Malicious actors have been leveraging medical devices deployed in hospitals as key pivot points within the targeted institutions’ networks. Since threats are not easily detected on such systems, experts believe a lot of healthcare organizations are infected with malware that has remained undetected for a long time.
TrapX Security, a company that specializes in deception-based cyber security defense, has prepared a report detailing an attack vector dubbed by the firm “MEDJACK,” or medical device hijacking.
Recent studies have shown that the healthcare industry is increasingly targeted by malicious actors, particularly because medical records are highly valuable on the black market. A report published by the Ponemon Institute and ID Experts last month estimates that breaches cost the healthcare industry $6 billion annually.
Attackers are aware that medical devices are the easiest and most vulnerable entry point. This is demonstrated by three incidents analyzed by TrapX in which healthcare institutions were the target of persistent cyberattacks.
The medical devices found in a hospital are connected to the organization’s network just like regular computers. However, securing medical devices can be problematic because they should not be tampered with for safety reasons.
The networks of healthcare institutions are usually protected with firewalls, antivirus software, intrusion detection and other security systems. However, there’s not much an organization can do when it comes to identifying or removing malware from medical devices, TrapX said.
Medical devices are closed devices that often run outdated and vulnerable software. This makes it easy for malicious actors to breach them, while making it difficult for defenders to detect and remediate an attack.
The first persistent attack analyzed by TrapX involves a hospital where the malicious actor compromised three blood gas analyzers. The attackers used these devices to establish a backdoor to the hospital’s network and for lateral movement.
The attackers installed additional malware, such as Zeus and Citadel, and stole an undetermined amount of data records from the organization’s network without being detected by existing security solutions. The stolen information was sent to a server in Europe.
The second case study details an attack involving picture archive and communications systems (PACS). Because PACS provides a hospital’s radiology department with images from multiple devices (e.g. CT, MRI, X-Ray and ultrasound equipment), the system is linked to the organization’s entire network. This makes it a perfect target for cyberattacks, experts noted.
By infecting the PACS, the attackers managed to gain unauthorized access to a workstation used by a nurse. The malicious actor then managed to exfiltrate data without being detected. In this case, the stolen records were sent to a China-based server.
Researchers determined that the attackers breached the organization after an employee visited a malicious website set up to deliver malware. The threat was removed by the hospital’s security systems, but not before it infected the PACS. Because the PACS could not be scanned and remediated, the system became a pivot point for the attackers.
The third attack analyzed by TrapX was similar, but the cybercriminals leveraged an X-Ray system.
Considering that none of these organizations detected the breaches on their own, the security firm believes that a large majority of hospitals are currently infected with malware that has remained undetected for months and possibly even years.
“TrapX strongly recommends that hospital staff review and update their contracts with medical device suppliers. These contracts should address the detection, remediation and refurbishment of medical devices sold by the supplier that later become infected by malware,” said TrapX Security co-founder and vice president, Moshe Ben Simon. “Hospitals must have a documented test process to determine if their devices have become infected, and suppliers must have a documented standard process for remediating and rebuilding devices when they’re exploited by cyber attackers.”