Medical Devices Used as Pivot Point in Hospital Attacks: Report

Malicious actors have been leveraging medical devices deployed in hospitals as key pivot points within the targeted institutions’ networks. Since threats are not easily detected on such systems, experts believe a lot of healthcare organizations are infected with malware that has remained undetected for a long time.

TrapX Security, a company that specializes in deception-based cyber security defense, has prepared a report detailing an attack vector dubbed by the firm “MEDJACK,” or medical device hijacking.

Recent studies have shown that the healthcare industry is increasingly targeted by malicious actors, particularly because medical records are highly valuable on the black market. A report published by the Ponemon Institute and ID Experts last month estimates that breaches cost the healthcare industry $6 billion annually.

Attackers have learned that medical devices are often the softest entry point into a hospital network. TrapX illustrates this with three incidents in which healthcare institutions were the target of persistent cyberattacks.

The medical devices found in a hospital are connected to the organization’s network just like regular computers. Securing them, however, is problematic: for patient-safety reasons the hospital is not supposed to modify them, which rules out the usual remedies of installing security agents on the device or patching it ad hoc.

The networks of healthcare institutions are usually protected with firewalls, antivirus software, intrusion detection and other security systems. However, there’s not much an organization can do when it comes to identifying or removing malware from medical devices, TrapX said.

Medical devices are closed systems that often run outdated, vulnerable software. This makes them easy for malicious actors to breach, and hard for defenders to inspect, detect a compromise on, or remediate.

The first persistent attack analyzed by TrapX involves a hospital where the malicious actor compromised three blood gas analyzers. The attackers used these devices to establish a backdoor to the hospital’s network and for lateral movement.

The attackers installed additional malware, such as Zeus and Citadel, and stole an undetermined number of data records from the organization’s network without being detected by the existing security solutions. The stolen information was sent to a server in Europe.

The second case study details an attack involving picture archive and communications systems (PACS). Because PACS provides a hospital’s radiology department with images from multiple devices (e.g. CT, MRI, X-Ray and ultrasound equipment), the system is linked to the organization’s entire network. This makes it a perfect target for cyberattacks, experts noted.

By infecting the PACS, the attackers managed to gain unauthorized access to a workstation used by a nurse. The malicious actor then managed to exfiltrate data without being detected. In this case, the stolen records were sent to a China-based server.

Researchers determined that the attackers breached the organization after an employee visited a malicious website set up to deliver malware. The threat was removed by the hospital’s security systems, but not before it infected the PACS. Because the PACS could not be scanned and remediated, the system became a pivot point for the attackers.

The third attack analyzed by TrapX was similar, but the cybercriminals leveraged an X-Ray system.
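The three cases share a pattern: a device that cannot host an endpoint agent or be scanned starts initiating connections it never should, either out to an external server (the backdoor and exfiltration channel) or to an internal host outside its normal peer set (the lateral move to a nurse's workstation). Since the device itself is off limits, the practical detection point is the network. The following is an added example, not code from TrapX or from the report, of that kind of network-side check: it takes an inventory of medical devices with the internal peers each one is expected to talk to, and flags device-initiated flows that go to the outside or to an unexpected internal host. The inventory, the peer allow-list, the IP addresses, the flow records and the 10 MiB transfer threshold are all constructed for illustration.

```python
"""
Network-side detection of a compromised medical device used as a pivot.

Everything below (device inventory, allowed peers, internal ranges, flow
records, threshold) is a constructed example, not data from the TrapX report.
"""
import csv
import io
import ipaddress

# Constructed inventory: devices that cannot run an agent, keyed by IP, with
# the internal hosts each one is expected to initiate connections to.
MEDICAL_DEVICES = {
    "10.20.1.11": {"name": "blood-gas-analyzer-1", "allowed_peers": {"10.20.1.5"}},
    "10.20.1.12": {"name": "blood-gas-analyzer-2", "allowed_peers": {"10.20.1.5"}},
    "10.30.2.40": {"name": "pacs-server", "allowed_peers": {"10.30.2.41", "10.30.2.42"}},
}

# Assumed internal address space of the hospital.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed threshold above which an external transfer from a device is rated high.
EXFIL_BYTES = 10 * 1024 * 1024

# Constructed flow records: src_ip,dst_ip,dst_port,bytes_out
FLOWS = """\
10.20.1.11,10.20.1.5,8080,2048
10.20.1.11,203.0.113.7,443,52428800
10.20.1.12,10.20.1.5,8080,1024
10.30.2.40,10.30.2.41,104,4096
10.30.2.40,10.30.5.88,445,8192
10.30.2.40,198.51.100.9,443,104857600
10.30.2.41,10.30.2.40,104,4096
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse the constructed CSV flow records into dicts with typed fields."""
    fields = ["src_ip", "dst_ip", "dst_port", "bytes_out"]
    reader = csv.DictReader(io.StringIO(text), fieldnames=fields)
    return [
        {
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "bytes_out": int(row["bytes_out"]),
        }
        for row in reader
    ]


def detect_pivots(flows: list, devices: dict) -> list:
    """Flag device-initiated flows that leave the network or reach unexpected peers.

    Only flows whose source is an inventoried medical device are judged; traffic
    from ordinary hosts toward the devices (e.g. a modality pushing images to
    the PACS) is left to other controls.
    """
    findings = []
    for flow in flows:
        device = devices.get(flow["src_ip"])
        if device is None:
            continue
        dst = flow["dst_ip"]
        if not is_internal(dst):
            # A device should never talk to the Internet on its own: this is
            # the backdoor / exfiltration channel seen in all three cases.
            kind = "external_egress"
            severity = "high" if flow["bytes_out"] >= EXFIL_BYTES else "medium"
        elif dst not in device["allowed_peers"]:
            # Internal but outside the allow-list: the lateral move from the
            # PACS to a workstation fits here.
            kind = "unexpected_internal_peer"
            severity = "medium"
        else:
            continue
        findings.append(
            {
                "device": device["name"],
                "kind": kind,
                "severity": severity,
                "dst_ip": dst,
                "dst_port": flow["dst_port"],
                "bytes_out": flow["bytes_out"],
            }
        )
    return findings


if __name__ == "__main__":
    for finding in detect_pivots(parse_flows(FLOWS), MEDICAL_DEVICES):
        print(finding)
```

In a real deployment the inventory and allow-list would come from the biomedical engineering asset register and the flow records from a NetFlow/IPFIX collector or the egress firewall, and the allow-list would be learned per device over a baseline period rather than typed in; the point is that the detection never touches the device.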

Considering that none of these organizations detected the breaches on their own, the security firm believes that a large majority of hospitals are currently infected with malware that has remained undetected for months and possibly even years.

“TrapX strongly recommends that hospital staff review and update their contracts with medical device suppliers. These contracts should address the detection, remediation and refurbishment of medical devices sold by the supplier that later become infected by malware,” said TrapX Security co-founder and vice president, Moshe Ben Simon. “Hospitals must have a documented test process to determine if their devices have become infected, and suppliers must have a documented standard process for remediating and rebuilding devices when they’re exploited by cyber attackers.”

Related: Healthcare Industry Challenged by Data Breaches, Compliance

Related: Data Breach Costs Rise, Healthcare Industry Hardest Hit

Related: Chinese Hackers Blamed For Attack That Exposed 4.5 Million Hospital Patients

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
