Healthcare is Facing a New Threat
IoT Devices Getting Bricked
A recent report from Bleeping Computer indicates there is a new strain of malware that is targeting unsecured devices that are part of the Internet of Things (IoT). The malware, called BrickBot, is targeting devices that run the BusyBox Linux embedded operating system. To accomplish its mission, BrickBot utilizes a brute force attack against open Telnet ports and then erases the operating system (a process also known as “bricking”).
A search of the BusyBox project site shows that a variety of projects and commercial manufacturers use BusyBox for their devices. This includes products from Cisco, Dell, Linksys, and Netgear. Depending on the type and purpose of the device, the potential impact of a BrickBot attack ranges from annoying (e.g. unable to watch your favorite Netflix show) to dangerous.
Potential Healthcare Impact
Beyond the personal and business impact, healthcare providers are faced with yet another threat to patient safety. As the number of medical devices that run embedded OSs continues to grow, so does the potential for a cyber attack affecting a device that is critical to patient care. Threats like BrickBot, which are designed to indiscriminately target and destroy consumer or business devices/systems, can easily bleed over to the healthcare environment. Even if the medical devices themselves are not the target, they (and the patients that are being diagnosed/monitored/treated by the devices) could easily become collateral damage from an attack. As of the day we published this article, our research did not identify any medical devices that are currently using BusyBox, but the fact that this type of threat exists in the wild should not be ignored or discounted.
Gartner predicts that by 2020 over 25% of identified attacks in healthcare delivery organizations will involve the IoT.
Comprehensive Risk Analysis
Since the Affordable Care Act was established in 2009, many healthcare providers and IT security consulting firms have been heavily focused on a HIPAA-compliance-centric approach to risk analysis. While important, these types of assessments tend to be focused on data breaches (PHI confidentiality). Even though there are compliance issues with threats like BrickBot, most would agree that patient safety is paramount. Our recommendation is to move to a comprehensive and quantitative risk analysis process that addresses risk across multiple “dimensions” that include privacy, financial and safety.
Adjust Your Models
Organizations that are already performing quantitative risk analysis (e.g. using Open FAIR or another framework) should review their models to ensure they account for this emerging type of threat, and adjust if necessary.
Medical Device/Clinical Engineering Device Management
Ensure your Medical Device / Clinical Engineering asset management process allows you to identify key elements such as operating systems and access control configuration.
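An inventory check of the kind this recommendation points at, as an added example that is not part of the original article: it reads a constructed asset export and flags records where Telnet is open on a BusyBox or unidentified device, and records where the OS or access control configuration is missing. The column names, sample rows and finding labels are assumptions.

```python
import csv
import io

# Constructed sample inventory export; column names and rows are assumptions.
SAMPLE_INVENTORY = """asset_id,device_type,os,open_ports,credentials,patient_care
A-001,telemetry gateway,BusyBox 1.24 (embedded Linux),22;23,default,yes
A-002,IP camera,BusyBox 1.20,23,changed,no
A-003,patient monitor,,23;80,default,yes
A-004,network switch,vendor firmware,22;443,changed,no
A-005,wireless router,BusyBox 1.22,80;443,,no
"""

TELNET_PORT = 23


def parse_ports(field):
    """Turn '22;23' into {22, 23}; an empty field yields an empty set."""
    return {int(p) for p in field.split(";") if p.strip().isdigit()}


def assess(row):
    """Return (finding, reasons) for one inventory row."""
    os_name = row["os"].strip().lower()
    ports = parse_ports(row["open_ports"])
    creds = row["credentials"].strip().lower()
    reasons = []
    # Gaps first: fields the asset management process failed to capture.
    if not os_name:
        reasons.append("operating system not recorded")
    if not creds:
        reasons.append("access control configuration not recorded")
    telnet_open = TELNET_PORT in ports
    if telnet_open and ("busybox" in os_name or not os_name):
        reasons.append("Telnet (23/tcp) open on BusyBox or unidentified OS")
        if creds in ("default", ""):
            reasons.append("credentials default or unknown")
        level = "safety-critical" if row["patient_care"].strip().lower() == "yes" else "exposed"
        return level, reasons
    return ("inventory-gap" if reasons else "ok"), reasons


def audit(csv_text):
    """Map asset_id -> (finding, reasons) for every row in the export."""
    return {r["asset_id"]: assess(r) for r in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for asset, (finding, reasons) in audit(SAMPLE_INVENTORY).items():
        print(f"{asset}: {finding}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

A device with an unrecorded OS and Telnet open is treated as exposed rather than skipped, since the inventory cannot rule BusyBox out.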