Interview: Deral Heiland, principal security researcher at Rapid7 – ‘A lot of that data is going out the door’

We had a chance to chat with the report’s author on why medical device security matters and how the problem should be handled in the future.

Cyber Security Connect: Thanks for joining us, Deral. I’ve had a read of the report, and it’s pretty fascinating – if a little worrying – stuff. Can you give me a brief precis of what you were doing and what you were finding during your research?

Deral Heiland: The focus of the report was a systemic issue that I discovered while doing a broader security research project on infusion pumps last year.

During that process, I acquired a number of devices online, and when I was finishing up that project, I started noticing that these devices appear to still have data on them, such as Wi-Fi credentials and things like that, which was a little concerning. So I expanded it out, and I bought a number of devices. I think I ended up buying 15 or 16 devices over a three- or four-month period and started taking them apart and looking at the data and realised that a lot of these hospitals and medical organisations don’t appear to be following the process of cradle-to-grave on their technology.

This means when it gets to end-of-life, they’re just sending it out the door without consideration of the data that it could actually store and, basically, the paper kind of breaks that down – then we go into the technical part where it’s like, this is how you would do it. This is how the data gets off there. I find it important to have those proof of concepts in there.

And then, in the end, we talk about that as a systemic issue. How do we fix that? How do we think about policy processes, so organisations can better manage these embedded technologies that they’re dealing with on a day-to-day basis?

CSC: What kind of data were you finding on these older infusion pumps?

Deral Heiland: In this particular case, with these infusion pumps, the good thing was there was no health record data. So that was a good thing.

VIEW ALL

In one case where we found there was real live infusion pump data on these things, but those were tied back to a serial number, not to an individual, so only the back-end database record would know who that data belonged to. So that was a positive, but in the case of these pumps, we found Wi-Fi pre-shared keys. So what does that mean?

If you’re familiar with most organisations, when you age out a piece of equipment, you don’t necessarily go back and change the Wi-Fi passwords on every machine. You’re not aged out. Usually, the new tech coming in keeps the same thing. That’s my experience over 30-plus years. Unless you change the entire underlying infrastructure of every device, and you typically don’t do that.

So what does that mean from a risk perspective?

What it means is that companies are selling – or hospital organisations are selling – their gear or sending it out the door. Somebody could actually pull that data off there that would give them access to the biomedical health network, the network where critical care takes place, which to me is very concerning.

CSC: Now, this report is US-focused, but do you think this is more widespread than that? Could it be a problem in Australia, for instance, and how our healthcare system deals with these devices?

Deral Heiland: Yeah, I am 100 per cent confident that very few organisations are actually going through the proper de-acquisition procedures – they’re not purging the data off their devices before they leave the door.

And I expect whether you’re looking at these infusion pumps, or you’re looking at other infusion pumps, or you’re looking at other medical devices, embedded medical devices that actually get aged out and go out the door, I would expect on a large scale … A lot of that data is going out the door.

If we go back a few years, the whole thing was all over the news: hard drives. Companies were selling their devices and adding hard drives to ... Well, flash memory chips, these are the modern-day new hard drive. And these devices aren’t something you can easily pull out and destroy like a hard drive is. These are in small embedded chips that contain massive amounts of data. And all this data is being stored on these things.

Unless you go through the proper processes within the device itself to purge the data, it’s not going anywhere. It’s going to be there.

CSC: So, what’s the process regarding removing this data? Is it just too hard, is it doable and it’s just not being done?

Deral Heiland: I think most of the organisations, out of the three that I looked at two of them, I’ve 100 per cent confirmed with them that there are written processes in their documentation. With Alaris [a device manufacturer], I worked with their security teams, and they said, “Yes, it’s in the documentation”. It’s in there.

With the Baxter [another device], we actually helped improve some of the processes out of the research we did last year, to make it even better, because it turned out that the data … they had a procedure for purging it from the infusion pump, but the battery unit is a Wi-Fi thing, and it was actually still on those. So we got their processes and procedures all fixed from that. So they’re doing it.

Typically we’re seeing most producers, the companies producing these products, are starting to make sure that processes are in place to purge this data. Because this isn’t the first story like this. There have been other stories covering everything from police body cams to all kinds of things. So we’re starting to see more vendors think about their device from a technology standpoint and how they can take it to end-of-life properly and remove that data.

CSC: So, as usual, it’s the people in the system, not the system itself, that’s letting this data slip through the cracks?

Deral Heiland: Exactly.

CSC: So before we go, my usual question for folks in this field – as a security specialist, what keeps you up at night?

Deral Heiland: Vulnerabilities do not keep me up at night – because you know every piece of equipment, every piece of technology has vulnerabilities. What it all comes down to is, is the vendor proactive?

What keeps me up is … I think this is a prime example in this paper here. I think there are a lot of things that organisations are not doing, or organisations do not know about, and I’ve been kind of preaching these last few years when it comes to embedded technology. We no longer have hard drives – we have flash memory chips, and these flash memory chips go upwards of eight to 16 gigabytes in size, which is a lot of data. And organisations do not know what data is being stored on these.

A lot of times, they may not be able to 100 per cent confirm if the data is actually being purged. When you go through the purge process – is it truly removing it? So it’s those unknowns that concern me, and the fact that organisations just aren’t aware of this type of technology and what it means … We’ve spent our entire life dealing with hard drives, and we finally got comfortable with the fact that we’re not just going to give our hard drives away.

And now we’re back doing the same thing with more micro-size flash memory technology.

CSC: Thank you so much for chatting with us, Deral.

You can read Deral’s full report here: Security Implications from Improper De-acquisition of Medical Infusion Pumps.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.