Do No Harm. Matthew Webster
or WPA. This was back in 2003. Now WPA has had several different iterations—WPA, WPA2, and WPA3. WPA3 was most recently included in modern Wi-Fi devices in 2018. The upgrades in encryption are substantial between the versions, but each one was replaced partially because vulnerabilities were discovered in the system.
Vulnerabilities are not the only problem with Wi-Fi. Configuration is also a huge problem. Many systems are configured to be encrypted. This is important because anyone in range can sniff the traffic over that connection. Having performed many Wi-Fi assessments myself, I know it is a very common problem. Interestingly enough I was just reading about a case where the FBI warned against using hotel Wi-Fi for work purposes because of the often-lax security standards in Wi-Fi configurations.21 Not every company gets Wi-Fi security right. Combine this with hospitals using IoMT systems for extended periods of times, and old insecure protocols in Wi-Fi are required to support older devices.
But let us switch to cellular systems. Right now, we are seeing the shift from 4G cellular technology to 5G technology. For many devices switching from one technology to another is not a huge challenge—often, but not always, it is a feature that can be plugged into a motherboard that can be easily replaced. But, as you may have guessed, cellular technologies are not without their vulnerabilities that can be easily exploited. One of the black market accessible devices are “Stingrays,” which are also known as International Mobile Subscriber Identity “(IMSI) catchers.”22 They are capable of interfering with cellular communications. From a hospital's perspective this is extraordinarily dangerous because some of their systems are dependent on cellular communications. In security shorthand, this is an attack on availability.
Another weakness in cellular technology is something referred to as SS7 and the IP version of the protocol known as SIGTRAN—protocols designed more than a decade ago. They were designed without considerations to modern security. No one had envisioned the widespread use of wireless technology. The current 4G protocol is based on Diameter. Diameter, without getting too technical, is a protocol that enables validation of technology, and sometimes users, over a network. Now it is built on the internet protocol, but is essentially only marginally better. But what is worse, in early 2019, a new flaw was discovered that allows attackers to intercept calls and track phone locations. This is true for both 4G and 5G cellular service,23 despite the newer protection in 5G.24
Several more pages could be devoted to exploring the intricacies of vulnerabilities in cellular service, but the point here is that cellular technologies also have vulnerabilities as a key aspect of the technology. But let us turn our attention to short-distance wireless communication—with exceptions, this typically means Bluetooth. Bluetooth development was initiated in 1989 by Ericsson Mobile in Sweden. The purpose of Bluetooth was essentially for wireless headphones. Of course, the uses for Bluetooth have expanded well beyond that (yes, including medical devices) to the point where it is almost ubiquitous around the world. What is unique about Bluetooth compared to other technologies is that it is easy to trick users into allowing a connection to a device. This process is so common that it has a name—BlueSnarfing. This brings the fallible human element to the security of systems in the environment. But what is more alarming is the sheer number of vulnerabilities that have appeared over the years. At the moment of writing this, in 2020 alone there have been 49 vulnerabilities found in Bluetooth. Many of the vulnerabilities allow for access to the full system. Four of them are from the applications designed to help with COVID.25
If you extend the timeline back to 2002 when the MITRE corporation was publicly tracking the vulnerabilities, at the time of this writing, there were 388 vulnerabilities. As fantastic as MITRE is, this is far from a complete list. For example, on March 3, 2020, the FDA released a warning about a set of vulnerabilities known as “SweynTooth.” SweynTooth affected certain medical devices that utilized Bluetooth Low Energy—in particular, pacemakers, glucose monitors, ultrasound devices, electrocardiograms, and monitors. This was not listed by MITRE.26 In a worst-case scenario the vulnerability can stop a device from working, or allow an attacker to access the device functionality, which is usually available only to authorized users.27 While the attack would have to be within a few feet, the Homeland scenario of stopping a pacemaker does not seem so farfetched.
The SweynTooth family of vulnerabilities was linked in part to manufacturers of microchips. Think of a microchip as a tiny part of a motherboard. This means that the fault may not be with the makers of the motherboards, but with some of companies that help with subcomponents of the motherboards. The challenges from a security standpoint are widespread to say the least.
NFC has a very short range—roughly 4 inches. As a result, it has a very unique place within the arena of connected medical devices. Some of the applications of NFC include logical access to medical information, Intelligent ID bracelets, tagging of medications, physical access, and so on.28 The tagged ID bracelets and other such items do not store medical information. That reduces the risk considerably, which is a good thing because there is no authentication within NFC. The risks concerning NFC generally are around two devices in active mode—where information can be transferred. For many uses, NFC is typically in passive mode for tagging purposes. While it is a huge help for hospitals, from a connected medical device perspective, the risks tend to be lower, but not zero. For example, in 2019, Android devices had an NFC vulnerability that exposed the devices to malware attacks and, worse, privilege escalation (which means anyone can do almost anything to the device).29 In most settings this is not a huge risk, but if you had a device that uses NFC, that could be a risk to all the other systems the device was connected to. In some environments, this includes protected health information.
Wired Connections
Wired networks have a very different security concerns than wireless networks, generally speaking. People can use devices to snoop wireless traffic, pretend to be an access point you would want to connect to in a local coffee shop, and so on. Wired networks, from a healthcare perspective, are generally where there is an aggregation of devices—where all the IoMT devices are located. Wireless networks are also where some of the other more breached systems are located. There are a host of problems related to wired networks, which will be discussed in Chapter 10, “Network Infrastructure and IoMT.”
The Cloud
Twenty years ago, most companies had their own electronic infrastructure to store, process, and transmit information. They had independent servers that had a one-to-one relationship to the operating system. Later, virtualized operating systems hit the scene, so many servers could be on one system. Now, due to business advantages, many companies utilize cloud services for the same purpose. In the cloud, systems are divided virtually and logically in cloud environments. The economics of scale within the cloud make a great deal of sense for many companies due to a principle known as elasticity. This means that systems can spin up and down both servers and can add and/or remove compute power to meet immediate demands. While traditional systems have virtualization technology, what most virtualization technology accomplishes is the ease of scalability. Traditional systems have to purchase the computing power, storage, and memory maximum that are required. With the cloud, these maximums do not need to be purchased. In the end, for companies who need this kind of elasticity, the cloud makes perfect sense. Cloud has proven a lifesaver for companies that have had to shut down or reduce their footprint due to COVID-19. They don't have expensive equipment to power,