A patient lies in a hospital bed waiting for a medical professional to conduct a blood gas analysis. Little does the patient know that his personal information is also undergoing a procedure.
The database that stores patient data was found unencrypted, default passwords were used, and the nature of the exploit was basic, according to TrapX Security, which was called in later to recreate and diagnose the issues at the unnamed hospital. The technology research company recently released its findings in a report called "Anatomy of an Attack – Medical Device Hijack (MEDJACK)". The security company declined to name the three hospitals it examined, except to say they were located in the Western and Northeastern U.S.
“The TrapX Labs cyber exploit team was able to remotely change readings in the exploited blood gas analyzer. We could change database records at will. Blood gas analyzers are often used in intensive care. These are patients generally quite ill, so any interference with the operation of the device could have negative consequences,” said Moshe Ben-Simon, co-founder and vice president of TrapX Security, adding that they have no evidence of any cyber attacker activities that physically harmed a patient.
Since the beginning of 2016, several hospitals and healthcare institutions have fallen victim to ransomware attacks, including MedStar Health, Kansas Heart Hospital and Hollywood Presbyterian Hospital. Personally identifiable information (PII) and medical records are worth 10 to 20 times more than credit card data.
Cybersecurity firm Dell SecureWorks notes that cybercriminals get paid $20 to $40 for health insurance credentials, compared with $1 to $2 for U.S. credit card numbers prior to the Target breach.
The black market is filled with PII for sale. Cybercriminals use these records to create false identities, to obtain credit and apply for credit cards, and to file false tax returns, said Ben-Simon.
“The records also enable fraudulent access to the victim's financial accounts including bank accounts, credit card accounts and more. Medical records are the top targets for cyber attackers,” he said.
From the report: “Medical devices have become the key pivot points for the attackers within healthcare networks. They are visible points of vulnerability in the healthcare enterprise and the hardest area to remediate even when attacker compromise is identified. These persistent cyber-attacks threaten overall hospital operations and the security of patient data.”
TrapX is in the middle of an investigation into a MEDJACK attack that may impact up to ten hospitals, Ben-Simon said. Details of this will be presented at RSA next week at TrapX’s disclosure session on MEDJACK.
According to TrapX’s recent research report, the number of major attacks where over 500 patient records were reported as breached rose more than 50 percent from 2015 to 2016.