HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Medical Devices Being Targeted to Gain Access to Networks

According to a white paper issued by TrapX Labs, medical devices are being targeted by hackers who are using the equipment as backdoors to gain access to healthcare computer networks. The report cited three examples of medical device hacking where hackers had gained access to medical equipment and bypassed the complex data security systems installed by healthcare providers.

Healthcare data security systems may be highly effective at detecting network intrusions and repelling brute force attacks, but the protection does not extend to all medical devices. Major security vulnerabilities exist that are not being addressed.

Many healthcare providers believe their electronic equipment to be secure, as protections are in place to prevent access. However, according to the report, security systems are not effective at protecting medical devices. Criminals are gaining access, yet hospital IT staff are unable to scan the equipment without assistance from the manufacturer. If an intrusion is detected, the manufacturer or contractor must be contacted to access the devices and perform tests. This can take time.

According to the report, “It could take weeks to handle these security incidents because of both scheduling and access to the manufacturer’s resources. Once the malware was removed, we found the medical devices could be re-infected fairly quickly.”

Please see the HIPAA Journal Privacy Policy

The report provides three examples of attacks on medical devices at hospitals, two of which demonstrated that in spite of robust security defenses, hackers were still able to access devices. TrapX started monitoring medical devices and it fast became apparent that the equipment was anything but secure.

The first example shows that even with a “Strong industry suite of cyber defense products” a successful attack can still take place. The device in question was a blood gas analyzer; not a device typically associated with data breaches and cybersecurity attacks. Protections “included a strong firewall, intrusion detection (heuristics based), endpoint security and antivirus and more.”

The company rapidly detected a persistent intrusion, with the hacker using the device to move around the system looking for targets. Further investigation revealed that three gas analyzers had been compromised, with each possessing a back door that allowed access to the network. Access was possible as the devices were running outdated software which had security flaws that could easily be exploited.

TrapX determined that all three BGAs had been infected with Citadel, Zeus and COTS malware, and all data stored on the BGA was accessible “in clear text”; however whether the attackers were interested in BGA data is unknown. It is suspected that the BGA itself was only a stepping stone, allowing the hacker to gain access to a much more valuable resource: the healthcare provider’s computer systems. It is not known what data, if any, was accessed by the hackers, nor how many individuals have potentially been affected.

According to the report, “The medical devices themselves create far broader exposure to the healthcare institutions than standard information technology assets. It is the ideal environment upon which to launch persistent attacks with the end goal of accessing high value data. This exposure is not easily remediated, even when the presence of malware is identified conclusively,”

Picture Archive and Communication System (PACS) Compromised


The second example provided shows the problems that healthcare providers can have keeping all equipment secure. In this case, the Picture Archive and Communications System (PACS) had been compromised. A PACS is invaluable, allowing doctors and care teams to access a wide range of medical imaging data from multiple sources – such as MRIs, CT scans, digital X-rays and ultrasound scans. The data can be pulled up by anyone with an access code.

Hackers were able to gain access to this system as a result of a member of the hospital staff had inadvertently downloaded malware onto a computer by visiting an infected web page.

When the malware was detected by the healthcare provider, the system was cleaned. All traces of the malware were removed from the desktop and network; or so the healthcare provider believed. The PACS system was not disinfected, and the malware remained allowing hackers to continue to access the system until TrapX discovered the intrusion. In this case, the hospital’s security software was unable to effectively scan the PACS system.

It is not known how much data was obtained by hackers, but TrapX did determine that the PACS infection allowed hackers to gain access to a workstation used to store Protected Health Information. The data was copied by the hacker and was transmitted (via Port 443) to a location in China.

Medical Device Access is a Widespread Problem

TrapX researchers determined that far from being isolated incidents, these attacks and intrusions are commonplace. The researchers say that they “believe that a large majority of hospitals are currently infected with malware that has remained undetected for months and in many cases years. We expect additional data to support these assertions over time.”

The report concludes: “The primary reason for this problem is centered on the fact that medical devices are closed systems. As FDA certified systems, they not open for the installation of additional 3rd party software by the hospital staff.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.