News Feature | June 10, 2015

Medjacking: How Hackers Use Medical Devices To Launch Cyber Attacks

By Jof Enriquez,
Follow me on Twitter @jofenriq

hack

Hackers are infecting a wide array of medical devices with malware and using them as pivot points to launch cyber attacks on healthcare IT systems, according to a report by cybersecurity firm TrapX.

Computerworld, citing the TrapX case studies, reported that hackers targeted at least three hospital systems by infecting devices and equipment with malware, creating a backdoor vulnerability called “medjack” (medical device hijack) that can be exploited by nefarious parties.

In the first case, involving an unnamed hospital, TrapX said hackers were able to plant malware in surgical blood gas analyzers. The hackers then used the equipment as a backdoor to find passwords throughout the hospital's IT system, and to leak sensitive information out of the system and into the Internet. Once established, the vulnerability allows hackers to manipulate unencrypted data stored inside the devices.

Another hospital's picture archive and communications systems (PACS) — which stores images from CT scanners, MRI scanners, X-ray machines, and ultrasound equipment — reportedly was used by hackers to move laterally into other parts of the hospital's network. The third case involved hackers creating a back-door access point through a hospital's X-ray system.

According to Computerworld, TrapX described many commonly used medical devices as "closed devices, running out-of-date, closed, often times modified and likely insecure operating systems such as Windows 2000, Windows XP or Linux."

TrapX claims that healthcare IT teams are unable to access the outdated software installed in the devices, making those devices alluring hacking targets and ideal pivot points from which hackers can launch future, system-wide attacks to acquire sensitive information about patients and organizations.

"Our scientists have observed that you could manufacture an attack, designed specifically for several models of a specific medical device, and then launch that attack," said Carl Wright, executive VP and GM of worldwide sales for TrapX, in an interview with SC Magazine. "That, combined with the difficulty in diagnosis and remediation, and the very high value of healthcare data, creates a near perfect target for organized crime."

In its cybersecurity report, TrapX warned that, “medjack has brought the perfect storm to major healthcare institutions globally. Medical devices complimented by the medjack attack vector may be the hospital’s ‘weakest link in the chain.’”

Medical equipment and device manufacturers have been encouraged to beef up security features of their products amid a spate of hacking incidents targeting private and government IT systems.

Although the FDA has said it has yet to discover a case where a patient was directly harmed as a result of a cybersecurity incident, some experts believe it's just a matter of time. Plausible scenarios include insulin pumps being hacked to deliver a fatal dose of insulin, or defibrillators deliberately disabled and unable to deliver shocks to correct arrhythmias.

The FDA has been pushing device manufacturers to prioritize cybersecurity in the design and development of increasingly interconnected medical devices, and to collaborate on ways to mitigate the risks to patients and organizations. To that end, the agency has released guidance on cybersecurity for manufacturers, advising how to implement safeguards and respond to cyber threats.

Until devices feature more robust security defenses, experts believe cases of hacking and data breaches utilizing unsecured medical devices will become more common, especially as medical information can be worth 10 times as much as a credit card number, according to Reuters.

"This is going to get worse before it gets better," Wright told the news outlet.