
Hospitals Falling Victim to Old Malware

Security experts confirm that a growing number of cyber-attacks continue to hit hospitals, threatening unpatched medical devices.

In late 2015, MaineGeneral Health, a new state-of-the-art hospital located in Augusta, Maine, reported that it had fallen victim to a cyberattack that leaked the names, addresses, and phone numbers of patients of its radiology services since June 2009. The attack is one of many in the past year in which targeting of the medical industry, particularly hospitals, is on the rise. According to MaineGeneral Health, the hospital had a robust security plan in place and was continuously patching network vulnerabilities.

Though there are few details about the specifics of the breach, the fact that the radiology department was the epicenter of the breach may offer clues as to how the attackers were able to break through the hospital’s defenses.

In February 2015, a dire warning was published in the American Journal of Roentgenology stating that radiologists and the medical industry “need to urgently review and rectify security issues in existing networked medical equipment.” The team behind the warning found that forty-four percent of the 144 devices it tested had at least one critical vulnerability and at least eighty-three percent had at least one high-risk vulnerability. The team noted other significant findings such as unsecured USB ports and insecure implementations of VPN access. Later in September, security researchers Scott Erven and Mark Collao demonstrated at DerbyCon how easy it was to find misconfigured medical devices using the Shodan search engine. Searches on terms such as “radiology” yielded a hacker’s treasure trove of Internet-connected, misconfigured medical devices still using the default usernames and passwords set by the manufacturer.

Just this week, TrapX Labs, a San Mateo based security research group, released a follow-up to its May 2015 report on cyber-attacks against hospitals through unpatched medical devices, drawing attention across the medical industry. MEDJACK, TrapX’s code name for medical device hijacking, is the art of hiding sophisticated cyberattack tools inside legacy malware. In its research, TrapX discovered hackers hiding their tools in an old variant of the Conficker worm. Because of its age, the worm largely goes unnoticed by network defenses, yet it easily infects the legacy software often found on medical devices.

These devices are difficult to patch, or are sometimes ignored by security teams who delegate patching to vendors under contractual agreements. Once infected, a radiation oncology system becomes a gateway for hackers and a pivot point from which to launch more sophisticated attacks against the rest of the network.

TrapX’s report comes at a time when the healthcare industry is reeling from a series of high-profile attacks. Hollywood Presbyterian Hospital, Methodist Hospital in Henderson, Kentucky, Chino Valley Medical Center, and Desert Valley Hospital are just a few of the medical facilities hit by a wave of Cryptolocker attacks, costing an untold amount in ransom and cleanup.

Then there’s MedStar, the Washington D.C. based hospital chain whose infrastructure was crippled by a virus in late March. According to one report, some 35,000 employees could not access email or patient records. The cybercriminals behind the attack demanded 45 Bitcoins, at the time worth US$45,000, to unlock its systems and threatened to destroy the private key needed to decrypt MedStar’s data if payment wasn’t made within ten days. Interestingly, the hackers also gave MedStar the option of releasing one computer at a time for 3 Bitcoins – how nice of them. It is unknown whether MedStar paid the ransom, but four days later the chain reported it had recovered “90 percent of its functionality.”

The medical industry has become fertile ground for cybercriminals, and it appears to be lagging behind other critical infrastructure sectors, such as financial services, that have focused on hardening their networks for years. Hospitals are a smorgasbord of personally identifiable information and payment systems, which makes them attractive to snoops, thieves, and extortionists alike.

Security initiatives in hospitals are mainly driven by privacy and compliance requirements, which may explain why the industry lags behind others in building robust defense mechanisms. With 5,627 registered hospitals in the US alone, more than half of them not-for-profit community hospitals operating on tight budgets, it is no wonder security measures are falling behind, but relief may be on its way.

In December of last year, the US Congress passed a US$1.1 trillion spending bill that funds the establishment of a healthcare industry cybersecurity task force. In April, NIST fellow Ronald Ross promised that new best practices for the medical industry are forthcoming, putting into motion new privacy and security controls that may help hospitals protect their networks.

TrapX concludes its report with a series of best practices that the medical industry can initiate today. Network segmentation and device isolation, sound patching plans, and choosing vendors that focus on securing their devices are a good place to start. However, until new industry-wide programs and funding are in place, attacks against the medical sector are likely to keep increasing.

Written by: Rick Gamache

Rick Gamache is a freelance writer with 25 years’ experience in the cyber security field. His past roles include Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy’s destroyer program. Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine, and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate to global supply chains.

LinkedIn – https://www.linkedin.com/in/rick-gamache-cissp-021ab43

Twitter – https://twitter.com/thecissp


Pierluigi Paganini

(Security Affairs – Hospitals, malware)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years’ experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
