Hackers are targeting medical devices in hospitals, not for the data in the devices but to establish a back door that provides access to an organization’s entire information network.

Medical devices such as radiation oncology and fluoroscopy radiology systems, PACS systems and X-ray machines are attractive malware vehicles because they typically have been in use for many years and run older versions of Windows operating systems that have not been adequately updated, says Anthony James, chief marketing officer at TrapX.

A radiology system may be running new versions of Windows, but those old malware-infested versions are still in the device, James says. An especially dangerous twist is that attackers are using old malware variants, such as the MS08-067 worm, which has threat signatures that are well known.

New versions of Windows ignore the old variants because they are not vulnerable to them, so the malware remains in place and undetected because the security system does not trigger an alarm, according to James. TrapX develops real-time breach detection and prevention technology that uses a shadow information network to accept and eradicate malware while keeping the real network secure.

After attackers have established a presence on a medical device, they can roam through the entire network looking for electronic health records and other protected health information. Earlier versions of malware found one network and stayed on it, but new versions hunt for more networks.

“The sophistication of attackers has increased tremendously,” James cautions. “Before, they were just getting whatever they found and now they are hunting.”

In a recent report on this vulnerability, TrapX offers a number of recommendations including:

  • Implement a strategy for medical device end-of-life. Retire devices as soon as possible if they have older architectures and no viable strategy for dealing with advanced malware.
  • Update existing medical device vendor contracts for support and maintenance, and specifically address malware remediation. This may raise operating budgets, but the additional expense is necessary and prudent.
  • Manage access to medical devices, especially through USB ports. Do not permit any medical device to provide USB ports for staff use without additional protections.
  • Consider one-way use of memory sticks to preserve the “air gap,” which keeps a machine isolated as it’s connected to a network. This will prevent a medical device from infecting other devices.
  • Favor medical device vendors using technologies such as digitally signed software, and encrypt all internal data with passwords that can be modified and reset.
  • Have information security staff test and evaluate vendors independent of an acquiring department, and allow the staff to object to procurement of a device that is not adequately protected.
  • Use deception technology designed to identify malware and persistent attack vectors that have bypassed privacy defenses.
