Medical device hijack

A medical device hijack (also called MEDJACK) is an advanced cyber attack first discovered in 2015. Organized crime groups target healthcare networks in order to access and steal patient records, and the weakness they exploit is the hospital's medical devices. The attack was covered extensively in the press in 2015 and 2016.[1][2][3][4][5][6][7][8][9][10][11]

Cyber Attack Overview

The attacker places malware within the network through a variety of methods (malware-laden website, targeted email, infected USB stick, socially engineered access, etc.) and the malware then propagates within the network. Most of the time existing cyber defenses clear the attacker tools from standard servers and IT workstations (IT endpoints), but the cyber defense software cannot access the embedded processors within medical devices. Most of the embedded operating systems within medical devices run on Microsoft Windows 7 and Windows XP, for which security support has ended, so they are relatively easy targets in which to establish attacker tools. Inside these medical devices the attacker finds safe harbor in which to establish a backdoor (command and control). It should be noted that because medical devices are FDA certified, hospital and cyber security personnel cannot access the internal software without perhaps incurring legal liability, impacting the operation of the device, or violating the certification. Given this open access, once the medical devices are penetrated the attacker is free to move laterally to discover targeted resources such as patient data, which is then quietly identified and exfiltrated.

Devices Impacted

Virtually any medical device can be impacted by this attack. In one of the earliest documented examples, testing identified malware tools in a blood gas analyzer, a magnetic resonance imaging (MRI) system, a computerized tomogram (CT) scanner, and X-ray machines. In 2016 case studies became available that showed attacker presence also in the centralized PACS imaging systems, which are vital to hospital operations.

Institutions Impacted

This attack primarily centers on the largest 6,000 hospitals on a global basis. Healthcare data has the highest value of any stolen identity data, and given the weakness of the security infrastructure within hospitals, this creates an accessible and highly valuable target for cyber thieves. Besides hospitals, the attack can impact large physician practices such as accountable care organizations (ACOs) and independent physician associations (IPAs), skilled nursing facilities (SNFs) for both acute and long-term care, surgical centers, and diagnostic laboratories.

Scope

Various assessments have determined that MEDJACK currently impacts over half of the hospitals worldwide and remains undetected in the bulk of them.

Detection and Remediation

These attacks are very hard to detect and even harder to remediate. Deception technology (the evolution and automation of honeypot or honeygrid networks) can trap or lure the attackers as they move laterally within the network. The medical devices typically must have all of their software reloaded by the manufacturer, because hospital security staff are neither equipped nor permitted to access the internals of these FDA-approved devices. Devices can become reinfected very quickly, since it only takes one compromised medical device to potentially re-infect the rest of the hospital.
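Because the device internals cannot be inspected, the practical detection signal is at the network layer: a device that talks to a decoy host or to an internal destination outside its known workflow. The script below is an added illustration of that logic, not code from the article or from any deception vendor; the subnet, device inventory, decoy addresses and flow records are all constructed assumptions.

```python
"""Flag medical-device hosts that touch a deception decoy or an internal
destination they never legitimately use. All addresses, device roles and
flow records here are constructed for illustration."""
from dataclasses import dataclass
import ipaddress

# Constructed inventory. The devices cannot be scanned, so the only facts
# available are their address and the servers each one is meant to reach.
DEVICE_SUBNET = ipaddress.ip_network("10.50.0.0/24")
EXPECTED_DESTINATIONS = {
    "10.50.0.10": {"10.10.0.5"},   # MRI -> PACS archive
    "10.50.0.11": {"10.10.0.5"},   # CT scanner -> PACS archive
    "10.50.0.12": {"10.10.0.7"},   # blood gas analyzer -> lab system
}
# Decoy hosts seeded by the deception platform; no legitimate flow uses them.
DECOYS = {"10.10.0.99", "10.10.0.100"}


@dataclass(frozen=True)
class Alert:
    device: str
    dest: str
    reason: str


def parse_flow(line):
    """Parse a constructed 'timestamp src dst dport' flow record."""
    ts, src, dst, dport = line.split()
    return ts, src, dst, int(dport)


def analyze(flow_lines):
    """Return one Alert per device-originated flow that is decoy or unexpected."""
    alerts = []
    for line in flow_lines:
        _, src, dst, _ = parse_flow(line)
        if ipaddress.ip_address(src) not in DEVICE_SUBNET:
            continue  # only traffic originating from the device subnet matters
        if dst in DECOYS:
            alerts.append(Alert(src, dst, "decoy touched"))
        elif dst not in EXPECTED_DESTINATIONS.get(src, set()):
            # an unknown device in the subnet alerts on every destination
            alerts.append(Alert(src, dst, "unexpected lateral destination"))
    return alerts


SAMPLE_FLOWS = [  # constructed records
    "2016-11-02T01:00:00Z 10.50.0.10 10.10.0.5 104",    # MRI -> PACS (DICOM), expected
    "2016-11-02T01:00:05Z 10.50.0.12 10.10.0.7 443",    # analyzer -> lab system, expected
    "2016-11-02T01:02:10Z 10.50.0.11 10.10.0.99 445",   # CT -> decoy file share
    "2016-11-02T01:02:11Z 10.50.0.11 10.20.0.30 3389",  # CT -> records host, never expected
    "2016-11-02T01:03:00Z 10.20.0.30 10.10.0.5 443",    # not a device, ignored
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_FLOWS):
        print(f"{a.device} -> {a.dest}: {a.reason}")
```

On the constructed flows only the CT scanner's two flows raise alerts; the decoy hit is the higher-confidence signal because nothing legitimate should ever address a decoy.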

References

This article is issued from Wikipedia - version of the 11/2/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.