The lurker in your MRI machine wants money, not your life
Investigators find attackers setting up basecamp in medical equipment using new, stealthier techniques.
***Updated on 2-27-17 with comments from Michael McNeil of Philips***
If you get an MRI scan at the hospital, you may not be alone.
There may be an attacker hiding inside the machine, a digital thief looking to snatch your medical records or freeze the hospital’s computers for ransom.
Cybersecurity company TrapX Security reported today that it has found malicious hackers roosting on medical equipment at hospitals in the U.S. and other countries, using new, sophisticated techniques to hide their evil deeds.
“Attackers are hijacking medical equipment,” TrapX’s Chief Marketing Officer Anthony James said. “They’re stepping up their game.”
That equipment includes MRI machines, CT scanners and blood gas analyzers, James told Archer News.
The company has published reports on this kind of medical hijacking—what it calls ‘MEDJACK’—before, in 2015 and 2016.
Now, however, the criminals are using special techniques that allow them to successfully cover their tracks and run under the radar, James said.
“It was an evolutionary step,” he explained. “A similar theme with an elevated level of sophistication.”
How they get in
It starts with a click.
A doctor or nurse or nurse’s aide at a hospital computer, perhaps at a nurse’s station, gets an e-mail that looks legitimate, but really holds a link to malware.
The hospital worker clicks, and the malware launches itself, on the hunt for certain kinds of medical equipment, according to James, who is giving a presentation on the new ‘medjacking’ techniques at the RSA cybersecurity convention in San Francisco today.
The first round of attacks discovered in 2015 landed on medical equipment by accident, James said.
“The first one, we felt like it was blind luck,” he said. “The attacker blindly found this device and attacked it. They were successful.”
The first round of ‘medjacking’ affected X-ray systems and other equipment, TrapX said.
The next wave in 2016 built on that success.
The crooks created malware to look specifically for medical equipment, seeking out machines with older operating systems like MRI machines and CT scanners, James said.
“You and I don’t see that—if we’re having an MRI scan, it’s underneath the covers—but it’s running an old version of Windows,” he said. “It’s outdated. It’s highly vulnerable to attack.”
The third wave of medjacking shows new expertise, according to James.
“They had this very unique technique of not being discovered by the most advanced detection technologies that are out there in the industry today,” he said.
Example of a fluoroscopy system. TrapX reported it found hackers camping out in some fluoroscopy systems in 2016. Image: Kieranmaher via Wikimedia Commons
Out to kill?
As you lie there in the MRI machine or that CT scanner—feeling vulnerable—you may wonder if the lurker wants to hurt you, or at least steal your images as they appear.
No, TrapX said.
“They’re not going to try and harm a patient,” James said. “They’re not going to try and harvest anything out of that CT scanner, but they’re going to use that as a basecamp to launch an attack.”
Why not hurt you, if they can?
“There’s no money in it,” said James. “Really, all of this is about—at the end of the day—is money, looking to figure out how to make the most amount of money.”
The big money comes from tracking down the big patient record databases, stealing the information and selling it on the black market, TrapX said.
Or from locking up the hospital’s files with ransomware, demanding payment to get it back.
One year ago, a California hospital paid $17,000 to unfreeze its systems.
Ransomware hit two other California hospitals soon after, though reports say the hospitals did not pay up.
A Kansas hospital paid one ransom to decrypt its files in 2016, but then refused when malicious hackers demanded more money, according to news reports.
Cybersecurity companies like Palo Alto Networks predicted that medical facilities would continue to suffer ransomware attacks in 2017.
Why do the cyber crooks target medical equipment?
People usually monitor the more typical computer systems, James said.
“No one’s looking at an MRI scanner to see if it has malware on it,” he added.
In addition, the manufacturers have to put their devices through certification with the Food and Drug Administration, which could take months or years, he said. By the time the devices are certified, their systems may be out of date.
“There’s billions of dollars of outdated equipment in the industry today that’s not going to be ripped and replaced,” he said. “And that’s a big challenge.”
There is not an easy solution, according to Michael McNeil, senior director of product security for Philips Healthcare, a maker of medical equipment.
The health care device ecosystem is complex, with manufacturers, hospitals, and multiple regulators, he said.
Some hospitals depend on the vulnerable medical equipment every day to keep patients safe and healthy.
“In most cases, hospitals and other institutions—it’s not like they have a truck of these sitting in the back room and they can just wheel a new one in,” McNeil said to Archer News.
What to do
Clicking on a nasty link could lead to disaster—an attacker can take over your device, send messages to everyone in your contacts, trick them into clicking, and take over their devices and the networks where they work.
If it’s a medical center, the stakes are higher. People could have trouble getting medical care, or could lose their money if someone uses their health information to steal their savings or their identity.
“Most of us have seen the problem where we have a friend on Facebook. They send us a message and it looks really weird. And we still click on it because they’re trusted. That’s how a lot of these things start,” James said.
Send your friend a message back to see if they really sent it, as James does.
“In fact, I had two last week where, no, they didn’t, and their systems were hacked,” he said.
Please log in
You may receive an e-mail asking you to log in or update an account.
Always check on your own to see if that e-mail is legitimate before clicking on anything in the message, James recommended.
You can go to the site directly and log in there, or call the company.
But medical facilities and manufacturers need to take steps to help protect medical equipment and systems, he advised.
For example, hospitals can set up roadblocks between systems so that equipment like MRI machines can’t access medical record databases, and train staff about not clicking on shady links.
An example of what a phishing e-mail might look like. Image: Andrew Levine via Wikimedia Commons
Some hospitals may not be following best cyber hygiene practices or keeping devices updated as requested, McNeil indicated.
He said medical facilities, manufacturers and researchers should all use information sharing guidelines to help each other keep malicious hackers out.
And people should not let fear of medical device attackers keep them from going to the hospital, he added.
“I don’t see people saying, because of vulnerabilities that have also been identified, that everyone now abandons riding or driving a motor vehicle,” McNeil said. “Or abandons going and utilizing banking and other financial institutions, or not using your credit card ever again.”
10 out of 10?
TrapX found medjacking in every hospital they checked, according to James—ten in all, most in the U.S.
That could mean many more hospitals are infected, he explained.
You may need to accept that, for now, your next MRI or CT scan could come with a visitor—a cyber invader living inside the machine, waiting patiently to strike.
“We have to be aware that these things are happening,” James said. “We thought these medical devices were specially designed to do one purpose and one purpose only. They can’t be used for anything else. Oh, no, we found out otherwise.”