Hacked medical devices can pose direct dangers to patients but also serve as lairs from which malware finds its way into medical facilities\u2019 networks and persists even after initial attacks have been cleaned up, according to a new report.Because these devices haven\u2019t been designed with security as a priority, they have proven readily hackable. Beyond the immediate risk to patients, compromised connected devices can be used as a way to undermine other devices and steal valuable data, according to a report from TrapX.The problem is compounded by Food and Drug Administration (FDA) restrictions that limit adding security to these devices, uncertain cooperation from vendors who make them and the attractiveness of medical information as a target, the report says.Once compromised, these devices can be used to launch broader attacks against host networks. Because it may be difficult to detect malware on these devices, the malware can survive efforts to clean up the broader attacks. Then the hacked device can serve as a backdoor to launch further incursions. \u201cThe whole idea is to maintain persistence in the target environment,\u201d says Greg Enriquez, CEO of TrapX.Finding this malware and cleaning it up is made difficult by FDA rules that require these systems to be closed. \u201cAs FDA certified systems, they are not open for the installation of additional third-party software by the hospital staff,\u201d according to the TrapX report, so monitoring software can\u2019t be added. \u201cYou cannot easily detect malware on a system which you cannot scan.\u201dThe devices investigated by TrapX were critical to delivering healthcare, making it difficult to schedule time for remediation. \u201cThe outgoing IP addresses can be shut down, but removal of the malware is a tricky proposition,\u201d the report says. \u201cHospitals really don\u2019t want to impact the operation of these systems \u2013 they depend on these medical devices on a 24 hour, 7 day per week basis.\u201dThe very presence of these devices in networks may make the networks less secure, and attackers are drawn to these networks by the medical information they contain. \u201cFor all of these reasons we expect targeted attacks on hospitals to increase throughout 2015 and 2016,\u201d the report says.The TrapX report details three medical-device hacks at facilities it does not name for reasons of confidentiality. One involved blood-gas analyzers in a lab being used as a backdoor into the network. A second details the compromise of picture archive and communications system (PACS) that stores radiology images and makes them available to doctors and so is very well connected within the network. The third involved a backdoor installed in an X-ray system.The FDA is aware of these issues with medical devices and has said it will waive restrictions on some types of medical devices. In particular, as of February 2015 it is loosening up on regulations for medical device data systems (MDDS) such as the PACS described in the TrapX report.The FDA didn\u2019t do away with the regulations, it just stated that it won\u2019t enforce them, which means that from a network security standpoint, hospitals have more freedom to alter them in order to better secure them as network-attached devices. Even if those alterations adversely affect their functioning, the danger to patients is low, according to the FDA reasoning.As part of its investigation, TrapX showed how it could compromise a particular blood-gas analyzer and use it to pivot to other devices on the target network. The NOVA Critical Care Express was the device, which used Windows 2000 as its operating system.Enriquez says that he hasn\u2019t seen it in practice, but ransomware criminals targeting common operating systems could go after medical devices that use them, encrypting them and demanding payment for keys to unlock them.