Cybercriminals are taking advantage of hospital legacy system security vulnerabilities and are installing malware on medical devices such as blood gas infusers. The malware is used to steal data or launch attacks on other parts of healthcare networks. Specialist devices operating on hospital legacy systems are being attacked with increasing frequency and, in many cases, the attacks are going undetected for long periods of time. Once malware has been installed on the devices, hackers are able to conduct attacks from within the network.
The malware allows attackers to download a range of tools that serve as backdoors. They are able to move freely around the network and search for data. Many hospitals are completely unaware that their networks have been compromised and that they are under attack. When the attack is finally identified, it is often too late and data has already been stolen.
The Risk of Hospital Legacy System Security Vulnerabilities Being Exploited Is Considerable
In the past few days, researchers at TrapX Security have issued an update to a security report that was first released last year. In 2015, TrapX Security warned of the risk of medical devices being targeted by cybercriminals and of hospital legacy system security vulnerabilities being exploited.
The company’s researchers explained that many healthcare providers had been attacked via their medical devices and warned that additional protections needed to be put in place to prevent the devices from being used to gain access to otherwise secure networks. Security researchers call the attack vector MEDJACK – short for medical device hijack.
Medical devices often run on hospital legacy systems which cannot be changed or updated. Hospital legacy system security vulnerabilities are often allowed to go unpatched. Hospitals have addressed some of these vulnerabilities and have implemented a host of new security controls to block attacks and detect malware. However, TrapX Security has reported that cybercriminals are managing to bypass these new security controls using old malware.
Old Malware Being Used to Gain Access to Healthcare Data
Researchers have discovered that security software is failing to identify the threat from old malware. These old malware variants may not be effective against the latest operating systems which have had the vulnerabilities that they exploit plugged. However, they are still effective against hospital legacy systems.
The researchers discovered that some attackers had used the MS08-067 worm, which exploits vulnerabilities in early versions of Windows. The vulnerabilities were addressed in Windows 7 and the worm is no longer considered a security risk. Even if security software detects the worm, since it is not believed to pose a risk, it is either not flagged or the security alert is ignored. However, medical devices are vulnerable if they run on older operating systems. Attackers have also embedded highly sophisticated tools in the worm. Even if the threat is detected, security software does not recognize that the risk of attack is actually high.
TrapX Security has warned that these infections are going undetected for long periods of time due to a lack of security on medical devices or the operating systems on which they run. Consequently, attackers can steal sensitive medical data over long periods of time. Unfortunately, once a backdoor has been installed, it can be difficult to detect. Many security systems do not scan medical devices for malware, and lateral movement within the network is similarly difficult to detect.
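As an added illustration of the triage gap described above (this is not code from the TrapX report or any vendor product), the following Python re-scorer raises the severity of an alert when an old signature such as MS08-067 hits a medical device whose operating system never received the fix, or when the alert's source is a medical device, which should never originate attack traffic. The asset inventory, addresses and the key=value alert line format are constructed for the example.

```python
import re
from typing import Optional

# Constructed asset inventory (hypothetical addresses and OS versions).
ASSETS = {
    "10.20.5.11": {"role": "medical_device", "os": "Windows XP Embedded", "patchable": False},
    "10.20.5.12": {"role": "medical_device", "os": "Windows 7", "patchable": True},
    "10.20.9.40": {"role": "workstation", "os": "Windows 10", "patchable": True},
}

# OS families that never received the fixes shipped in later Windows versions.
LEGACY_OS_PREFIXES = ("Windows 2000", "Windows XP", "Windows Server 2003")

# Old signatures that vendors tend to rate low because the bug is patched upstream.
OLD_SIGNATURES = {"MS08-067"}

ALERT_RE = re.compile(
    r"sig=(?P<sig>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sev=(?P<sev>\w+)"
)


def is_legacy_device(asset: Optional[dict]) -> bool:
    """True for a medical device on a legacy OS or one that cannot be patched."""
    return asset is not None and asset["role"] == "medical_device" and (
        asset["os"].startswith(LEGACY_OS_PREFIXES) or not asset["patchable"]
    )


def rescore(line: str) -> Optional[dict]:
    """Return the alert with a context-aware severity, or None if unparseable."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    sig, src, dst, sev = m["sig"], m["src"], m["dst"], m["sev"].lower()
    reason = "vendor default severity"
    src_asset, dst_asset = ASSETS.get(src), ASSETS.get(dst)
    if src_asset and src_asset["role"] == "medical_device":
        # A device originating suspicious traffic is a sign it is already compromised.
        sev, reason = "high", "possible lateral movement from medical device"
    elif sig in OLD_SIGNATURES and is_legacy_device(dst_asset):
        # An old exploit aimed at an OS that never got the fix is a live threat.
        sev, reason = "high", "old exploit against unpatched legacy device"
    return {"sig": sig, "src": src, "dst": dst, "severity": sev, "reason": reason}


def triage(lines) -> list:
    """Re-score every alert line and return only the high-severity ones."""
    return [a for a in map(rescore, lines) if a and a["severity"] == "high"]


# Constructed sample alerts in the simplified key=value format above.
SAMPLE_ALERTS = [
    "sig=MS08-067 src=10.20.9.40 dst=10.20.5.11 sev=low",
    "sig=MS08-067 src=10.20.9.40 dst=10.20.5.12 sev=low",
    "sig=SMB-probe src=10.20.5.11 dst=10.20.9.40 sev=info",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_ALERTS):
        print(alert)
```

The second sample stays low because the target runs Windows 7 and is patchable; the first and third are escalated.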
To prevent attacks on medical devices, healthcare organizations should, as far as is possible, isolate the devices and only run them inside a secure network zone. That zone should be protected by an internal firewall, and the devices should not be accessible via the Internet. If patches and updates are available, they should be installed to address hospital legacy system security vulnerabilities. If medical devices cannot be updated and have reached end-of-life, they should be retired and replaced with devices that have the necessary protections to prevent device hijacking.