In addition, TrapX discovered that a pass-the-hash technique was being used to exploit vulnerabilities in the hospital’s PACS, as well as multiple vendor computer servers and storage units. Pass-the-hash allows an attacker to authenticate to a remote server or service using the underlying NTLM (Microsoft NT LAN Manager) hash of a user's password instead of the plaintext password. From there, attackers can intercept network traffic. Researchers found that the attackers created a backdoor within the MRI system, which, in turn, attacked several of the PACS servers.
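As an added illustration for defenders (not code from TrapX or the original article), the sketch below triages Windows Security logon events (Event ID 4624) with two commonly used pass-the-hash heuristics. The host names, accounts, the DEVICE_HOSTS allowlist and the sample events are all constructed assumptions.

```python
# Added example: heuristic triage of Windows Security 4624 (logon) events.
# Field names follow the 4624 event schema; hosts and accounts are constructed.

DEVICE_HOSTS = {"MRI-01"}  # assumption: devices that should never log on as users

SAMPLE_EVENTS = [  # constructed sample records, not data from the report
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp ", "TargetUserName": "pacsadmin",
     "WorkstationName": "MRI-01", "Computer": "PACS-SRV1"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "TargetUserName": "radiology1",
     "WorkstationName": "RAD-WS7", "Computer": "PACS-SRV1"},
    {"EventID": 4624, "LogonType": 9, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "seclogo", "TargetUserName": "tech",
     "WorkstationName": "-", "Computer": "RAD-WS7"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp ", "TargetUserName": "ANONYMOUS LOGON",
     "WorkstationName": "MRI-01", "Computer": "PACS-SRV2"},
]

def pth_reason(event, device_hosts=DEVICE_HOSTS):
    """Return a reason string if the logon deserves review, else None."""
    if event.get("EventID") != 4624:
        return None
    user = event.get("TargetUserName", "")
    logon_type = event.get("LogonType")
    process = event.get("LogonProcessName", "").strip().lower()
    # Heuristic 1: NewCredentials logon (type 9) created through seclogo.
    if logon_type == 9 and process == "seclogo":
        return "NewCredentials logon via seclogo"
    # Heuristic 2: NTLM network logon by a named user, sourced from a device host.
    if (logon_type == 3
            and event.get("AuthenticationPackageName", "").upper() == "NTLM"
            and user.upper() != "ANONYMOUS LOGON"
            and not user.endswith("$")  # skip machine accounts
            and event.get("WorkstationName", "").upper() in device_hosts):
        return "NTLM network logon from medical device host"
    return None

def flag_pth_candidates(events, device_hosts=DEVICE_HOSTS):
    """Return (computer, user, reason) for every event matching a heuristic."""
    hits = []
    for ev in events:
        reason = pth_reason(ev, device_hosts)
        if reason:
            hits.append((ev["Computer"], ev["TargetUserName"], reason))
    return hits

if __name__ == "__main__":
    for hit in flag_pth_candidates(SAMPLE_EVENTS):
        print(hit)
```

Both heuristics produce review candidates rather than confirmed detections; legitimate NTLM use and runas /netonly sessions match them too.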
As of March 30, 2015, Identity Theft Resource Center (ITRC) data shows healthcare breach incidents making up 32.7 percent of all incidents nationwide.
“Attackers know that medical devices on the network are the easiest and most vulnerable points of entry. The MEDJACK is designed to rapidly penetrate these devices, establish command and control and then use these as pivot points to hijack and exfiltrate data from across the healthcare institution,” Ben-Simon said.
While most critical patient data is protected under the federal Health Insurance Portability and Accountability Act (HIPAA), the level of enforcement varies from state to state, notes TrapX. “This inability to enforce security policies consistently [poses] risks for healthcare institutions and strains limited security resources, thus creating an easy and vulnerable target for cyber attackers.”
Also, despite the fact that many healthcare institutions have implemented the latest operating systems, many fail to regularly update the operating system and/or default administrative passwords that come with devices.
TrapX Labs recommends that hospital staff review and update their contracts with medical device suppliers. “They must include very specific language about the detection, remediation and refurbishment of the medical devices sold to the hospitals which are infected by malware. They must have a documented test process to determine if they are infected, and a documented standard process to remediate and rebuild them when malware and cyber attackers are using the devices,” said Ben-Simon.