RSNA 2016: How a guest wi-fi network creates security vulnerability

What if hackers of health systems’ computer networks weren’t looking to make money off ransomware attacks or identity theft, but they were instead aiming to harm patients? 

They might be able to pull it off, according to one cybersecurity expert, if facilities fail to separate their networks.

Kevin Hemsley, project manager for the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) within the U.S. Department of Homeland Security, gave some startling examples of how a lack of network segmentation could harm patients at a presentation at RSNA 2016 entitled, “The U.S. Government and Medical Device Security.”

One example involved vulnerabilities uncovered by security software company Codenomicon. Because the hospital’s clinical network wasn’t segmented from the wi-fi network available to hospital guests, the testers were able to gain access to it without needing a username or password, with “scary” results, according to Hemsley.

“(They) started off this little program, right on their little laptop out in the lobby. It sent out a broadcast which shut down every patient monitor in the hospital. Every single one of them,” Hemsley said. “And it kept them from functioning until they turned off this attack.”

Other testers were able to disrupt particular devices in a hospital, like causing the readout of patient monitors at the nurse’s station to display incorrect information or even locking up an anesthesia monitoring device and requiring a full reset to restore function.

At one imaging facility, a vulnerability scan found 114 open ports that a hacker could use to gain access to an MRI control system—again, all from using the guest wi-fi network.

Hemsley hoped these frightening examples would motivate hospitals and health systems to boost their security, even if the software slows down their systems, and have a plan for when a cyberattack occurs.

“You need to prepare for the worst,” Hemsley said. “Something will happen someday. You need to segment your networks, you need to perform regular backups, you need to update and patch your systems, but you need to do that in conjunction with your vendors.”

After the presentation, Hemsley said he wouldn’t recommend one common method of segmenting networks: virtual local area networks, or VLANs. This method may be easier to implement, Hemsley said, but hackers could easily “hop” from one VLAN, like a guest network, to another which includes medical devices.

“A lot of places that have a hospitality or guest network, they literally have a different internet connection for just that,” Hemsley said. “They let guests use that and it’s not tied to anything else. That would be my recommendation.”

John Gregory, Senior Writer
