Report says "overwhelming majority of medical devices deployed within medical facilities are susceptible in varying degrees." And there's an important reason why, too.
MEDJACK 2: It sounds like a movie title, but it's all too real.
A new report on hospital data breaches reveals that hackers are now increasingly targeting medical devices that use legacy operating systems with known vulnerabilities.
The second annual report by TrapX Security, MEDJACK 2, explains how attackers have evolved, disguising sophisticated attacks within old malware wrappers to invade hospital networks, steal sensitive patient data, and sell it on the black market.
The company based last year's report on three simulated cyberattacks to show how vulnerable hospitals and medical devices were. This year, it reported on three hospital case studies of actual attacks detected between late 2015 and early 2016. The attacks contained numerous backdoors and botnet connections, giving hackers remote access from which to launch their attacks, and went undetected for months.
Windows 7 and later versions eliminated the vulnerabilities that the old malware used by these hackers sought to exploit, so the worm was free to seek out the older versions of Windows still running on some medical devices, which usually have no endpoint security software, the report says. The hackers apparently repackaged new, highly sophisticated tools and camouflaged them within the old worm.
"Attackers are intentionally moving to old variants of attack vectors to specifically target medical devices knowing they have no additional security protections," the security company says in its report. "The malware propagated by the attacker(s) was never detected by any endpoint security software."
The report lists North American hospitals that suffered cyberattacks in 2016. Hacked devices included systems used in radiation oncology, respiratory gating, fluoroscopy, picture archiving and communication, and x-rays.
Hospitals do not install security software on the medical devices themselves, for technical and liability reasons, the report says.
"Tampering with an FDA-approved device might impact operation in some unknown way," it adds. "No clinician or healthcare institution administrator wants to take on that risk."
Healthcare is now the most frequently attacked industry, beating out financial services, retail, and other industries, according to the 2016 Cyber Security Intelligence Index report by IBM. Healthcare organizations are struggling to keep pace with the number and sophistication of the attacks, TrapX added.
The company recommended that healthcare organizations implement strategies that review and remediate existing medical devices, better manage medical device end-of-life, and carefully limit access to medical devices.
In January, FDA issued an updated draft guidance for OEMs developing and building medical devices, recommending that device manufacturers take a number of important steps:
- Apply the 2014 National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity;
- Monitor cybersecurity information sources to identify and detect vulnerabilities and risk;
- Understand, assess, and detect the presence and impact of a vulnerability;
- Establish and communicate processes for vulnerability intake and handling;
- Clearly define essential clinical performance to develop mitigation tools that protect, respond to, and recover from the cybersecurity risk;
- Adopt a coordinated vulnerability disclosure policy and practice; and
- Deploy mitigation tools that address cybersecurity risk early and prior to exploitation.
Nancy Crotti is a contributor to Qmed.
[Sinister hands on keyboard image by User:Colin / Wikimedia Commons, CC BY-SA 4.0]