Since the beginning of 2016, several hospitals and healthcare institutions, including MedStar Health, Kansas Heart Hospital and Hollywood Presbyterian Hospital, have fallen victim to ransomware attacks. Healthcare data is becoming exponentially more valuable on the black market, and has become an increasingly lucrative target for hackers. According to Ponemon Institute’s 2015 Cost of a Data Breach Study, personally identifiable information and medical records holds a value between 10 to 20 times more than credit card data. This is, in part, because medical record data allow cyber criminals to reconstruct a person’s entire identity.
Existing Vulnerabilities in the Healthcare Industry
The healthcare industry is one of the largest individual markets in the United States, with annual expenditures that comprise approximately 17.5 percent of the country’s gross domestic product. The greater majority of medical facilities are connected electronically, often sharing common electronic medical records/electronic health systems (EMR/EHR). While most critical patient data is protected under the Health Insurance and Portability and Accountability Act (HIPAA), which provides a basic security and privacy framework for protecting personal health information, the level of enforcement varies from state to state. This inability to enforce security policies consistently puts healthcare institutions at risk and strains already limited security resources, thus creating an easy and vulnerable target for cyber attackers.
Also, despite the fact that many healthcare institutions have implemented the latest operating systems of their main user devices and services in the network, many fail to ensure that medical devices have the most up-to-date operating system and/or they fail to change the default settings that come with these devices. These minor maintenance lapses leave the door wide open for attackers to exploit these existing vulnerabilities and security gaps.
In our latest report, Anatomy of Attack: Medical Device Hijack 2 (MEDJACK 2), researchers leveraged deception technology and found medical devices in three hospitals were infected by attackers. Further analysis indicated that attackers leveraged at least one of two types of sophisticated attacks: Shellcode and Pass-the-Hash techniques. Both techniques were designed to exploit older operating systems.
Cyber Attacks via the Shellcode Technique
According to the researchers, attackers leveraged the shellcode technique to exploit numerous medical devices including a Radiation Oncology system, a Respiratory Position Management System, a Flouroscopy Radiology system and an X-Ray machine. They found that malware was discovered moving laterally within the network. By utilizing Deception technology, some healthcare institutions were able to identify the attack, which would have otherwise gone undetected. Upon finding what was thought to be a vulnerable target, but was in fact a deception trap, the malware injected malicious code. This set an alert in motion allowing administrators to identify the attack and understand the attacker’s tactics. The discovered attack utilized shellcode execution leveraging a small module of code as a payload to exploit a software vulnerability. In these instances, the trap allowed the malware to proceed in order to analyze the attack, however, the device was not vulnerable. This complex attack then invoked a file transfer to load the necessary file to set up additional command and control functions.
What made this attack unique was that the attacker’s sophisticated tools were camouflaged inside an out-of-date MS08-067 worm wrapper, enabling the attack to successfully move between networks. After observing a pattern, researchers concluded that the attackers intentionally packaged tools targeting older and more vulnerable Windows XP or Windows 7 operating systems devoid of adequate endpoint cyber defenses. By masking new tools in outdated worm code, the attackers were also able to evade security alerts by the standard hospital workstations installed with up-to-date endpoint cyber defenses since the newer operating systems simply “ignored” the attack.
Cyber Attack via the Pass-the-Hash Technique
Additionally, we discovered the pass-the-hash technique attempting to exploit vulnerabilities in the hospitals’ picture archive and communication systems (PACS), as well as multiple vendor computer servers and storage units. A pass-the-hash technique allows the attacker to authenticate credentials to a remote server or service using the underlying NTLM (Microsoft NT Lan Manager) hash of a user’s password instead of the commonly required plaintext passwords. From there, attackers can then intercept the NTLM from network traffic, either at the user or sometimes at an administrator level. While the PACS systems did not fall victim to the attack, the traps allowed the attack to complete in order to provide valuable analytical insight on the attacks.
Researchers also found that the attackers created a backdoor within the MRI system which, in turn, attempted to attack several of the PACS system servers. Similar to shellcode, the attackers in this instance used the malware to move laterally within the PACS network and injected malicious code into the trap. What’s more, attackers also used the shellcode technique to bypass security mechanisms in patched operating systems.
Developing a Stronger Security Posture
In all of the hospital use cases outlined in the report, we found that the attack was moving laterally throughout the network in an attempt to identify vulnerabilities ideal for exploitation. Medical devices were the most vulnerable components of the network, in part, because they cannot be secured or maintained by the hospital’s own security team. In many cases, FDA regulation mandates that the security and implementation of hospital medical devices are the sole responsibility of the device vendors. However, once a hospital purchases and implements a device, vendors often don’t provide security updates and patches to existing operating system vulnerabilities, causing medical devices to become the weakest link of a healthcare institution from a security standpoint.
To better secure medical devices attached to a network, there are many things security staff can do. Some recommendations include:
- Isolate all medical devices inside a secure network zone and protect this zone with an internal firewall that will only allow access to specific services and IP addresses. If possible and practical, totally isolate medical devices inside a network that is not connected to the external Internet.
- Implement a strategy to review and remediate existing medical devices now. Many of these are likely infected and creating risk for the institution and patients.
- Implement a strategy to rapidly integrate and deploy software and hardware fixes provided by the manufacturer to your medical devices. These need to be tracked and monitored by senior management and quality assurance teams.
- Implement a strategy to procure medical devices from any vendor only after a review with the manufacturer that focuses on the cybersecurity processes and protections. And conduct quarterly reviews with all of medical device manufacturers.
- Implement a strategy for medical device end-of-life. Many medical devices have been in service for many years often against a long depreciated lifecycle. Retire these devices as soon as possible if they exhibit older architectures and have no viable strategy for dealing with advanced malware such as MEDJACK. Then acquire new devices with the necessary protections from manufacturers that can comply with your requirements.
By implementing these simple steps, hospitals can greatly curtail the spread of malware through medical devices and block attackers from accessing valuable hospital and patient data.
About the Author: Greg Enriquez is CEO of TrapX, a leader in deception technology. Prior to joining TrapX, Enriquez served as vice president of sales at FireEye, where he led the worldwide sales team for the company’s advanced technologies division. Enriquez earned a Bachelor’s Degree in business administration from the University of Southern California (USC).
