RSNA 2016: How a guest wi-fi network creates security vulnerability

What if hackers of health systems’ computer networks weren’t looking to make money off ransomware attacks or identity theft, but they were instead aiming to harm patients? 

They might be to pull it off, according to one cybersecurity expert, if facilities fail to separate their networks.

Kevin Hemsley, project manager for the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) within the U.S. Department of Homeland Security, gave some startling examples of how a lack of network segmentation could harm patients at a presentation at RSNA 2016 entitled, “The U.S. Government and Medical Device Security.”

One example involved vulnerablities uncovered by security software company Codenomicon. The testers were able to gain access to the hospital’s clinical network, without needing a username or password, because it wasn’t segmented from the wi-fi network available to hospital guests, with “scary” results, according to Hemsley.

“(They) started off this little program, right on their little laptop out in the lobby. It sent out a broadcast which shut down every patient monitor in the hospital. Every single of them,” Hemsley said. “And it kept them from functioning until they turned off this attack.”

Other testers were able to disrupt particular devices in a hospital, like causing the readout of patient monitors at the nurse’s station to display incorrect information or even locking up an anesthesia monitoring device and requiring a full reset to restore function.

At one imaging facility, a vulnerability scan found 114 open ports that a hacker could use to gain access to a MRI control system—again, all from using the guest wi-fi network.

Hemsley hoped these frightening examples would motivate hospitals and health systems to boost their security, even if the software slows down their systems, and have a plan for when a cyberattack occurs.

“You need to prepare for the worst,” Hemsley said. “ Something will happen someday. You need to segment your networks, you need to perform regular backups, you need to update and patch your systems, but you need to do that in conjunction with your vendors.”

After the presentation, Hemsley said he wouldn’t recommend one common method of segmenting networks: virtual local area networks, or VLANs. This method may be easier to implement, Hemsley said, but hackers could easily “hop” from one VLAN, like a guest network, to another which includes medical devices.

“A lot of places that have a hospitality or guest network, they literally have a different internet connection for just that,” Hemsley said. “They let guests use that and it’s not tied to anything else. That would be my recommendation.”

""
John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.