“The damage varies by hospital. In almost all cases, without exception, the cyber attackers were focused on stealing patient records for resale and economic gain,” said Moshe Ben-Simon, co-founder and vice president of TrapX Security.
The hospital explained that it had not detected any malware infection or persistent threat, and none was visible to patients. The hospital ran a strong suite of industry-standard cyber defense products, including a firewall, heuristics-based intrusion detection, endpoint security and antivirus, and its healthcare IT team included several experienced cyber technologists, TrapX found.
TrapX said forensic evidence showed that the attacker continued to move through the hospital’s networks looking for suitable targets. Each of these targets was infected separately, and each now provided a backdoor into the hospital networks.
It was subsequently determined that confidential hospital data was being exfiltrated to a location within Europe. Although the data breach was identified, there is still uncertainty around how many data records were exfiltrated.
TrapX found Zeus and Citadel malware being used to harvest additional passwords within the hospital.
“In some cases we understand that the hospital is concerned about liability brought on by accidentally affecting the correct operation of the device. The effect of loading updates and/or additional software is never completely known or understood,” TrapX reported, referring to the liability and possible consequences involved in updating software on the medical devices.
Images of vulnerability
In the second healthcare institution, TrapX identified that the source of this lateral movement was the picture archive and communications system (PACS), which provided the radiology department with storage of, and access to, images from multiple sources. These image sources included CT scanners, MRI scanners, portable X-ray machines and ultrasound equipment. The PACS is central to hospital operations and is linked to the rest of the hospital to provide access to vital imagery.
TrapX found that the infection originated from a nurse’s workstation. Confidential hospital data was being exfiltrated to a location in Guiyang, China. An end user in the hospital browsed to a malicious website, which redirected them to another malicious link that loaded a Java exploit into that user’s browser. This allowed the attacker to run a remote command and inject malware that provided backdoor access for lateral movement.
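The browser-based infection chain described above (malicious page, redirect, Java exploit delivered to the browser) is the kind of sequence a proxy-log review can surface after the fact. The following added example is not from the TrapX report or this article: it reconstructs per-client referer chains over constructed proxy log lines and flags Java artifacts that were reached through a redirect from a host outside an allowlist (the log format, hostnames and allowlist are assumptions).

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the TrapX report):
# time client status url content-type referer ("-" if none)
PROXY_LOG = """\
09:14:01 10.20.5.17 200 http://news-site.example/health text/html -
09:14:03 10.20.5.17 302 http://ad-host.example/click?id=77 text/html http://news-site.example/health
09:14:03 10.20.5.17 200 http://cdn-x.example/loader.html text/html http://ad-host.example/click?id=77
09:14:04 10.20.5.17 200 http://cdn-x.example/a/app.jar application/java-archive http://cdn-x.example/loader.html
09:14:05 10.20.5.17 200 http://cdn-x.example/app.class application/java-vm http://cdn-x.example/loader.html
09:15:10 10.20.5.42 200 http://intranet.hospital.example/portal text/html -
09:15:12 10.20.5.42 200 http://intranet.hospital.example/tools/viewer.jar application/java-archive http://intranet.hospital.example/portal
"""

JAVA_TYPES = {"application/java-archive", "application/x-java-archive", "application/java-vm"}
ALLOWLIST = ("intranet.hospital.example",)  # hypothetical internal hosts allowed to serve Java


def parse(line):
    t, client, status, url, ctype, referer = line.split()
    return {"time": t, "client": client, "status": int(status), "url": url,
            "ctype": ctype, "referer": None if referer == "-" else referer}


def host(url):
    return re.sub(r"^https?://([^/]+).*$", r"\1", url)


def find_driveby_java(log_text):
    """Return one finding per Java artifact whose referer chain passes through a 3xx redirect."""
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse(line)
        by_client[rec["client"]].append(rec)
    findings = []
    for client, recs in by_client.items():
        by_url = {r["url"]: r for r in recs}
        for r in recs:
            if r["ctype"] not in JAVA_TYPES and not r["url"].endswith(".jar"):
                continue
            if host(r["url"]).endswith(ALLOWLIST):
                continue  # Java served from an approved internal host is expected
            # Walk the referer chain backwards, noting whether any hop was a redirect.
            chain, cur, redirected = [r["url"]], r["referer"], False
            while cur and cur in by_url and len(chain) < 8:
                chain.append(cur)
                redirected |= 300 <= by_url[cur]["status"] < 400
                cur = by_url[cur]["referer"]
            if redirected:
                findings.append({"client": client, "chain": list(reversed(chain))})
    return findings
```

Real proxy logs carry more fields and referers can be stripped, so treat a hit as a lead for host triage rather than a verdict.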
“[These records are] the most complete and detailed profile data and hence the most valuable. Each system breached provides an opportunity for the theft of data, and potential access to additional systems on the network,” Ben-Simon said. “Attackers could cause the complete loss of data, if not backed up. Even if backed up, the cost to recreate the data files correctly in newly restored operational healthcare medical systems is high.”