This year has already been marked by data breaches at multiple major healthcare organizations, including CareFirst BlueCross BlueShield and Anthem. While these providers have pointed to various causes and attacks as the source of their compromises, not yet has it become prominent news that medical organizations' devices might be the true culprit behind many already and soon-to-be-discovered breaches.
A report from TrapX found that a majority of organizations are vulnerable, if not already victim to MEDJACK, or “medical device hijack.” Essentially, the company wrote, attackers maneuver though healthcare systems' main networks by initially exploiting outdated and unpatched medical devices, such as an X-ray scanner or blood gas analyzer. They build backdoors into the systems through these internet-connected devices.
“Our scientists have observed that you could manufacture an attack, designed specifically for several models of a specific medical device, and then launch that attack,” wrote Carl Wright, general manager at TrapX in an email to SCMagazine.com. “That, combined with the difficulty in diagnosis and remediation, and the very high value of healthcare data, create a near perfect target for organized crime.”
Through various case studies, TrapX found that while many hospitals, for example, maintain solid IT departments with firewalls and other security solutions, these vulnerable medical devices are often left without patching. Generally, the security team is unable to fully view the device console or operating system, and because these machines often run for days, there's never a time to disconnect them entirely.
Plus, most defense suites don't protect the devices, and even if they did, TrapX wrote, things can get messy when unanticipated security software is added to a device. It could impact FDA approval or create additional liability for the hospital.
“Every malware infection that connects a network to an outside attack, in the United States, is a serious event and most likely would be categorized by that healthcare institution as a security event under their HIPAA operating procedures,” Wright said. “Given that patient data is at risk, the medical device manufacturer needs to indicate exactly how they will respond to mitigate the situation so that a data breach can be contained or stopped, and normal hospital operations can resume.”
Wright noted that healthcare organizations, once aware of the MEDJACK threat, need to devise a security strategy. Additionally, professionals should ask the device vendors how they support and can help mitigate these attacks. Ask if they are using digitally signed software, he said, and evaluate the devices' lifecycles to determine whether it might be time to purchase new products.
This is not a problem going away any time soon, Wright said. Nearly every time his team went into a healthcare institution, it found instances of MEDJACK, which, more often than not, was unknown to the administrative and IT teams.