lowest systems. But if you don't know what your inventory is on your network, you don't know what devices are there. How many infusion pumps you have, how many pacemakers connected to your administrative console. You don't even know where to start. So I always recommend that organizations start with a good process for figuring out what your current inventory is, and a process that's formalized to keep on going. Thumb on what the inventory continues to be because networks are dynamic, they're never stolen. From there. You can pretty much start to carve what your threat posture looks like once you know what you have what data you are storing, what's most valuable to you, what would be most valuable for attackers targeting you, then you can start putting security controls in place.

‍

VAMOSI: So this might be anecdotal or opinion, but is there a shortage of security people in the health care organizations that you've seen?

‍

SIGLER: Definitely, definitely. And I think there's a shortage of security people everywhere. There are a lot of younger generations coming up and I love to see what these kids are doing. I call them kids. They're in their 20s. Now by but, you know, they're doing some really great stuff. But I think in general security at any organization is such a difficult and unique problem at every organization. That even when people do get talented security people in the organization they have a hard time retaining, they have a hard time keeping them because the resources aren't invested. So hey, we hired this amazing security person there. They're going to be doing braids, you know, she's got 20 years in the industry and she's gonna lock everything down. You know that. The joke back in the day was that, what security team have one? It's a scapegoat. So they're hiring this person. There's the they're providing, like, look at how serious we're taking security now. But then that person gets no resources. It's no budget. It's no team to work with. It's no direct contact with board or administrators. Or even you know, how the business model is set up for that specific organization. So I think there is a definitely a talent that we definitely need a lot more people in the security industry, but I think there are a lot of really great security people out there that are just getting burned out. Because they just aren't getting listened to. I'm still getting a lot of the same advice that I was getting in the 90s and and will probably give you that same advice and another 10 years out.

‍

[Music]

‍

VAMOSI: So what can be we do about this? Karl mentioned auditing, and I know that's kind of intimidating, particularly as I just said, the diversity of what a healthcare organization is dealing with. It's not as simple as just running in math or anything. It's it's requires a little more nuanced than all of that.

‍

SIGLER: Oh, yeah, it's, it's very difficult if we could just run NMAP and just dump the X. The output to CSV will be great, but no, I and there's all kinds of situations where we see things where systems are set up as just ipv6. They don't even have an ipv4 address so they sort of fall through the cracks. If you're not looking for ipv6. Heck, we ran into one network that still had a Novell network running IPX would they IP IDX bridge for some legacy finance system that they had. So finally, these systems can be very difficult. You have to talk to people you can't just run an automatic scan. It can be extremely difficult to get them which is why a lot of people don't maintain a proper inventory. But once you figured out how to do it for your organization, write it in stone and keep it up because starting over from scratch again, it's just it's a no win situation.

‍

VAMOSI: And sometimes, just to make a winnable proposition, some audits begin to exclude things that should be excluded. 

‍

SIGLER: So the hospitals actually have to take the proactive measure of figuring out what they have. inventory itself is a hard issue. Figuring out what level it's at what patches are available, and keeping that up to date ongoing consistently. And a lot of them are just informal processes kept on Excel spreadsheets. It gets lost when you have that type of situation. I think, might have been Juniper recently. That's a scan of about 200,000 medical devices as part of some research that they were doing, and discovered that 75% of them did not have patches installed that were already available. So despite the fact that the patches were available, people aren't aren't applying them. You know, we see that regularly in networks. But in when you're talking about medical devices, and we're talking about healthcare networks, there's so much that so many things that people don't think about, you know, they're changing bursts because there are compliance laws that they have to work with, you know, they can't take the chance of blue screening a system because the patch was faulty. So they have to test those patches out first, before they can put it on the system because there's there's lives at stake here. So they will not make any changes unless they absolutely have to. Unfortunately that posture also introduces a lot of risk and security issues as well. So it's, it's a hard thing, but it's you know, it's something that we really have to take seriously because as bad as patching is with just physical systems where we can do a network scan with these medical devices, often they're even excluded from from the scans to find out what's out there.

VAMOSI: So I'm curious, you said ipv6 and I'm still thinking that that's in the security by obscurity column. But apparently it's gotten more mainstream.

‍

SIGLER: Because everything gets an ipv6 address, whether you like it or not. A lot of you know we see situations in fact, there's a blog post, I can send you if you're interested. We actually talked about this from our Red Team pen test side, because they see this all the time. And we find that in trying to lock down a network administrator say oh, you know, this system doesn't even need to be connected to the network. So just remove the IP address. The only remove the ipv4 address and the ipv6 is still there. So we start to see these lone ipv6 addresses. And when we investigate the system, the network owners like that's as soon as you get on the network, what are you talking about? Everything has an ipv6 address it just unfortunately, a lot of us don't realize that because we really, really should. It definitely opens up holes.

‍

VAMOSI: And attackers are looking at ipv6. They are targeting systems.

‍

SIGLER: You better believe it? Absolutely. They they know about those holes. They know about those gaps. And if they see anything a little bit unique one off ipv6 is definitely better than 8000 or 800. IP before us. something interesting is going on there. That's the definite red flag.

‍

VAMOSI: A lot of this information is not healthcare specific, right?

‍

SIGLER: Again, you know, this is healthcare specific, but there's a lot of information in here that I think is applicable across all industries. I don't think this is necessarily specifically unique to healthcare. I mean, obviously, your hospitality industry isn't going to have any infusion pumps. But, you know, the general attack flow, the general gist and how these threat actors operate, I think is really pretty much across industry. So I think there's a lot of information in here in general, and hopefully, it's a no a call to action to just take a look at your security organization. Make sure that it's working the way it should be. Have a meeting and talk and make sure that people are paying attention to

‍

VAMOSI: I’d like to thank Karl Sigler for talking about hacking healthcare devices and the rise of ransomware against health delivery organizations. 

‍

The Hacker Mind is brought to you every two weeks commercial-free by ForAllSecure, makers of Mayhem Security, an application software testing solution for applications and apis.  Learn more about Mayhem at mayhem.security.

‍

For the Hacker Mind, I’m Robert Vamosi.

‍