In-brief: serious breaches of hospital networks are almost certainly more common than has been reported, as compromised medical devices often hide the telltale signs of malware infection and data theft, according to a report from the security firm TrapX.
A report from the security firm TrapX. claims that attackers are using unprotected medical devices, including radiologic systems, to maintain a foothold on healthcare networks, avoiding detection by security software and IT staff.
The report, which will be released this week, combines details from TrapX customer engagements with health care firms and company-sponsored analysis of common medical devices, including the Nova Critical Care Express (CCX), a blood gas analyzer. According to the report, medical devices – in particular so-called picture archive and communications systems (PACS) radiologic imaging systems – are all but invisible to security monitoring systems and provide a ready platform for malware infections to lurk on hospital networks, and for malicious actors to launch attacks on other, high value IT assets.
Among the revelations contained in the report:
- A malware infection at a TrapX customer site spread from a unmonitored PACS system to a key nurse’s workstation. The result: confidential hospital data was secreted off the network to a server hosted in Guiyang, China. Communications went out encrypted using port 443 (SSL) and were not detected by existing cyber defense
software, so TrapX said it is unsure how many records may have been stolen. - A healthcare institution at which installed its technology was found to have the Zeus and Citadel malware operating from infected blood gas analyzers in the hospital’s laboratory, which were infected and provided a “backdoor” into the hospital’s network and were being used to harvest credentials from other systems on the network.
“The medical devices themselves create far broader exposure to the healthcare institutions than standard information technology assets,” the report concludes.
Radiologic and medical imaging systems such as the PACS were particularly useful because they are heavily used and critical to the operation of almost every department. Of the three systems that TrapX found infected at customer sites, one was a PACS, the second was a medical x-ray scanner and the third was a collection of blood gas analyzers in a healthcare institution’s laboratory
department used by critical care and emergency services.
To help validate its findings, TrapX acquired and tested a NOVA CCX blood gas analyzer of the type it encountered in the customer environments. As with the deployed devices, TrapX chose the version of the CCX for Windows 2000, which was the model used in customer settings. And, in fact, Windows 2000 is the choice for “many medical devices.” The version that TrapX obtained “did not seem to have been updated or patched in a long time,” the company writes.
“Based upon our experience and understanding of MEDJACK, our scientists believe that a large majority of hospitals are currently infected with malware that has remained undetected for months and in many cases years. We expect additional data to support these assertions over time.” — TrapX Security
The TrapX team analyzed the CCX device, using an attack scenario based on what the company had observed in customer settings. Namely: malware infection and lateral movement by human attackers and automated malware.
[Read more Security Ledger coverage of medical device security here.]
No surprise: the device proved an easy target. TrapX’s team was able to use an exploit for a known weakness in the Windows 2000 operating system to establish what TrapX refers to as a “pivot” – or point of control- on their test network from which they could attack other systems. After creating a backdoor into the device, TrapX researchers added a new user to the system and decrypted the local user password. The company was then able to extract the database files that would contain medical information.
TrapX said the problem of insecurity with these devices is manifold. For one: there are no true “security products” designed to run on medical devices. Beyond that, hospitals may worry that software updates to these systems may jeopardize their FDA certifications – a belief that TrapX and others have noted is false.
The research is just the latest to raise serious concerns about the safety of software running critical medical devices and management systems within hospitals and other clinical settings. In May, for example, independent researcher Jeremy Richards wrote a detailed analysis of the Hospira LifeCare PCA 3 drug infusion pump, calling it the “least secure IP enabled device” he had ever worked with.
Among other things, Richards noted that the device was listening on Telnet port 23. Connecting to the device, he was brought immediately to a root shell account that gave him total, administrator level access to the pump. “The only thing I needed to get in was an interest in the pump,” he said.
The TrapX research echoes some of Richards’ findings. In addition to running on unpatched Windows 2000 systems, the NOVA CCX devices use default SQL database administrator (DBA) permissions to protect access to the device’s back-end database, which holds patient data. Additionally, the device backed up its database to the local drive of the Windows system it was connected to – providing a wealth of data to anyone who compromised that system.
TrapX said the implications of its research were dispiriting. Simply put: the presence of medical devices on healthcare networks may make them more vulnerable to attack, especially now that sophisticated actors have set their sites on healthcare data. Echoing a statement that has now become a mantra in the information security field, the TrapX reports suggests that the healthcare field is divided into hospitals that have been hacked and those that haven’t yet discovered that they’ve been hacked.
“Based upon our experience and understanding of MEDJACK, our scientists believe that a large majority of hospitals are currently infected with malware that has remained undetected for months and in many cases years. We expect additional data to support these assertions over time,” the report reads.