After the Office of Personnel Management breach, medical data was labeled as the "holy grail" for cybercriminals intent on espionage. "Medical information can be worth 10 times as much as a credit card number," reported Reuters. And now to steal such information, hospital networks are getting pwned by malware-infected medical devices.
TrapX, a deception-based cybersecurity firm, released a report about three real-world targeted hospital attacks which exploited an attack vector the researchers called MEDJACK, for medical device hijack. "MEDJACK has brought the perfect storm to major healthcare institutions globally," they warned. "Medical devices complemented by the MEDJACK attack vector may be the hospital's weakest link in the chain."
In three separate hospitals, TrapX found "extensive compromise of a variety of medical devices which included X-ray equipment, picture archive and communications systems (PACS) and blood gas analyzers (BGA)." But "there are many other devices that present targets for MEDJACK. This includes diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), and life support equipment (heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and much more."
Hospital lab blood gas analyzer attack
Blood gas analyzers are often used in critical care situations or during surgery, the report said. An unnamed hospital had "a very strong industry suite of cyber defense products" which did not detect an attack, yet TrapX found that attackers were moving laterally through the networks by way of three malware-infected blood gas analyzers that had "enabled backdoors into the hospital networks." The attackers were exfiltrating confidential hospital data to a location within the European Community. TrapX found Zeus and Citadel malware, which was being used to harvest additional passwords within the hospital, as well as other worm variants. TrapX believes the lateral movement "may have enabled the infection of one of the hospital IT department's workstations."
When the TrapX Lab team used a Nova Biomedical CCX (Critical Care Express) unit to recreate the attack in a simulated attack environment, they discovered that the data on the device was not encrypted, either at rest or in transit. They "determined that once an attacker has established a backdoor within our target blood gas analyzer, or any other medical device, almost any form of manipulation of the unencrypted data stored and flowing through the device is possible. In summary, it is the position of TrapX Labs that the MEDJACK attack vector has the potential to distort or change internal data."
The report explained that medical devices "are closed devices, running out-of-date, closed, oftentimes modified and likely insecure operating systems such as Windows 2000, Windows XP or Linux. That's why the MEDJACK attack vector presents a highly vulnerable target to attackers on a global basis. The defenders cannot easily get in to detect or remediate an attack. On the other hand the attackers have an open door." So once "the attacker can get into the network and bypass existing security, they have a time window to infect a medical device and establish a backdoor within this protected (and safe) harbor."
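Because the devices themselves cannot be instrumented, the practical detection point for the pattern described above is the network: a blood gas analyzer has a small, fixed set of legitimate peers (its PACS or lab information system), so any flow from the device segment to the Internet, to the IT workstation segment, or to another device is worth an alert. The script below is an added example, not code from the TrapX report or from Computerworld; the subnets (10.20.0.0/16 for devices, 10.30.0.0/16 for IT workstations, 10.10.5.0/24 for the servers the devices are allowed to reach) and the flow records are constructed for illustration, with a documentation-range address standing in for the external exfiltration target.

```python
"""Flag MEDJACK-style traffic originating from a medical-device network segment.

Added example, not part of the TrapX report or the article. The network layout and
the flow records below are constructed assumptions used only to exercise the logic.
"""
import ipaddress
from collections import defaultdict

# Network layout: an assumption for this example, not taken from the TrapX report.
MEDICAL_NET = ipaddress.ip_network("10.20.0.0/16")       # X-ray, PACS clients, BGAs
IT_WORKSTATIONS = ipaddress.ip_network("10.30.0.0/16")   # hospital IT staff machines
EXPECTED_PEERS = [ipaddress.ip_network("10.10.5.0/24")]  # PACS / LIS servers devices must reach
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "timestamp src dst dport bytes_out". 203.0.113.0/24 is a
# documentation range standing in for the report's unnamed destination in Europe.
SAMPLE_FLOWS = """\
2015-06-01T02:14:05 10.20.3.11 10.10.5.20 443 1200
2015-06-01T02:14:09 10.20.3.11 203.0.113.45 443 4800000
2015-06-01T02:15:30 10.20.3.11 10.30.7.42 445 8192
2015-06-01T02:16:02 10.20.3.12 10.10.5.20 443 900
2015-06-01T02:16:44 10.20.3.12 10.30.7.42 445 4096
2015-06-01T02:17:10 10.30.7.42 10.10.5.20 443 300
2015-06-01T02:18:55 10.20.3.13 10.20.3.11 139 2048
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts with typed addresses."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": ts,
                      "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "dport": int(dport),
                      "bytes": int(nbytes)})
    return flows


def classify_flow(flow):
    """Return a finding label for a device-originated flow, or None if it is expected."""
    src, dst = flow["src"], flow["dst"]
    if src not in MEDICAL_NET:
        return None                   # only traffic sourced from the device segment is in scope
    if not any(dst in net for net in PRIVATE_NETS):
        return "external_egress"      # a lab analyzer has no business talking to the Internet
    if dst in IT_WORKSTATIONS:
        return "lateral_to_it"        # device reaching into the IT workstation segment
    if any(dst in net for net in EXPECTED_PEERS):
        return None                   # PACS / LIS traffic is the device's normal job
    return "unexpected_peer"          # device-to-device or other unexplained destination


def find_suspicious(flows):
    """Aggregate findings per source device, including bytes sent to external hosts."""
    report = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        label = classify_flow(flow)
        if label is None:
            continue
        dev = report[str(flow["src"])]
        dev[label] += 1
        if label == "external_egress":
            dev["bytes_external"] += flow["bytes"]
    return {dev: dict(findings) for dev, findings in report.items()}


if __name__ == "__main__":
    for dev, findings in sorted(find_suspicious(parse_flows(SAMPLE_FLOWS)).items()):
        print(dev, findings)
```

Run against the constructed records, the two analyzers 10.20.3.11 and 10.20.3.12 are flagged for reaching an IT workstation over port 445, 10.20.3.11 additionally for a 4.8 MB upload to an external address, and 10.20.3.13 for contacting a neighbouring device, which is the worm-propagation pattern TrapX describes. The IT workstation's own traffic to the PACS server is ignored because the rule only scores flows that originate inside the device segment; in a real deployment the allow-list of expected peers would come from the device inventory rather than a hard-coded constant.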