A shocking new report was published on Monday showing just how compromised America’s healthcare technology has become. After recent incidents involving Chinese hackers stealing patient information, security firm TrapX decided to look a little closer, specifically examining the actual medical devices used by hospitals on patients.
A report released by the firm claims that attackers are actively using unprotected medical devices such as radiologic (x-ray) systems, to maintain a foothold on healthcare networks. These machines receive less scrutiny from anti-virus software and IT departments, making them ideal staging areas for sophisticated attacks.
The report is based on actual details from TrapX customer engagements and lab research the firm did on commonly used models of medical devices. According to the report, medical devices, in particular picture archive and communications systems (PACS) radiologic imaging systems, are basically invisible to security monitoring systems which makes them an ideal platform for malware infections. The researchers found that hacker use the un-monitored machines to launch attacks on other, high value IT assets within the hospital, such as customer record keeping systems.
Among the specific examples mentioned in the report were:
A malware infection at a TrapX customer site spread from a unmonitored PACS system to a key nurse’s workstation. The result: confidential hospital data was secreted off the network to a server hosted in Guiyang, China.
A healthcare institution was found to have the Zeus and Citadel malware operating from infected blood gas analyzers in the hospital’s laboratory, which were infected and provided a “backdoor” into the hospital’s network and were being used to harvest credentials from other systems on the network.
“The medical devices themselves create far broader exposure to the healthcare institutions than standard information technology assets,” the report concluded.
The researchers found that medicals systems that contacted patients were most vulnerable because they are in virtually every hospital department, almost never get software updates due to being in use and run old operating systems like Windows 2000 which are not longer supported for security updates.
Based upon our experience and understanding, our scientists believe that a large majority of hospitals are currently infected with malware that has remained undetected for months and in many cases years. We expect additional data to support these assertions over time.” the company said.
The report is among the first of its kind to document medical systems being infected with malware. Many such systems have been demonstrated by researchers to be vulnerable but very few have actively been discovered in the wild.
It remains to be seen whether these systems are particularly being targeted or are becoming infected randomly due to be older and vulnerable.
TrapX will release its full report later this week.