With the healthcare system at the forefront of the battle against the coronavirus disease (COVID-19) pandemic, hospital integrity and security have become crucial now more than ever before. But is an old-school system for moving small items making hospitals vulnerable to hacking?
While most people would assume that hackable medical tools fall between CT scanners and pacemakers, security experts have pointed out that the pneumatic tube system may put a hospital at risk.
For those not familiar, the pneumatic tube system uses containers pushed through a tube network using compressed air. Also called pneumatic tube transport (PTT), this system dates to the 18th century for telegram delivery. Today, hospitals still use PTT to move documents, specimens, and drugs to and from labs and nurses’ stations.
The system sounds simple and useful. And despite its straightforward function, recent findings suggest that the Swisslog’s Translogic Nexus Control Panels, which many hospitals in the US use, can be prone to hacking.
Study Findings on Hospitals and PTT Hacking
The system’s weaknesses were published in a white paper by security film Armis and presented during Black Hat USA 2021. The report, authored by Barak Hadad and Ben Seri, says it’s crucial to look at three types of potential hackers. By doing so, one would see how the system can be at risk.
The first hacker type is someone who might try to tinker with the system physically. A hacker within the site can put the station at risk by messing with the panel’s SD card. If, in some way, the hacker gets access to the system’s panels, they could alter the system’s code. That means the person won’t need to have the tech skills to put the system at risk.
The second hacker type would be someone who has gained access to the internal network. It’s not hard to have hospital data hacked within an IP-connected system that isn’t encrypted. In fact, man-in-the-middle attacks can allow the hacker to access an IP network in order to alter packets that control the network.
Last but surely, not least are online hackers. At the most basic, the system doesn’t require the internet to function; in fact, the system only connects to the central server. However, it’s usual for the main server to have an outdated system, making it prone to attacks.
Making Hospitals Less Prone to Hacking
Some might wonder why hackers attack health care when there are other firms to target, like banks or financial firms. Whether it’s for espionage or hospital hacked ransomware, hackers target hospitals mostly to get info to sell on the dark web.
Before they presented the paper at Black Hat USA 2021, Armis informed Swisslog about the results of their study. In a statement, Swisslog said that they found the results to pose small risks to their product and clients. That said, they’re still working on short-term and long-term fixes with Armis to further strengthen their security. Swisslog also said that they’ve started rolling out fixes, and they will work with clients until they resolve all concerns.
Study co-author Seri stated that many health care firms tend to overlook PTT security. After all, many see the system as nothing more than a physical aspect of the building. In fact, most hospitals task operations teams rather than IT teams to oversee PTT maintenance.
However, Seri stressed that it’s an “always-on, internet-connected system” and thus needs digital defense as much as hardware care. Added to that, most health care firms buy the system as part of their 30-year investment. As a result, the systems could go untouched and without any updates for decades.
