News Feature | June 26, 2015

Details And Insight For VARs: Medical Devices And Security Risk

By Megan Williams, contributing writer


Medical devices are key pivot points that attackers target in cyberattacks. They are an area of notable vulnerability for all hospitals and healthcare networks, giving attackers the ability to inject malicious software and eventually remotely control your clients’ medical equipment.

To shed light on what actually goes on in one of these attacks, TrapX (a leader in the delivery of deception-based cybersecurity defense) has recreated an attack scenario and released the resulting report series, “The Anatomy Of An Attack,” as proprietary research into critical information security issues. (Report available here for download)

Solutions providers interested in a detailed analysis of an actual attack, as well as in identifying potential weaknesses of their clients, will find this report particularly useful.

The Report

The report covers an overview of healthcare networks, case studies on three attacks (collectively referred to as “MEDJACK”), a recreation of the attack on the Nova Critical Care Express units, a review of the obfuscation of malware in healthcare attacks, and analysis and recommendations around responding to attacks and weaknesses.

It also explains:

  • Why medical devices are critical points of attack
  • How attacks happen
  • How attackers extend command and control points into hospital record breaches over a period of time

The research comes from firsthand data on incidents documented within the TrapX security operations center and focuses on attacks against devices that were installed on hospitals’ hard networks.

The Case Studies

Vendors will want to pay particular attention to the three case studies (beginning on page 13). The case studies feature attacks on:

  • A blood gas analyzer
  • Picture Archive And Communications Systems (PACS), where the customer had a “typical industry suite of cyber defense products” installed
  • X-ray systems

The Nova Attack

The report centers on the attack on Nova Biomedical and their Critical Care Express units, in which Zeus malware and Citadel malware were used to pull passwords from the hospital network.

To conduct their research, TrapX Labs pulled a used Nova CCX and used the device to recreate an attack with the purpose of documenting how that device could be used as a pivot point for installing malware. Specific devices that are targeted in hospitals include:

  • PET/CT scanners and MRI machines
  • Infusion pumps, medical lasers, and LASIK surgical machines
  • Life support equipment

They are vulnerable because of their tendency to run standard and outdated operating systems along with the devices’ proprietary internal software.

Executive Insight

According to TrapX general manager, Carl Wright, “Healthcare data presents an attractive target for organized crime. Healthcare records are the new credit card, providing cyber thieves much larger returns on their breach activities. MEDJACK enables them to exploit this opportunity rapidly and effectively target the largest healthcare and life sciences institutions on a global basis.”