A patient lies in a hospital bed waiting for a medical professional to conduct a blood gas analysis. Little does the patient know that his personal information is also undergoing a procedure.
The database that stores patient data was found unencrypted, default passwords were used, and the nature of the exploit was basic, according to TrapX Security, which was called in later to recreate and diagnose the issues at the unnamed hospital.
The technology research company recently released its findings in a report called "Anatomy of an Attack – Medical Device Hijack (MEDJACK)". The security company declined to name the three hospitals it examined, except to say they were located in the Western and Northeastern U.S. “The TrapX Labs cyber exploit team was able to remotely change readings in the exploited blood gas analyzer. We could change database records at will. Blood gas analyzers are often used in intensive care. These are patients generally quite ill, so any interference with the operation of the device could have negative consequences,” said Moshe Ben-Simon, co-founder and vice president of TrapX Security, adding that they have no evidence of any cyber attacker activities that physically harmed a patient.
Since the beginning of 2016, several hospitals and healthcare institutions have fallen victim to ransomware attacks, including MedStar Health, Kansas Heart Hospital and Hollywood Presbyterian Hospital. Personally identifiable information (PII) and medical records hold a value between 10 to 20 times more than credit card data.
Cybersecurity firm Dell Secure Works notes that cyber criminals get paid $20 to $40 for health insurance credentials, compared with $1 to $2 for U.S. credit card numbers prior to the Target breach. The black market is filled with PII for sale. Cybercriminals use these records to create false identities, to obtain credit and apply for credit cards, and to file false tax returns, said Ben-Simon.
“The records also enable fraudulent access to the victim's financial accounts including bank accounts, credit card accounts and more. Medical records are the top targets for cyber attackers,” he said. From the report: “Medical devices have become the key pivot points for the attackers within healthcare networks. They are visible points of vulnerability in the healthcare enterprise and the hardest area to remediate even when attacker compromise is identified. These persistent cyber-attacks threaten overall hospital operations and the security of patient data.”
TrapX is in the middle of an investigation into a MEDJACK attack that may impact up to ten hospitals, Ben-Simon said. Details of this will be presented at RSA next week at TrapX’s disclosure session on MEDJACK. According to TrapX’s recent research report, the number of major attacks where over 500 patient records were reported as breached rose more than 50 percent from 2015 to 2016.
“The damage varies by hospital. In almost all cases, without exception, the cyber attackers were focused on stealing patient records for resale and economic gain,” he said. The hospital explained that they had not sensed any kind of malware infection or persistent threats visible to patients. The hospital had a strong industry suite of cyber defense products, including a firewall, intrusion detection (heuristics based), endpoint security and antivirus. The healthcare IT team included a team with several experienced cyber technologists, TrapX found.
TrapX said forensic evidence showed that the attacker continued to move through the hospital’s networks looking for appropriate targets. These were all infected separately and had now enabled backdoors into the hospital networks. Moshe Ben-Simon, co-founder and vice president of TrapX Security said: "The cyber attackers were focused on stealing patient records for resale and economic gain."
It was subsequently determined that confidential hospital data was being exfiltrated to a location within Europe. Although the data breach was identified, there is still uncertainty around how many data records were exfiltrated. TrapX found Zeus and Citadel malware being used to find additional passwords within the hospital.
“In some cases we understand that the hospital is concerned about liability brought on by accidentally affecting the correct operation of the device. The effect of loading updates and/or additional software is never completely known or understood,” TrapX reported, referring to the liability and possible consequences involved in updating software on the medical devices.
Images of vulnerability
In the second healthcare institution, TrapX identified the source of this lateral movement was the picture archive and communications systems (PACS) that provided the radiology department with the storage and access to images derived from multiple sources. These image sources included CT scanners, MRI scanners, portable X-ray machines and ultrasound equipment. The PACS system is central to hospital operations and is linked to the rest of the hospital for access to vital imagery.
TrapX found the infection originated from a nurse’s workstation. Confidential hospital data was being exfiltrated to a location in Guiyang, China. An end-user in the hospital surfed on a malicious website, which redirected them to another malicious link that loaded a java exploit into that user’s browser. This allowed the attacker to run a remote command and inject malware to provide backdoor access for lateral movement.
