The Medical Device Hijack Story You Need to Hear

A new report finds that medical devices are the most vulnerable points on a hospital network and are being hijacked by bad actors overseas looking to gather sensitive data.  

Arundhati Parmar

The medical device industry doesn't pay particular attention to cybersecurity.

But a recent report highlighting medical device hijacking at hospitals might make people sit up and take notice. 

TrapX Labs, a division of TrapX Security, published an Anatomy of an Attack report on the healthcare and medtech industry by analyzing three instances where medical devices were hijacked using malware at three separate healthcare institutions. The goal in all three is to use the device vulnearbility to steal data from the hospital network.

What's even more alarming is that hospital personnel were not aware that the devices were infected with malware. 

TrapX did not identify the institutions where the MEDJACK - the term it uses to describe the hijacking of medical devices - occurred, but found that devices involved were a picture archiving and communications system (PACS) in one healthcare institution’s radiology department, a medical x-ray scanner in the radiology department of a second institution and several blood gas analyzers in a third healthcare institution’s laboratory department that served critical care and emergency services.

TrapX Labs personnel also found that once the malware was removed, these same devices could be re-infected very quickly. In these examples the attacks came from Europe and Asia Pacific. 

Here's how Moshe Ben Simon, co-Founder & VP, TrapX Security, as well as general manager, TrapX Labs described the hijacking:

In the first analysis of blood gas analyzers being hijacked, TrapX security products installed in the hospital revealed the breach. The report describes this healthcare institution having strong security systems and experienced IT professionals. 

TrapX acquired an older version of the product from Nova Biomedical  - one of the makers of the blood gas analyzers hijacked in the hospital - to test its vulnerabilities and found that data was not encrypted. The report goes certain lengths not to assign blame on the manufacturer noting that "medical devices are FDA approved devices and additional software for cyber defense cannot be easily integrated internal to the device –especially after the FDA certification and manufacture."

Still, the report does charge more generally that, "We have observed that in some cases, the medical device manufacturer technicians are not trained or skilled sufficiently to handle complex security issues within an installed unit and prefer to instead replace the unit."

After running tests on an older version of a Nova Critical Care Express unit, TrapX professionals found that once hijacked, measurements could easily be manipulated even though in the hospital attack that had not occurred. Rather the device was used as a backdoor to enter the hospital network and gather information such as passwords.

In the second instance a picture archiving and communications system (PACS) had been hijacked at another hospital unbeknownst to hospital IT staff. This had occurred when a user within the hospital network had visited a malicious website. Finally, the third instance involved an X-ray system within a lab becoming infected with advanced malware. 

The main source of the problem seems to be that per FDA requirements, medical devices are closed systems and hospital staff cannot install 3rd party software on them.

So given the vulnerable ecosystem, what's to be done? TrapX has specific recommendations for healthcare institutions. Here are the top three:

The implication is clear. The onus is on hospitals and healthcare systems to push device makers to do more to make their devices more secure as they do not have access to the devices' operating systems. Here's Simon advising hospitals:

However, FDA also has a role in cybersecurity of devices and the report suggests that it can do more.

"The FDA also needs to consider taking the initiative to further spell out the responsibilities of the medical device manufacturers if and when dangerous malware infections such as the MEDJACK attack vector are suspected. Government intervention may be a necessary part of the solution to remediate and resolve MEDJACK," the report declared.

What becomes increasingly clear in the report is that bad actors are currently hijacking medical devices to acquired passwords that can be sold for top dollar but it is perfectly possible to actually manipulate these devices with disastrous results for patients.

Arundhati Parmar is senior editor at MD+DI. Reach her at [email protected] and on Twitter @aparmarbb