Hackers of India

BREAKING BAD: STEALING PATIENT DATA THROUGH MEDICAL DEVICES

By Saurabh Harit on 06 Dec 2017 @ Blackhat


Abstract

This talk discusses the risks of connected healthcare devices. It looks at the benefits of adopting IoT for medical devices, current exposure, common communication channels in use as well as interconnectivity approaches used with other critical components. Based on output from security assessments performed against medical devices widely deployed at various hospitals and medical institutions, I will present an in-depth analysis of the target medical device and elaborate on how I was able to compromise it to gain access to a plethora of medical records from all the medical institutions it was deployed at and not just the one where our target device was hosted.

I will introduce the threat surface exposed by various medical devices and present some of the real-world attacks against some popular devices & their impact on humans as well as the overall ecosystem they are connected to. Some devices rely on proprietary hardware on licensed bands, which reduces the risk of interference from consumer connected devices, but doesn’t provide security as implied in marketing materials. Others rely on standard Wi-Fi security measures for confidentiality and are prone to MitM attacks. Healthcare devices that implement IrDA could yield interesting results when interfaced with cheap $10 hardware.

There are many consumer items that fall under the umbrella of IoT, and while it may be hard to understand the impact of hacking a toaster, we can all agree that manipulation of a medical device could lead to rather serious consequences. Apart from putting a patient’s life at risk, an attacker could compromise a healthcare device to steal patient data. This presentation will primarily focus on the latter with real-world examples and a case study. I will demonstrate the compromise of a healthcare device to steal medical records, which typically include PII, health insurance data, medical history, SSNs, prescriptions, etc.

AI Generated Summary (may contain errors)

The speaker discussed their research on the security of an infusion pump, a medical device that connects to a network. They were able to send specific messages (types 2, 8, 20, 2008, and 238) to the pump, which allowed them to retrieve information such as drug names, dosages, and patient data. They also gained access to the master drug list, which contains sensitive information about patients and medications.

The speaker emphasized that security should be built into devices from the start, rather than added on later. Medical institutions should establish trust with devices before connecting them to their networks. The FDA is working on standards and regulations for device security, but more needs to be done.

Common security mistakes were mentioned, such as default passwords, unencrypted data, and insufficient authentication. Manufacturers should conduct security assessments during the design phase, and medical institutions should request security reports from manufacturers before purchasing devices.

The speaker also mentioned that their research is ongoing, with a focus on firmware issues and other medical devices. In response to a question, they revealed that the encryption protocol used in the infusion pump was proprietary and reversible, with a stored key.