Malicious hackers used unprotected medical devices to break into hospital IT systems in at least 3 instances discovered by a cybersecurity firm, in attacks the firm calls “medjacks,” as medical data becomes a holy grail for organized crime.
A trio of case studies by San Mateo, Calif.-based TrapX Security revealed that hackers can use medical devices linked to hospitals’ IT systems to break in and steal data.
“Medical devices have become the key pivot points for the attackers within healthcare networks. They are visible points of vulnerability in the healthcare enterprise and the hardest area to remediate even when attacker compromise is identified. These persistent cyber-attacks threaten overall hospital operations and the security of patient data,” TrapX researchers wrote.
The attacks documented by TrapX included 1 in which a blood gas analyzer served as the “pivot point” for breaking into the hospital’s system. Another case involved a hospital’s picture archiving & communication system (PACS); in the 3rd the hackers used an X-ray scanner, the company said. Other common medical devices that could be compromised include PET scanners, CT scanners, MRI machines, infusion pumps, medical lasers, heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis devices, TrapX warned.
“Attackers know that medical devices on the network are the easiest and most vulnerable points of entry. The medjack is designed to rapidly penetrate these devices, establish command and control and then use these as pivot points to hijack and exfiltrate data from across the healthcare institution,” TrapX co-founder & vice president Moshe Ben Simon said in prepared remarks. “TrapX Labs strongly recommends that hospital staff review and update their contracts with medical device suppliers. They must include very specific language about the detection, remediation and refurbishment of the medical devices sold to the hospitals which are infected by malware. They must have a documented test process to determine if they are infected, and a documented standard process to remediate and rebuild them when malware and cyber attackers are using the devices.”
According to TrapX, the security gap that makes medjacking effective is that the security software running elsewhere on a hospital’s protected network can’t be installed on the medical devices themselves. Once an attacker has breached the network and bypassed the existing security, they have a window to infect a medical device and “establish a backdoor within this protected (and safe) harbor,” where no agent is watching.
Remediating the breach is difficult because it requires access to the internals of the medical device, and the expertise to work with them is not commonly found in either hospital personnel or the medical device reps that service the equipment, TrapX said.
“This access to internal memory may not be achieved without considerable support from the manufacturer. Or as we have seen, the healthcare IT team does not have access to these devices as they are maintained under contract and controlled by the medical device manufacturer,” according to the report. “Of course, standard support agreements between the hospital and the medical device manufacturer pertain to product functionality, but may not address infection by malware in the hospital’s networks nor to remediation and repair in these extreme circumstances. We have observed that in some cases, the medical device manufacturer technicians are not trained or skilled sufficiently to handle complex security issues within an installed unit and prefer to instead replace the unit.”
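Because the device itself can’t host security tooling, the compensating control is to watch the traffic the device originates. The following is an added example written for this article, not code from TrapX or its report. It assumes a constructed medical-device VLAN (10.20.0.0/24), a hypothetical per-device allow-list of expected peers (in practice taken from the device’s DICOM/HL7 integration documentation) and constructed flow records. A device that opens connections to external hosts, talks to an internal host outside its allow-list, or connects at clockwork intervals (the command-and-control beaconing described above) is flagged, and the bytes it sent outside the organization are totalled to size a possible exfiltration.

```python
"""Flow-level detection of a compromised ("medjacked") medical device.

Added example for this article; it is not code from TrapX or the report.
Medical devices usually cannot host endpoint security, so the compensating
control is to watch the traffic they originate: a device that talks to the
internet, to an internal host outside its documented peers, or at clockwork
intervals deserves a look.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed network layout (constructed for this example). The expected-peer
# allow-list would normally come from the device's DICOM/HL7 integration docs.
DEVICE_VLAN = ip_network("10.20.0.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
EXPECTED_PEERS = {
    "10.20.0.15": {"10.30.0.5"},                 # blood gas analyzer -> lab middleware
    "10.20.0.22": {"10.30.0.10", "10.30.0.11"},  # X-ray modality -> PACS servers
}


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds
    src: str
    dst: str
    dport: int
    nbytes: int   # bytes sent by src


def parse_flow(line):
    """Parse one constructed record: 'ts src dst dport nbytes'."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(int(ts), src, dst, int(dport), int(nbytes))


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def classify(flow):
    """Tags for a single flow; an empty list means nothing unusual."""
    if ip_address(flow.src) not in DEVICE_VLAN:
        return []                            # only flows *originated* by devices
    if not is_internal(flow.dst):
        return ["external-egress"]           # possible C2 or exfiltration
    if flow.dst not in EXPECTED_PEERS.get(flow.src, set()):
        return ["unexpected-internal-peer"]  # lateral movement from the device
    return []


def detect_beacons(flows, min_count=4, jitter=0.2):
    """(src, dst) pairs whose connection intervals are near-constant."""
    stamps = defaultdict(list)
    for f in flows:
        stamps[(f.src, f.dst)].append(f.ts)
    beacons = []
    for pair, ts in stamps.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= jitter * mean:
            beacons.append(pair)
    return beacons


def external_volume(flows):
    """Bytes each device sent outside the organisation (exfil sizing)."""
    total = defaultdict(int)
    for f in flows:
        if ip_address(f.src) in DEVICE_VLAN and not is_internal(f.dst):
            total[f.src] += f.nbytes
    return dict(total)


def analyse(lines):
    """Return {device_ip: set(tags)} for devices behaving out of profile."""
    flows = [parse_flow(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    alerts = {}
    suspicious = []
    for f in flows:
        tags = classify(f)
        if tags:
            alerts.setdefault(f.src, set()).update(tags)
            suspicious.append(f)
    # Beaconing is only scored on flows already out of profile, so a modality
    # polling its PACS on a timer is not flagged.
    for src, _dst in detect_beacons(suspicious):
        alerts[src].add("periodic-beacon")
    return alerts


# Constructed flow records: the analyzer behaves normally; the X-ray modality
# beacons to an external host every 60 s, then sends a large upload and probes
# an internal file server (TCP 445) it has no business talking to.
SAMPLE_FLOWS = """\
# ts   src         dst          dport nbytes
100    10.20.0.15  10.30.0.5    443   20480
400    10.20.0.15  10.30.0.5    443   18200
450    10.20.0.15  10.30.0.5    443   9900
900    10.20.0.15  10.30.0.5    443   22000
1000   10.20.0.22  10.30.0.10   104   524288
1000   10.20.0.22  203.0.113.7  443   1200
1060   10.20.0.22  203.0.113.7  443   1180
1120   10.20.0.22  203.0.113.7  443   1250
1180   10.20.0.22  203.0.113.7  443   1200
1240   10.20.0.22  203.0.113.7  443   3145728
1300   10.20.0.22  10.30.0.50   445   4096
1310   10.30.0.5   10.20.0.15   443   512
"""

if __name__ == "__main__":
    flows = [parse_flow(l) for l in SAMPLE_FLOWS.splitlines() if not l.startswith("#")]
    for device, tags in sorted(analyse(SAMPLE_FLOWS.splitlines()).items()):
        print(device, sorted(tags))
    print(external_volume(flows))
```

The allow-list is the part that needs care: a modality legitimately talks to its PACS, worklist and update servers on a schedule, so the beacon check is applied only to flows that already fall outside the device’s documented peers. Real deployments would feed this from a flow collector or span port on the device VLAN rather than a text file, but the logic is the same.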
Organized crime’s new holy grail: Medical data
Data from medical records and personnel files, experts say, is worth a lot more to cybercriminals than, say, credit card information. And the U.S. Office of Personnel Management breach revealed yesterday suggests cyberspies may now also be finding value in it.
Cyber investigators from iSight Partners said they had linked the OPM hack to earlier thefts of healthcare records from Anthem, a health insurance company, and Premera Blue Cross, a healthcare services provider. Tens of millions of records may have been lost in those attacks.
All 3 breaches have one thing in common, said John Hultquist of Dallas-based iSight. While cyberespionage usually focuses on stealing commercial or government secrets, these attacks targeted personally identifiable information.
The stolen data “doesn’t appear to have been monetized and the actors seem to have connections to cyberespionage activity”, said Hultquist, adding that none of the data taken in the earlier attacks had turned up for sale on underground forums.
A source close to the matter said U.S. authorities were looking into a possible China connection to the breach at OPM, which compromised the personal data of 4 million current and former federal employees. Several U.S. states were already investigating a Chinese link to the Anthem attack in February, a person familiar with the matter has said. China routinely denies involvement in hacking, and today a spokesman for the Foreign Ministry in Beijing said suggestions it was involved in the OPM breach were “irresponsible and unscientific.”
Hultquist said iSight could not confirm that China was behind the attacks, but similar methods, servers and habits of the hackers pointed to a single state-sponsored group.
Security researchers say that medical data and personnel records have become more valuable to cybercriminals than credit card data. The price of stolen credit cards has fallen in online black markets, in part because massive breaches have spiked supply.
“The market has been flooded,” said Ben Ransford, co-founder of security start-up Virta Laboratories.
The result: Medical information can be worth 10 times as much as a credit card number.
Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers. State-sponsored hackers may not be after money, but would also be interested in such data because they could then build a clearer picture of their target. That, said Philip Lieberman of security software company Lieberman Software, would increase the chances of any targeted email attack, or spear phish, successfully obtaining confidential data.
Others said that, given the data affected included job histories, those targets might be in other government departments. “It’s likely this is less about money and more about gaining deeper access to other systems and agencies,” said Mark Bower of HP Security Voltage, a data security company.
This interest in more granular data is pushing hackers of all stripes into more inventive ways of penetrating the defences of hospitals and other institutions holding such data. Other security researchers agreed that the type of attack unearthed by TrapX is becoming more common. Billy Rios, founder of security company Laconicly, said he had found infected systems while working with several healthcare organizations.
“Clinical software is riddled with security vulnerabilities,” he said.
A survey issued last month by the Ponemon Institute, a think-tank, said that more than 90 percent of the healthcare organizations surveyed had lost data, most of it to hackers.
“This is going to get worse before it gets better,” TrapX general manager Carl Wright said.
Material from Reuters was used in this report.