“[These records are] the most complete and detailed profile data and hence the most valuable. Each system breached provides an opportunity for the theft of data, and potential access to additional systems on the network,” Ben-Simon said. “Attackers could cause the complete loss of data, if not backed up. Even if backed up, the cost to recreate the data files correctly in a newly restored operational healthcare medical systems is high.”
TrapX found the attacker installed a backdoor located within one of the X-ray systems in the hospital. A wrong reading of an X-ray could result in missing the delivery of required therapy, or perhaps delivering the wrong therapy. TrapX researchers found that medical devices in all three hospitals were infected by two types of sophisticated attacks: Shellcode and Pass-the-Hash techniques, both of which were designed to exploit older operating systems without current security updates.
Hospitals generally install medical devices "behind the firewall" where they are believed to be secure and protected. The internal network protection generally includes a firewall, signature-based protection such as antivirus software, other endpoint and intrusion security and more.
The security gap that makes MEDJACK effective is that most of the information technology cyber defense in the “protected network” cannot run on the medical devices. Cyber defense can only run on the servers and workstations (personal computers) around them. Once the attacker can get into the network and bypass existing security they have a time window to infect a medical device and establish a backdoor within this protected (and safe) harbor.
“MEDJACK has brought the perfect storm to major healthcare institutions globally. The health information technology team is dependent on the manufacturers to build and maintain security within the device. The medical devices themselves just do not have the requisite software to detect most of the software payloads delivered by MEDJACK attack. Finally, the standard cyber security environment set up in the hospital, regardless of how effective it might be, cannot access the internal software operations of medical devices,” said Carl Wright, executive vice president and general manager at TrapX Security.
According to TrapX, attackers leveraged the shellcode technique to exploit numerous medical devices including a Radiation Oncology system, a Trilogy Linac Gating system, a Flouroscopy Radiology system and an X-Ray machine. During the attack, malware moves within the network, injecting malicious code into a malware trap by leveraging a small module of code as a payload to exploit a software vulnerability. This complex attack then invoked a file transfer to load the appropriate file to set up additional command and control functions.
What made this attack unique was that the attacker’s sophisticated tools were camouflaged inside an out-of-date MS08-067 worm wrapper that was used for the initial distribution vector, enabling the malware to successfully move between networks. After observing a pattern, TrapX researchers concluded that the attackers intentionally packaged tools targeting older and more vulnerable Windows XP or Windows 7 operating systems devoid of adequate endpoint cyber defenses. By masking new tools in outdated worm code, the attackers were also able to dodge security alerts by the standard hospital workstations installed with up-to-date endpoint cyber defenses.
In addition, TrapX discovered a pass-the-hash technique was being used to exploit vulnerabilities in the hospital’s PACS, as well as multiple vendor computer servers and storage units. A pass-the-hash technique allows the attacker to authenticate credentials to a remote server or service using the underlying NTLM (Microsoft NT Lan Manager) hash of users' passwords instead of plaintext passwords. From there, attackers can then intercept network traffic. Researchers found that the attackers created a backdoor within the MRI system, which, in turn, attacked several of the PACS system servers.
As of March 30, 2015, the Identity Theft Resource Center (ITRC) shows healthcare breach incidents as 32.7 percent of all incidents nationwide. “Attackers know that medical devices on the network are the easiest and most vulnerable points of entry. The MEDJACK is designed to rapidly penetrate these devices, establish command and control and then use these as pivot points to hijack and exfiltrate data from across the healthcare institution,” Ben-Simon said.
While most critical patient data is protected under the federal Health Insurance and Portability and Accountability Act (HIPAA), the level of enforcement varies from state to state, notes TrapX. “This inability to enforce security policies consistently [poses] risks for healthcare institutions and strains limited security resources, thus creating an easy and vulnerable target for cyber attackers.”
Also, despite the fact that many healthcare institutions have implemented the latest operating systems, many fail to regularly update the operating system and/or default administrative passwords that come with devices. TrapX Labs recommends that hospital staff review and update their contracts with medical device suppliers. “They must include very specific language about the detection, remediation and refurbishment of the medical devices sold to the hospitals which are infected by malware. They must have a documented test process to determine if they are infected, and a documented standard process to remediate and rebuild them when malware and cyber attackers are using the devices,” said Ben-Simon.