Sunday, May 5, 2019

Wait, a Robot can Take My Blood Pressure?!?!


For blog 5 I decided to focus on something straight out of sci-fi, since yesterday was May the 4th (May the Fourth be with you). In this case, I looked at how the robotics industry is starting to take over health care. There was a time when there were fewer electronics in hospitals and more of the work was done by the actual nurses and doctors. That isn’t to say they are not doing a lot of work today, but look at a simple task like taking blood pressure. They can put a simple machine on your arm and it does everything for the nurse, who just needs to write down the values. I had my gall bladder surgery, and while it wasn’t performed by robots, it was done with new tools that made complications less likely. In the past, the surgeons would have to cut you open, leading to a much longer recovery time. I was off from work for one week. With that being said, gall bladders can now be removed by robots. A trans-Atlantic surgery occurred in 2001 “when teams of fiber-optically linked surgeons in New York and Strasbourg, France, robotically removed the gall bladder of a 68-year-old woman using robotic arms” (https://www.asme.org/engineering-topics/articles/robotics/robo-doctor-will-see-you-now). The tools in the image below are shown being used on YouTube: https://www.youtube.com/watch?v=aA3EVXdB3aE.
Watching this video fascinated me. To think a robotic arm could be so delicate. Just watching the surgeon’s hands use the machine was quite fascinating. The robot in this video, da Vinci, was approved by the FDA in 2000. The possibilities of robotics seem to be unlimited at this point. I start thinking of the movie Elysium from 2013, in which a machine could diagnose a little girl and cure her without any assistance from a doctor or surgeon. If you haven’t seen the movie, here is the clip: https://www.youtube.com/watch?v=RyMoJHf7rCQ. Of course, I feel as though we are a long way from that occurring, but da Vinci is a small step on the way to getting there. Surgery isn’t the only place we could see robotics in health care.
What if your nurse was a robot? Robots “can now patrol hospital hallways on more routine rounds, checking on patients in different rooms and managing their individual charts and vital signs without direct human intervention” (https://www.asme.org/engineering-topics/articles/bioengineering/top-5-medical-technology-innovations). This is a huge asset to nurses and doctors, who are typically over-tasked. They could be used to clean and sanitize rooms, pour patient medicine dosages, and even draw blood (https://www.healthcare-administration-degree.net/faq/how-are-robots-changing-healthcare/). The blood-drawing one I find extremely intriguing, as I have had several nurses in the past apologize for sticking my arm repeatedly to find a vein. The simple fact is that robotics is making the healthcare field safer and less troublesome. This can be a huge benefit to the medical field and staff. Of course, these robots won’t actually replace doctors any time soon.
The cost of such devices would be astronomical. I mean, looking at an MRI I had, it cost $2,500. That was for 30 minutes. Thankfully, I have good insurance and didn’t have to pay that much. That was a simple scan, though. Robotic surgery is a little more intrusive, and thus more expensive. The da Vinci machine itself costs around $2 million, and the surgery itself can cost $3-6K more than the non-robotic surgery (https://www.healthline.com/health-news/is-da-vinci-robotic-surgery-revolution-or-ripoff-021215#2). Most hospitals cannot afford that type of cost. There is another issue: security. Since my blog is based upon security in healthcare, I will turn my focus towards security with regards to robotics.
Robots are computers, with much more advanced programming to be sure, but still computers. Thus, they are vulnerable to malware and viruses just like a normal computer. In fact, a popular robotic operating system was shown to be vulnerable to injection and eavesdropping attacks (https://www.roboticstomorrow.com/article/2018/04/securing-the-robots/11719). The same article also states that several robots “had insecure connections, authentication issues, missing authorization schemes, weak cryptography, weak default configurations and were built using vulnerable open source frameworks and libraries”. Researchers were actually able to intercept and change the commands sent by the doctor, causing the robot to become jerky and hard to control. I’m not entirely sure I would want a robot performing surgery on me to suddenly go haywire and start jerking while cutting into me.
Now imagine that there was a robot dispensing your medications, and it was suddenly “hacked” and gave you a medicine you were highly allergic to. Or one of those robots going room to room could change the drip that is going into your IV. I have already shown in previous posts that medical devices can be hacked. Robotics would be no different. The truth of the matter is that if there is an operating system, it could potentially be hacked. I think that is why it is even more important to build security into systems rather than adding it as an afterthought, especially with systems that are in control of our lives.
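To make the “build security in” point concrete, here is an added example (my own illustration, not code from any of the articles above or from a real surgical robot) of what an integrity-protected command channel between a surgeon console and a robot could look like. The shared key, the frame format and the command fields are assumptions for illustration. It shows why the kind of command tampering the researchers demonstrated gets rejected when each command carries a sequence number and an HMAC, and why a replayed command is refused as well.

```python
import hashlib
import hmac
import json
import struct

# Shared secret between the surgeon console and the robot. A constructed example
# value for this illustration; a real system would provision a per-device key.
SHARED_KEY = b"example-shared-key-not-for-production"
SEQ_LEN = 8    # 8-byte big-endian sequence number
MAC_LEN = 32   # HMAC-SHA256 tag length


class TamperError(Exception):
    """The authentication tag did not match the frame contents."""


class ReplayError(Exception):
    """The sequence number was not newer than the last accepted one."""


def frame_command(seq, command, key=SHARED_KEY):
    """Console side: serialise a command as  seq || JSON body || HMAC(seq || body)."""
    body = json.dumps(command, sort_keys=True, separators=(",", ":")).encode()
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class CommandReceiver:
    """Robot side: accepts a frame only if its tag verifies and its sequence
    number is strictly newer than anything accepted before."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, frame):
        if len(frame) < SEQ_LEN + MAC_LEN:
            raise TamperError("frame too short")
        header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(tag, expected):
            raise TamperError("authentication tag mismatch")
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            raise ReplayError("sequence %d is not after %d" % (seq, self.last_seq))
        self.last_seq = seq
        return json.loads(body)


def demo():
    """One genuine command, then a tampered copy and a replayed copy of it.
    Returns what the receiver did with each."""
    receiver = CommandReceiver()
    genuine = frame_command(1, {"arm": "left", "move_mm": 0.5})
    accepted = receiver.accept(genuine)

    # An on-path attacker changes 0.5 mm to 5.0 mm in the body but cannot
    # recompute the tag without the key.
    body = genuine[SEQ_LEN:-MAC_LEN].replace(b"0.5", b"5.0")
    tampered = genuine[:SEQ_LEN] + body + genuine[-MAC_LEN:]
    try:
        receiver.accept(tampered)
        tampered_result = "accepted"
    except TamperError:
        tampered_result = "rejected"

    # Re-sending the original frame later is refused: sequence 1 was already used.
    try:
        receiver.accept(genuine)
        replay_result = "accepted"
    except ReplayError:
        replay_result = "rejected"

    return {"accepted": accepted, "tampered": tampered_result, "replay": replay_result}


if __name__ == "__main__":
    print(demo())
```

This only covers integrity and replay. The eavesdropping problem from the same article would still need the channel wrapped in TLS (or similar) on top of this, and the key would be provisioned per device rather than hard-coded as it is here.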
I personally am all for robotics in the healthcare field, as I do think they can make the lives of doctors and nurses easier and less stressful. A doctor or nurse that isn’t running around like a chicken with its head cut off is typically a friendlier person. Although, I’m not sure I am ready for robots to go around taking my blood while giving me bedside care. Sometimes I feel like the face-to-face still makes me a little more comfortable and at ease, especially at a place I typically dread going to anyway.

Figure 1 https://qz.com/989137/when-a-robot-ai-doctor-misdiagnoses-you-whos-to-blame/

Sunday, April 21, 2019

NIST Special Publication 800-66 Rev 1 and How it Applies to HIPAA


For this blog (#4), I decided to write about a National Institute of Standards and Technology (NIST) publication, in particular NIST Special Publication 800-66 Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which can be found here: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf. I have talked plenty about breaches in the health care industry in my past posts, and why companies should follow HIPAA rules. I have also discussed the consequences and punishments for not following it. What I haven’t really discussed, though, is how companies should implement the HIPAA Security Rule. So that is where this blog will focus.
The publication starts with a background. It states which entities the Security Rule applies to. This includes health care providers, health plans, healthcare clearinghouses, and Medicare prescription drug card sponsors. It also discusses the NIST risk management framework (as shown below) and how it links to the Security Rule. It does this by providing a wonderful table that describes not only the phases and descriptions of the Risk Management Framework (RMF) steps, but also how each links to the Security Rule in particular. For example, in step one, categorize information systems, the link to the Security Rule is: “Identify assets and information systems that create, receive, transmit, or maintain EPHI”.

Figure 1 NIST Risk Management Framework (NIST, 2008)

It then provides several different considerations when applying the HIPAA Security Rule. These are broken down into several sections: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements. All of these sections are then broken into smaller sections. I will discuss a little about each section to provide an overview of what this document provides.
The administrative safeguards include nine separate subjects, with topics such as: security management process, assigned security responsibility, workforce security, contingency plan, etc. Each section has key activities that must be implemented to prevent, detect, contain, and correct security violations, which is the HIPAA standard. One of the key activities in the security management process is to develop appropriate standard operating procedures. The description is to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports” (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf). The guide also provides sample questions to help implement these activities, such as “How will exception reports or logs be reviewed?” All the remaining sections and subjects are broken into a table form that provides an easy way to ensure compliance. An example of the table is shown below.

Also, note that above each section there is the specific HIPAA standard that the key activities correspond to. The above is from the Assigned Security Responsibility section. This entire document does this for all the HIPAA standards that must be followed.
There are four physical safeguards mentioned in the document. One of the most important, in my opinion, is the facility access controls. Protecting physical access to information is just as important as technical access. Typically, when you go to a doctor’s office, they take all your information down and add it to your chart. Often, the nurses then put it outside the room for the doctor to grab before they come in. Now, as I have never actually looked there, I can only imagine it could provide some useful information to someone who just went through reading them as they moved along. This is why controlling access to floors or wings is important, and that is what this section covers. One of the key tasks is to develop access control and validation procedures: basically, how an organization validates those who need access. The rest of the physical control section deals with workstation use and security as well as device and media controls.
Finally, as far as controls are concerned, there are the technical controls. There are five separate controls that should be implemented. One that I want to discuss is the audit controls section. The reason I mention this is that this document is very helpful to an organization in that it provides an auditing section which helps an organization actually audit its system. One key task is to develop appropriate standard operating procedures. This is made easier because a lot of these procedures can be written using this NIST publication.
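As an added example of the “regularly review records of information system activity” key activity from the administrative safeguards, and of what an audit-controls procedure can actually check (this is my own illustration, not something from the NIST publication), here is a small log review script. The log format, the user names, the business-hours window and the thresholds are all assumptions, and the log lines are constructed.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed EPHI access log for this example (no real data). Columns:
# timestamp, user, action, patient_id, result
SAMPLE_LOG = """\
timestamp,user,action,patient_id,result
2019-04-15T09:02:11,nurse_a,view,P1001,success
2019-04-15T09:05:43,nurse_a,view,P1002,success
2019-04-15T09:07:02,dr_b,update,P1001,success
2019-04-15T02:14:55,clerk_c,view,P1003,success
2019-04-15T10:11:09,clerk_c,view,P1004,success
2019-04-15T10:11:20,clerk_c,view,P1005,success
2019-04-15T10:11:31,clerk_c,view,P1006,success
2019-04-15T10:11:40,clerk_c,view,P1007,success
2019-04-15T10:11:52,clerk_c,view,P1008,success
2019-04-15T10:12:03,clerk_c,view,P1009,success
2019-04-15T11:30:00,unknown_x,login,,failure
2019-04-15T11:30:05,unknown_x,login,,failure
2019-04-15T11:30:09,unknown_x,login,,failure
2019-04-15T11:30:14,unknown_x,login,,failure
2019-04-15T14:00:00,dr_b,view,P1002,success
"""

# Assumed review policy for this example; a real one would come from the
# organization's own standard operating procedure.
BUSINESS_HOURS = range(7, 20)        # 07:00 to 19:59
FAILED_LOGIN_THRESHOLD = 3           # failures by one account in the reviewed period
DISTINCT_PATIENTS_THRESHOLD = 5      # distinct records one user touched in a day


def parse_log(text):
    """Parse the CSV log into dicts, adding a parsed 'ts' datetime to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review(rows):
    """Apply three review rules and return (rule, user, detail) exceptions
    for a human reviewer to follow up."""
    findings = []
    failed_logins = Counter()
    patients_per_user_day = defaultdict(set)

    for r in rows:
        if r["action"] == "login" and r["result"] == "failure":
            failed_logins[r["user"]] += 1
        if r["patient_id"]:
            # Rule 1: any record access outside business hours is flagged.
            if r["ts"].hour not in BUSINESS_HOURS:
                findings.append(("after_hours_access", r["user"],
                                 "%s %s at %s" % (r["action"], r["patient_id"], r["timestamp"])))
            patients_per_user_day[(r["user"], r["ts"].date())].add(r["patient_id"])

    # Rule 2: repeated failed logins by one account.
    for user, n in sorted(failed_logins.items()):
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed_login_burst", user, "%d failed logins" % n))

    # Rule 3: one user touching an unusual number of distinct patient records.
    for (user, day), patients in sorted(patients_per_user_day.items()):
        if len(patients) >= DISTINCT_PATIENTS_THRESHOLD:
            findings.append(("bulk_record_access", user,
                             "%d distinct patients on %s" % (len(patients), day)))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(rule, user, detail)
```

The point of a script like this is not to decide anything on its own; it produces the exception report that the sample question “How will exception reports or logs be reviewed?” asks you to have a procedure for, so the people doing the review start from a short list rather than the raw log.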
The last two sections are the organizational requirements, which deal primarily with contracts and group health plans, and the policies and procedures and documentation requirements. This section is of particular importance because following policies and procedures is the way to ensure that these controls are being implemented and followed. The documentation is also proof that the organization is doing this. One of the most important key activities in both of these subsections is the updating of the policies, procedures and documentation. It is completely useless to create a policy and procedure, or document it, and never look at it again.
This NIST SP is extremely useful to any health organization. The description of the key activities and associated sample questions can help any organization implement the HIPAA standards. It should also help when it comes to auditing to ensure that a company is following the guidelines, because this is almost a checklist. It makes little sense for a company or organization not to follow these guidelines.

Tuesday, April 9, 2019

How to Apply Ethical Hacking to Healthcare


So for blog #3, I decided to write about ethical hacking, since I took a boot camp and received my certification just a week ago. The reason I am going to discuss this with regards to healthcare is specifically the vulnerabilities I have addressed in past blogs, and how ethical hacking could have been used to prevent those incidents from happening. First I want to talk about the boot camp for Certified Ethical Hacker itself.
The class first taught us how to conduct open source intelligence collection. In other words, it taught us how to look at websites for information that may be helpful to a pen tester. For example, the pen tester may find organization charts, or the email address format. They can search for information on specific employees. Take myself as an example. If you search for my name, you typically find a lot of information that shows I am an avid runner, including race results and even pictures of me running. You can also see that I am a Cubs fan and a fisher, just from pictures found using a Google search. You can see my LinkedIn profile, which shows my profession. There are also web pages that show I have supported a respiratory health charity. You can find that I am a Florida State alum. All of this is information that can be used against me in an attempt to send me a spear phishing email. In fact, this has been used against me.
A year or so ago, someone spoofed what appeared to be a friend’s email. The name that showed up appeared to be a family friend. Inside the email itself was a link for information about a “race”. Even the wording was crafted quite well, and stated something along the lines of, “Hey Steve, I know you love running in races, here is this one I just found, <link>”. It was even made to appear to be a charity run. Thankfully, I knew better. This family friend never emails me, so that sent up a red flag right away. I hovered over the name and saw that it was not her email address. I then hovered over the link and saw that it didn’t go to the page it said it did. All of the information they found about me, the attacker tried to use against me.
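The two checks I did by hand, comparing the display name to the real sender address and the link text to where the link actually goes, can be automated. Below is an added example (my own illustration, not from the boot camp) that parses a constructed message modelled on the one I received; the addresses, domains and the address-book entry are made up for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed example message modelled on the one described above (no real addresses).
RAW_EMAIL = """\
From: "Jane Family-Friend" <promo9812@mail.example-bulk.test>
To: steve@example.test
Subject: A race you might like
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hey Steve, I know you love running in races, here is one I just found:</p>
<p><a href="http://login.example-bad.test/r/1">https://www.charity-run.example.org/signup</a></p>
</body></html>
"""

# The recipient's address book: display names they know and the address each
# really uses. Constructed for this example.
KNOWN_CONTACTS = {"Jane Family-Friend": "jane@example-home.test"}

# Anchor text is only compared when it looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.links


def url_host(text):
    """Lower-cased host of a URL-looking string, or '' if it is not URL-like."""
    m = URL_LIKE.match(text.strip())
    return m.group(1).lower() if m else ""


def check_message(raw, contacts=KNOWN_CONTACTS):
    """Return (check, detail) findings: a known display name on an unexpected
    address, and links whose visible host differs from the real target host."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg["From"]))
    if name in contacts and contacts[name].lower() != addr.lower():
        findings.append(("display_name_mismatch",
                         "%s is known as %s but this came from %s" % (name, contacts[name], addr)))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for text, href in extract_links(body.get_content()):
            shown, real = url_host(text), url_host(href)
            if shown and real and shown != real:
                findings.append(("link_text_mismatch",
                                 "text shows %s but the link goes to %s" % (shown, real)))
    return findings


if __name__ == "__main__":
    for check, detail in check_message(RAW_EMAIL):
        print(check + ":", detail)
```

A mail filter doing this would have caught both red flags I noticed: the friend’s name arriving from an address she never uses, and a link whose text names one domain while the href points at another. Anchor text that is not URL-like (“click here”) is deliberately left alone, since there is nothing to compare it against.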
Had I fallen for this, chances are there could have been malware that would allow the attacker backdoor access to my system. They could use pre-written exploits from software platforms like Metasploit (discussed later). Once they had this access, they could continue to scan my network for an internal network that might exist. They would scan for open ports and services to exploit. For example, EternalBlue, which was used for WannaCry, exploited an SMB vulnerability. If I were to click on the link at work, for example, they could then use open ports and services to traverse the internal network. At this point they would also want to establish persistence to ensure that even if I were to turn off my computer, when I turned it back on, the computer would call back to the attacker.
Since the attacker had access, they could have used that backdoor to install a key logger that could record every keystroke I typed. Maybe from there they could retrieve my banking username and password. They could compromise the camera on my computer and watch what I do (which is a reason I cover the cameras on my systems). All of these attack vectors we performed against systems in a lab. We also exploited wireless devices. The detail is a little more complex here, but basically you can capture and intercept traffic. Of course, a lot of medical devices now have wireless capabilities, so you can see how this could become a problem. So how could this skill affect the healthcare industry? This is where WannaCry comes in as an example.
WannaCry struck in May of 2017. It searched for and encrypted 176 different file types (https://www.symantec.com/blogs/threat-intelligence/wannacry-ransomware-attack). Then the attackers demanded a ransom on the order of US$300 in bitcoin to unlock the data. It especially affected the health care industry, as evidenced by Britain’s National Health Service. It specifically targeted Windows machines, in particular unpatched systems. The exploit it used was known as EternalBlue, which affected Windows systems from “XP to Windows 7 and various flavors of Windows Server 2003 and 2008” (https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/). An example of the code is shown below:

The vulnerability was actually found a month before the attack began and a patch was created for it. Patches were even created for XP systems, which were no longer supported by Microsoft. Yet there were many companies and industries still using XP to conduct their work. Something else that I should point out is that this did not spread via phishing emails or social engineering campaigns. It directly exploited the vulnerability. In fact, below is a screenshot of the virus working.
As you can see, the code sets up a back door into the system for the attacker to exploit.
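Because the worm spread by scanning for and directly exploiting SMB rather than via phishing, one thing defenders can watch for is a single host suddenly opening SMB connections to many internal hosts in a short window. Here is an added example of that detection (my own illustration, not code from WannaCry or from any of the linked articles) run over a constructed connection log; the log format, the addresses, the threshold and the window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed connection log (not real traffic): "timestamp src dst dport",
# one attempted TCP connection per line. 10.0.1.9 is a normal workstation
# talking to a file server; 10.0.1.5 is behaving like a worm.
SAMPLE_FLOWS = """\
2017-05-12T10:00:00 10.0.1.9 10.0.1.100 445
2017-05-12T10:00:01 10.0.1.5 10.0.1.20 445
2017-05-12T10:00:03 10.0.1.5 10.0.1.21 445
2017-05-12T10:00:04 10.0.1.9 10.0.1.100 445
2017-05-12T10:00:05 10.0.1.5 10.0.1.22 445
2017-05-12T10:00:06 10.0.1.9 10.0.1.40 80
2017-05-12T10:00:07 10.0.1.5 10.0.1.23 445
2017-05-12T10:00:09 10.0.1.5 10.0.1.24 445
2017-05-12T10:00:11 10.0.1.5 10.0.1.25 445
2017-05-12T10:00:13 10.0.1.5 10.0.1.26 445
2017-05-12T10:00:15 10.0.1.5 10.0.1.27 445
2017-05-12T10:00:20 10.0.1.9 10.0.1.30 445
"""


def parse_flows(text):
    """Return (timestamp, src, dst, dport) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    events.sort()
    return events


def detect_fanout(events, port=445, threshold=5, window=timedelta(seconds=60)):
    """Flag each source that reaches `threshold` distinct destinations on `port`
    within `window`. Returns {src: (time the threshold was first crossed,
    distinct destination count at that moment)}."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    alerts = {}
    for ts, src, dst, dport in events:
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (ts, n) in detect_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print("%s reached %d distinct SMB targets within a minute at %s" % (src, n, ts.isoformat()))
```

The threshold and window have to be tuned to the environment (backup servers and vulnerability scanners legitimately fan out), but an ordinary workstation talking to one file server, as 10.0.1.9 does here, never trips it, while the scanning host does within ten seconds.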
As an ethical hacker, someone can test these vulnerabilities directly. There are several tools that allow doing this. One of them we used in the boot camp quite a bit is the Metasploit Framework, as discussed earlier. This tool has preloaded exploits that allow an attacker to “point and click”. For example, in the image below the user selected the EternalBlue exploit, which was the exploit used in WannaCry, and ran “show options”. This shows the pen tester what information needs to be entered.

The only information the pen tester really needs to add is the receiving host IP address, as the other information is typically default and works (unless the user modified things). All that needs to be done is to fire the exploit. This exploit simply gives the attacker access to the system. From there they can do a lot of harmful, malicious things. For a pen tester, however, this allows them to find these vulnerabilities to patch.
This boot camp offered me the opportunity to test vulnerabilities against a lab environment. It was interesting to see how easy attacks were to make against unpatched systems. It also showed us how hard it was to access patched and updated systems. In fact, for some of the boxes, the only way we could exploit them was via phishing. Hence, as mentioned several times, this is why the healthcare industry should hire pen testers to test their network and ensure they are patched. The boot camp was a week long and offered by EC-Council. They provided a test voucher with the camp. I recommend it if you are interested in penetration testing.