If you’re sick and sitting in a drab hospital room hooked up to a dialysis pump, the last thing you want to worry about is hackers. But according to IT healthcare security experts, there is a chance that life-saving dialysis machine is infected with malware, could even be processing fraudulent credit card transactions, or is part of a DDoS attack as it cleans your blood.
Hospitals are prime targets for hackers who see internet-connected healthcare equipment as low-hanging fruit when it comes to making a quick buck by stealing medical records, nefariously sucking up computer resources or perpetrating a ransomware attack, said Yong-Gon Chon, CEO of Cyber Risk Management.
“This equipment saves lives and can’t be taken offline like a laptop that goes back to IT for a week to be wiped and re-imaged,” Chon said. Hospitals are getting hammered by hackers targeting IoT devices. He said modern hospital security systems too often overlook IoT devices when it comes to security, making them an easy target.
Late last month, TrapX Labs’ security team spotted an uptick in the prevalence of a new, more virulent strain of malware targeting hospitals and their IoT equipment. Researchers discovered attackers targeting unpatched medical equipment running Windows XP and Windows 7 with variations of attacks such as the Conficker worm, long thought obsolete. The malware, TrapX said, now has an enhanced ability to move laterally within a network and target specific types of medical devices that have a strong likelihood of connecting to backend medical record systems.
Source: TrapX Research Labs, MEDJACK.2 Hospitals Under Siege
“A foothold on unprotected radiology equipment is a springboard to the hospital’s central servers,” said Moshe Ben-Simon, co-founder of TrapX Labs. Medical equipment in the majority of hospitals today, he said, was not designed with security as a priority. “They are purpose-built to save lives, not beat back cyber-attacks. And once IoT devices are deployed, there is no simple way to add security after the fact.”
If things sound bleak when it comes to protecting hospital IoT devices, it gets worse. In a recent study of hospitals by major universities, researchers found doctors, nurses and hospital IT staff earned failing grades when it comes to adhering to basic cyber security practices, straining already disadvantaged hospital security defenses.
The report found doctors reluctant to break old workflow routines and adopt even the most basic network security practices such as two-factor authentication or basic password etiquette. “We find users write down passwords everywhere. Sticky notes (with usernames and passwords) form sticky stalagmites on medical devices and in medication preparation rooms,” according to the report.
Medical Records A Prized Target
It’s those conditions that nurture hospital medical record theft nightmares. In 2015 alone, more than 113 million medical records were hacked, according to U.S. Department of Health and Human Services data. Last year’s statistics aren’t an anomaly.
A report from last month claimed a hacker was selling upwards of 655,000 healthcare records on the dark web. That figure ballooned the following week, with hackers claiming that an even larger database of 9.3 million patient records from a health insurance provider was making the rounds online. The month prior, Florida-based cancer treatment center 21st Century Oncology Holdings warned 2.2 million patients that health data and Social Security numbers were stolen from its computer network.
So why are hackers turning their attention to medical records rather than credit card data? For starters, because hospitals have fewer security protections, the data is easier to steal. But more compelling for crooks is that medical record data, which contains name, birthdate, Social Security number and medical information, is worth more than stolen credit card data.
On the dark web medical records fetch $20 to $40 per record versus about $5 for one financial profile, according to TrapX. Medical records are used in a variety of different scams ranging from traditional financial identity theft to false billing for surgery, treatment or prescriptions. TrapX says it’s working with medical fraud prevention firms that combat stolen medical records used with insurance co-pays to buy expensive drugs that are later resold on the black market.