The trend of cyber crime is intensifying, as medical devices are used to infiltrate hospital networks. Cybersecurity experts examine how the latest attacks are growing more sophisticated and what healthcare networks and medtech vendors should do to fight back.
Cybersecurity experts have been keeping a close eye on cyber attacks within the healthcare industry, and the news isn't good for medical devices. In a new report, "Anatomy of an Attack--Medical Device Hijack 2" (MEDJACK 2), authors from TrapX Security made it clear that medical devices continue to be a source of weakness used by hackers to access hospital networks.
The report authors reviewed attacks that took place between late 2015 and early 2016 and highlighted the fact that the hackers used malware targeting older versions of Windows, making specific medical devices that still used these older versions prime targets. What's more, these devices do not have endpoint security software, and since workstations (with endpoint security software) using newer versions of Windows were not impacted, these attacks were not likely to be detected.
"Based upon the forensics from these case studies and others, we conclude that MEDJACK.2 attackers are intentionally moving to old variants of attack vectors to specifically target medical devices knowing they have no additional security protections," the authors wrote.
This week's report follows the publication of the MEDJACK 1 report a year ago, in which TrapX experts detailed situations where medical devices were hijacked to gain access to hospital networks. The latest MEDJACK 2 report points to more frequent, evolving cyber attacks that continue to exploit medical devices.
Carl Wright, executive vice president and general manager at TrapX Security, said in the report, "The attacker rapidly finds and exploits the medical devices to establish secure and clandestine backdoors from which to exfiltrate patient data, damage operations and then perhaps exit with a coup de grace such as a ransomware attack."
Greg Enriquez, CEO of TrapX Security, said in a press release, "MEDJACK 2 shows that MEDJACK 1 was not an anomaly but rather highlighted the beginnings of a growing trend, a trend that's become prevalent as attackers leverage sophisticated attack techniques to steal sensitive patient data while remaining undetected."
The MEDJACK 2 report points out that in 2016 there have already been cyber attacks at 18 North American hospitals and outlines examples from three hospitals involving a variety of capital equipment and imaging systems, including a radiation oncology system, an X-ray machine, and a picture archiving and communication system (PACS). In addition to these particular systems, the authors noted that other vulnerable devices include diagnostic equipment, therapeutic equipment, life support equipment, and others, often using old operating systems and proprietary internal software.
These hospitals were not inexperienced nor were they turning a blind eye to cybersecurity. Rather, the authors pointed out that one had "a very strong security operations team" and "had previously engaged several penetration testing teams." Another hospital had endpoint security, intrusion detection software, as well as gateway and internal firewalls implemented. The third hospital had "considerable experience in cyber security . . . and were using their current technology consistent with best practices."
"Medical devices are 'black boxes' and their internal software operations are not visible to the hospital cyber defense team. They run out of date operating systems, such as Windows 7 or Windows XP which are highly vulnerable and almost completely unprotected," the authors wrote.
While attackers could use the medical device "backdoor" to corrupt device data, measurements, or performance, the authors also pointed out that attackers have primarily focused on stealing patient data.
There are a number of ways hospital networks and medical device vendors can combat cyber attacks. Here are some of the report's recommendations:
- "Isolate your medical devices inside a secure network zone and protect this zone with an internal firewall that will only allow access to specific services and IP addresses."
- "Implement a strategy to review and remediate existing medical devices now."
- "Implement a strategy to rapidly integrate and deploy software and hardware fixes provided by the manufacturer to your medical devices."
- "Implement a strategy to procure medical devices from any vendor only after a review with the manufacturer that focuses on the cyber security processes and protections."
- "Implement a strategy for medical device end-of-life."
- "Implement a strategy to update your existing medical device vendor contracts for support, maintenance and specifically address malware remediation."
- "Manage access to medical devices, especially through USB ports."
- "Evaluate and favor medical device vendors that utilize techniques such as digitally signed software and encrypt all internal data with passwords you can modify and reset."
- "Improve your own ability, even when a device is selected, to allow your information security teams to test and evaluate vendors independent of the acquiring department."
- "Utilize a technology designed to identify malware and persistent attack vectors that have already bypassed your primary defenses."
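The first recommendation, a device zone behind an internal firewall that allows only specific services and IP addresses, can be checked against flow records with a default-deny allowlist. The sketch below is an added example, not code from the TrapX report; every address, port, and host role in it is constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

net = ipaddress.ip_network

class Rule(NamedTuple):
    src: ipaddress.IPv4Network   # who may initiate
    dst: ipaddress.IPv4Network   # who may be reached
    proto: str
    port: int

# All addresses, ports and roles below are constructed for illustration.
DEVICE_ZONE = net("10.50.0.0/24")
ALLOWLIST = [
    Rule(net("10.10.20.15/32"), net("10.50.0.10/32"), "tcp", 104),  # workstation -> PACS (DICOM)
    Rule(net("10.10.30.0/28"), DEVICE_ZONE, "tcp", 443),            # patch/management hosts
    Rule(DEVICE_ZONE, net("10.10.1.5/32"), "udp", 123),             # devices -> internal NTP
]

def permitted(src, dst, proto, port):
    """Default deny: a flow passes only if one rule matches all four fields."""
    return any(src in r.src and dst in r.dst and proto == r.proto and port == r.port
               for r in ALLOWLIST)

def audit(flows):
    """Return (direction, flow) for each zone-crossing flow that no rule allows.

    Each flow is (initiator_ip, responder_ip, proto, responder_port).
    Intra-zone traffic never crosses the internal firewall, so it is not judged here.
    """
    findings = []
    for flow in flows:
        src, dst = ipaddress.ip_address(flow[0]), ipaddress.ip_address(flow[1])
        src_in, dst_in = src in DEVICE_ZONE, dst in DEVICE_ZONE
        if src_in == dst_in:
            continue  # entirely inside or entirely outside the zone
        if not permitted(src, dst, flow[2], flow[3]):
            findings.append(("outbound" if src_in else "inbound", flow))
    return findings

# Constructed flow records (not from the report).
SAMPLE_FLOWS = [
    ("10.10.20.15", "10.50.0.10", "tcp", 104),   # allowlisted imaging traffic
    ("10.10.30.5", "10.50.0.22", "tcp", 443),    # allowlisted management traffic
    ("10.10.40.77", "10.50.0.10", "tcp", 445),   # unlisted peer and service
    ("10.50.0.22", "203.0.113.9", "tcp", 443),   # device initiating to an external address
    ("10.50.0.10", "10.50.0.22", "tcp", 445),    # intra-zone, not seen by the zone firewall
]

if __name__ == "__main__":
    for direction, flow in audit(SAMPLE_FLOWS):
        print(direction, *flow)
```

Outbound findings matter here because the devices carry no endpoint security software, so the zone boundary is the one place where a device that starts initiating connections becomes visible.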
Moshe Ben Simon, TrapX Security cofounder and vice president, said in the release, "Healthcare organizations need to implement strategies that review and remediate existing medical devices, better manage medical device end-of-life, and carefully limit access to medical devices. It becomes essential to leverage technology and processes that can detect threats from within hospital networks."