Attackers targeting medical devices to bypass hospital security

A preview copy of a report from TrapX Labs, which will be released later this month, highlights three successful attacks against healthcare organizations.

The incidents prove that defending assets in a healthcare environment isn’t as easy as some would have you think. In fact, given the wide range of devices on a given network, it can be nearly impossible.

Last year, Community Health Systems had an incident that resulted in the compromise of 4.5 million records. It served as a reminder that medical information was an important commodity to criminals.

In March of this year, the Identity Theft Resource Center (ITRC) tagged healthcare as the source of 33-percent of all listed incidents nationwide, noting that nearly 100 million healthcare records were compromised in the U.S. alone in Q1 2015.

And yet, within a given healthcare environment, most devices can’t leverage traditional security solutions.

A hospital, for example, can’t install their local security suites or various offerings on these devices, as they’re managed by the manufacturer or contracted party. Because of this, TrapX says in their report, problem resolution was delayed in at least one case due to the fact that the hospital’s IT staff couldn’t access the equipment.

“It could take weeks to handle these security incidents because of both scheduling and access to the manufacturer’s resources. Once the malware was removed, we found the medical devices could be re-infected fairly quickly,” the report explains.

Most medical devices are placed behind a firewall and believed to be secure, as the organization has all the standards (AV, IDS, Firewall, etc.) in place. The devices are treated as black boxes by IT, and are generally not accessible to them at all. And again, if a problem is suspected, IT needs to get the manufacturer’s support in order to address it.

The TrapX report singles out two examples of where existing security measures failed to protect the healthcare organization in question; and in each case the protective measures being used by the hospital were either too late or missed the attack completely.

Blood Gas Analyzer

The first example focuses on a hospital that, by all accounts, didn’t have any problems on the network. According to the report, the hospital had a “strong industry suite of cyber defense products. This included a strong firewall, intrusion detection (heuristics based), endpoint security and antivirus and more.”

Yet, shortly after monitoring began, TrapX detected signs of a persistent attack on their network. Forensics determined that the attacker was moving around and looking for targets, but the origin of the attack is where the story gets interesting.

As it turns out, the attacker had compromised three different Blood Gas Analyzers (BGA) in the hospital’s lab.

They were all infected separately with backdoors that allowed the attacker to enter and pivot through to the network. Each unit was several years old, and ran on an older version of Windows.

Testing by TrapX showed that an infected device would expose all of its data in clear text, but it’s unknown if the attackers paid any attention to that flaw. Instead, it’s likely they used the BGA as a launching point.

Malware from the Zeus and Citadel families were discovered, as well as COTS malware that was repackaged to avoid signature detection. Although the investigation concluded that data was being exfiltrated to a location within Europe, the number of records compromised remains unknown.

“The medical devices themselves create far broader exposure to the healthcare institutions than standard information technology assets. It is the ideal environment upon which to launch persistent attacks with the end goal of accessing high value data. This exposure is not easily remediated, even when the presence of malware is identified conclusively,” the report said.

Radiology

The second example involves a picture archive and communications system (PACS) in the radiology department of a different healthcare organization. The hospital had the same defenses as the previous example. However, as was the case before, while things looked clean, TrapX discovered differently once they began monitoring.

The PACS was being used as the access point to the network while the attacker was hunting for other targets. A PACS offers the radiology department storage and access to images originating from multiple sources, such as CT scanners, MRI scanners, X-RAY, and ultrasound equipment. Essential for hospital operations, the PACS makes a perfect pivot point for a persistent attacker.

In this case, the PACS infection was the byproduct of the original attack, which happened as a user visited a malicious website – i.e. a drive-by-download. In this case, the hospital’s defenses discovered and removed the original malware, but not before the PACS was infected.

Also, none of the defense mechanisms were able to scan the PACS properly, and that lack of visibility helped prolong the incident and gave the attackers a place to hide.

During the investigation into this incident, it was discovered that a key nurse’s workstation was infected. Confidential records were being exfiltrated over port 443 to a location within Guiyang, China. But it’s uncertain how many records in total were successfully exfiltrated before the attack was stopped.

Concluding their report, TrapX says they “believe that a large majority of hospitals are currently infected with malware that has remained undetected for months and in many cases years. We expect additional data to support these assertions over time.”

The problem is that visibility is almost impossible, and without that, the defenses that hospitals use are weakened, if not outright ineffective.

“You cannot easily detect malware on a system which you cannot scan. The primary reason for this problem is centered on the fact that medical devices are closed systems. As FDA certified systems, they not open for the installation of additional 3rd party software by the hospital staff,” the report says.

“Finally, even when sophisticated attacks are detected it is still very difficult to remove the malware and blunt the attack without the full cooperation of the medical device manufacturer. The outgoing IP addresses can be shut down, but removal of the malware is a tricky proposition.”

As mentioned, full report – including a recreated attack on a NOVA Critical Care Express (CCX) device – will be published later this month.