25 Sep Medjacking: The newest healthcare risk?
If you’re looking for trends in cyber-crime, it’s best to follow the money
In early August, Popular Science reported an FDA safety warning against an infusion pump used in hospitals. According to the FDA, a type of pump used to administer IV fluids is vulnerable to cyber-attack, potentially putting patients’ lives at risk. The article points out that, in an episode of the TV series Homeland, hackers killed the U.S. vice-president by hacking and disabling his pacemaker.
While that kind of attack is a great plot device for a TV drama (and makes medical device security an entertaining topic for Popular Science), the wider security threats posed by medical devices are both more mundane and potentially more destructive. Healthcare information is being exposed in more places every day, creating new risks for patients, providers, payers, and other organizations. In this article, I’ll look at how medical devices fit into the risk profile.
Computer Science Zone reports that there will be 25 billion connected smart devices in use in the next five years (there are almost 5 billion already). A significant portion of these will be medical devices, from pacemakers to drug pumps, mobile medical workstations, in-home monitors, and personal fitness devices. A recent article in WorldNow proclaimed, “It may sound like a science fiction novel, but medical devices could someday be the target of hackers.” But the fact is that these devices are already being hacked, a trend that is alarming hospitals and other healthcare organizations. In fact, this kind of hacking is already widespread enough to have a new name: medjacking.
Tiny keys to big doors
It’s true that hackers could tamper with medical devices to harm individuals, but thus far these devices are being hacked to unlock portals into larger medical systems and steal protected health information. In June 2015, security company TrapX released a report showing that the majority of healthcare organizations are vulnerable to medical device hijacking (a term they shortened to “medjacking”). The report also detailed incidents of medjacking in three hospitals. In one, a blood gas analyzer infected with two different types of malware was used to steal passwords to other hospital systems, and confidential data was being sent (“exfiltrated,” in hacker parlance) to computers in Eastern Europe. In another hospital, the radiology department’s image storage system was used to gain entry to the main network and send sensitive data to a location in China. In a third hospital, hackers had installed a back door in a drug pump to gain access to the hospital network.
While national security agencies are no doubt preparing for the cloak-and-dagger scenario of medjacking against an individual, if you’re looking for trends in cyber-crime, it’s best to follow the money. In an earlier article on the economics of cyber-crime, we pointed out that stolen medical identities can bring in many times the price of a stolen credit card number. In their current state of security, many medical devices offer hackers an easy entry point to steal massive numbers of records from healthcare providers’ data systems. The TrapX report quotes its co-founder and vice president Moshe Ben Simon: “Attackers know that medical devices on the network are the easiest and most vulnerable points of entry. The medjack is designed to rapidly penetrate these devices, establish command and control, and then use these as pivot points to hijack and exfiltrate data from across the healthcare institution.”