‘MEDJACK’ tactic allows cyber criminals to enter healthcare networks undetected


This year has already been marked by data breaches at multiple major healthcare organizations, including CareFirst BlueCross BlueShield and Anthem. While these providers have pointed to various causes and attacks as the source of their compromises, it has not yet become prominent news that medical organizations’ own devices might be the true culprit behind many breaches, both those already discovered and those still to come.

A report from TrapX found that a majority of organizations are vulnerable to, if not already victims of, MEDJACK, or “medical device hijack.” Essentially, the company wrote, attackers move through healthcare systems’ main networks by first exploiting outdated and unpatched medical devices, such as an X-ray scanner or blood gas analyzer, and then use these internet-connected devices to build backdoors into the wider systems.

TrapX published a report on “medical device hijack,” or MEDJACK, which allows attackers to build backdoors into healthcare providers’ networks

“Our scientists have observed that you could manufacture an attack, designed specifically for several models of a specific medical device, and then launch that attack,” wrote Carl Wright, general manager at TrapX in an email to SCMagazine.com. “That, combined with the difficulty in diagnosis and remediation, and the very high value of healthcare data, create a near perfect target for organized crime.”

Through various case studies, TrapX found that while many hospitals maintain solid IT departments with firewalls and other security solutions, the vulnerable medical devices are often left unpatched. Generally, the security team cannot fully view the device console or operating system, and because these machines often run continuously for days, there is never a convenient time to take them offline.

Plus, most defense suites don’t protect the devices, and even if they did, TrapX wrote, adding unanticipated security software to a device can get messy: it could affect the device’s FDA approval or create additional liability for the hospital.

“Every malware infection that connects a network to an outside attack, in the United States, is a serious event and most likely would be categorized by that healthcare institution as a security event under their HIPAA operating procedures,” Wright said. “Given that patient data is at risk, the medical device manufacturer needs to indicate exactly how they will respond to mitigate the situation so that a data breach can be contained or stopped, and normal hospital operations can resume.”

Wright noted that healthcare organizations, once aware of the MEDJACK threat, need to devise a security strategy. Professionals should also ask the device vendors how they support their devices and how they can help mitigate these attacks: ask whether the vendors use digitally signed software, he said, and evaluate the devices’ lifecycles to determine whether it might be time to purchase new products.

This is not a problem that will go away any time soon, Wright said. Nearly every time his team went into a healthcare institution, it found instances of MEDJACK, which, more often than not, were unknown to the administrative and IT teams.


