The Risks of Medical Device 'Hijacking'Expert Describes How to Defend Against Device Attacks
Hackers are using medical devices as gateways to launch targeted attacks at hospitals, but there are steps that healthcare organizations can take to protect their environments from these assaults, says Greg Enriquez, CEO of TrapX.
A new report released by TrapX Security Labs, an independent research division of security solutions and services firm TrapX, spotlights three recent real-world examples of how networked medical devices were recently "hijacked" - or "medjacked" - to exfiltrate data out of the hospitals.
In those cases, the medical devices, including X-ray equipment, picture archive and communication systems (PACS), and blood gas analyzers, were infected with either "common" or targeted malware. They were then used as gateways into other hospital information systems, Enriquez says.
While the attackers in those examples did not appear to alter or damage the medical devices with the intention to cause patient harm, the medjackings were designed to establish command and control of the devices, and then use them to exfiltrate data from across the healthcare organizations, to places including Europe and China, he says.
Additionally, "if they wanted, these attackers could control these devices from outside the organization," and cause potential safety risks to patients, he warns.
"Any device that's using a back-level operating system and is connected to the Internet is vulnerable," Enriquez explains. "If they are not patched or monitored like other systems, they can be as vulnerable, or even more vulnerable, than other administrative systems in a hospital."
For instance, medical devices that use operating systems such as Windows, including XP - which is no longer supported by Microsoft - as well as Linux, are "fairly common," he says.
In light of this, Enriquez says it's important for healthcare organizations to take several critical steps to defend against medjacking. In this interview, Enriquez discusses:
- Advice to medical device manufacturers for what they can do to bolster the security of their products;
- Tips for detecting compromised medical devices;
- The important role that encryption can play in protecting against medical device related breaches.
Enriquez, CEO of TrapX, brings more than 30 years of relevant industry experience to his role, including previous leadership positions at Symantec, IBM, Tivoli and Stratus Technologies. Before TrapX, he served as vice president of sales at FireEye, where he led the worldwide sales team for the company's advanced technologies division.