NetEvents

Medical CT Scanners, X-Ray Machines, and MRI Machines, Are Under Attack

By Alan Zeichick and Mark Fox

The healthcare industry is vulnerable to cyberattacks – arguably more vulnerable than most industries. The technology is constantly changing, and so are the regulations regarding certifying that technology. Devices are hard to configure, and hard to secure, and medical equipment often isn’t under the tight control of a facility’s IT department (other than supplying a network connection). And the prize for breaching a hospital or other medical practice? Lots of personal data worth big money on the Dark Web.

It doesn’t help that there are security flaws in some devices. Take, for example, computed tomography (CT) scanners. One maker, Philips, disclosed on May 1, 2018, that four of its CT scanners had what it described as a low-risk security vulnerability:

Philips has confirmed that the potential security vulnerability, if successfully exploited, may allow an attacker to gain unauthorized access to elevated privileges and/or restricted system resources and information. This vulnerability is not exploitable remotely and cannot be exploited without user interaction, and an attacker would need local access to the kiosk environment of the medical device to be able to implement the exploit.

That’s somewhat worrisome – not a crisis, but not good. How about electroencephalogram (EEG) equipment from Natus Medical Inc.? Talos Intelligence, a division of Cisco, announced on April 4 that it “Talos has discovered multiple vulnerabilities in Natus NeuroWorks software. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an ethernet connection for data acquisition and connection to networks.”

The good news is that white-hat researchers found the vulnerability before black-hat hackers. The problem has been patched – and now the challenge is to get device operators to install that patch:

In accordance with our coordinated disclosure policy, Talos has worked with Natus to ensure that these issues have been resolved and that a firmware update is made available for affected customers. Several of these vulnerabilities could allow a remote attacker to execute arbitrary code on affected devices. Given the role these devices play and the environments in which they are typically deployed, it is highly recommended that they be evaluated and addressed by organizations as quickly as possible. Natus has released Neuroworks 8.5 GMA2 to address these issues. Talos recommends installing this update as quickly as possible on affected systems.

How about x-ray and MRI machines? Yes, they are targeted too. On April 28, Symantec said that it has learned about a type of malware called Orangeworm,:

According to Symantec telemetry, almost 40 percent of Orangeworm’s confirmed victim organizations operate within the healthcare industry. The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures.

It gets worse from there. The malware gathers data about breached devices, and then uses that info “to determine whether the system is used by a researcher or if the victim is a high-value target. Once Orangeworm determines that a potential victim is of interest, it proceeds to aggressively copy the backdoor across open network shares to infect other computers.”

Hospital are Particularly Vulnerable

Ransomware attacks seem to hit hospitals and other large medical practices pretty hard, and rather frequently.

Perhaps it’s sloppy IT practices, or insufficient spending on anti-malware products.

Perhaps it’s because people with access to hospital networks, like doctors, often are independent contractors or work for multiple organizations, and thus aren’t using hospital-provided laptops and don’t have good training about handling phishing and weblinks.

Perhaps it’s because hospitals are rich targets, and thus are attracting lots of attention from hackers.

Perhaps it’s because this information is going public at a higher rate than, say, traditional business breaches.

Or perhaps it’s because medical workers are unhappy or greedy. The 2018 Verizon Data Breach Investigations Report showed that healthcare has more internal actors behind breaches than external – 56% percent of actors are insiders:

The Healthcare industry has the dubious distinction of being the only vertical that has a greater insider threat (when looking at breaches) than it does an external threat. This somewhat bleak finding is linked closely to the fact that there is a large amount of both errors and employee misuse in this vertical. With regard to incidents Healthcare is almost seven times more likely to feature a causal error than other verticals in our dataset, but you might not want to ponder that when you go in to get that appendix removed.

Errors most often appear in the form of misdelivery (62%)— which is the sending of something intended for one person to a different recipient—and is followed by a grouping of misplacing assets, misconfigurations, publishing errors and disposal errors.

Misuse, on the other hand, takes the form of privilege abuse (using logical access to assets, often databases, without having a legitimate medical or business need to do so) in 74% of cases. Interestingly, the motive (when known) is most often (47%) that of “fun or curiosity.” Examples of this are when an employee sees that their date from last weekend just came in for a checkup, or a celebrity visits the hospital and curiosity gets the better of common sense. Not to be forgotten, our faithful friend avarice is still alive and well, with financial gain being the motivation in 40% of internal misuse breaches.

Scary stuff, given that hacks to hospitals and medical equipment are matters of life and death. Who knows what physiological damage a hacked CT scanner or x-ray machine might do to a patient? It doesn’t bear thinking about – but we must think about it. And do something about it, too.