The healthcare industry is a well-known information security dumpster fire, from entire hospitals hijacked by ransomware to the useless security on medical devices to the terrifying world of shitty state security for medical implants — all made worse by the cack-handed security measures that hospital workers have to bypass to get on with saving our lives (and it's about to get worse, thanks to the Internet of Things).
But the poor security of the medical device world doesn't just affect the devices themselves. The proliferation of literally insecurable medical systems running orphaned operating systems with thousands of known, unpatchable defects provides a soft target for identity thieves looking to pillage your health records.
One trojan, MedJack, enters healthcare facilities by penetrating these badly secured diagnostic and administrative systems and then fans out across the network, cracking patient record systems. These records are used for tax fraud and identity theft, and to steal narcotics prescriptions that can be filled from online pharmacies and then resold on the black market.
Security firm TrapX says that "every time" they visit a healthcare facility, they find MedJack infections running rampant on the network, using exploits designed to take over Windows 2000 systems to seize control of the creaking, non-upgradeable systems that are inevitably found in these facilities.
Meanwhile, Section 1201 of the DMCA and the Computer Fraud and Abuse Act still impose possible criminal sanctions — including long prison sentences — on researchers who probe, reverse-engineer, or publish warnings about these systems.
These attacks also constantly evolve. MedJack, for instance, has adopted new, more sophisticated approaches in recent months, according to network visibility and security firm TrapX. The company used emulation technology to plant fake medical devices on hospital networks, impersonating devices like CT scanners. As hackers probed and compromised these phony targets, TrapX observed that the MedJack attackers were intentionally using old malware to target their assaults at medical devices running outdated operating systems, like Windows XP and Windows Server 2003. By attacking legacy tech, hackers can avoid detection more easily, since other parts of a network running current operating systems won't flag the activity. Those newer services are already patched against the older malware, and automatically classify it as a minor threat.
"Every time we've gone into a healthcare facility to demonstrate our product we unfortunately find that they're also a victim of this MedJack attack," says TrapX vice president of marketing Anthony James. "Most of these facilities have no clue, because no one is monitoring their healthcare devices for the presence of an attacker. No one is thinking about a CT scanner or an MRI machine and seeing a launchpad for a broader attack."
Medical Devices Are the Next Security Nightmare [Lily Hay Newman/Wired]