As if visiting the hospital wasn't scary enough already, now patients have to worry about cybercriminals compromising medical devices. According to cybersecurity company TrapX, hackers are now infecting gadgets throughout hospitals with harmful malware in order to break into hospital networks and steal patient information.
While installing its technology in three hospitals, TrapX detected intrusions on blood gas analyzers, a picture archive and communications system and an X-ray system. The gadgets contained malware designed to infect the wider hospital network.
Ransomware, as well as Zeus, Citadel, and even Conficker malware, was discovered on the devices. While none of these real-world hacks of the medical devices appeared to be used for sabotage per se, TrapX says the malware on them could indeed be used for remote control of the devices.
The malware found on the devices included strains designed to spread across the hospital network, steal passwords and swipe patient information. But this is not the first serious security flaw discovered in critical hospital equipment. Earlier I wrote about a drug pump that could allow anyone access to the hospital's entire network.
The hospitals affected by these attacks actually had strong cybersecurity protections in place. But their staff and security scans were still unable to detect the malware, because many of these devices are separated from the rest of the network by manufacturer firewalls.
"They're not open to security teams to scan or to use typical security products on," [Greg Enriquez, CEO of TrapX] says. "That's the challenge hospital professionals have in security: often these devices are behind secondary firewalls managed by the manufacturer of the device, and the security team doesn't have access."
Also, many medical devices run on Windows-based systems, so they're vulnerable to attacks designed for the Windows operating system.
In order to protect patients, hospitals and manufacturers must put a system in place to regularly monitor medical devices to catch malware before it has the chance to infiltrate the hospital network or take over a gadget. TrapX will issue a report later this month detailing the attacks and what can be done to stop them.
"They must include very specific language about the detection, remediation and refurbishment of the medical devices sold to the hospitals which are infected by the malware. They must have a documented test process to determine if they are infected, and a documented standard process to remediate and rebuild them when malware and cyber attackers are using the devices," says Moshe Ben Simon, co-founder and vice president of TrapX Security and general manager of TrapX Labs, in the report.