Upon further observation, the software was able to determine that confidential patient data was
being exfiltrated to Guiyang, China.

In this case, targeted emails the attackers sent to the hospital took users to a website that
installed a Java exploit onto the workstation and then spread.

As in the previous example, the hospital’s standard cyber-defense was unable to scan or
remediate anything within the PACS system, which now served as a back door to attackers and
opened up the hospital’s networks to continued attack.

In the third real-world example, TrapX technology detected that an attacker had compromised a
c-arm X-ray machine.

As with the other discoveries, the research pointed to an advanced persistent attack where the
attacker(s) had backdoor access through one of the hospital’s medical devices.

In all three cases, the standard cyber-defenses employed by these hospitals were unable to
scan or detect the attackers within the medical devices.


Recommendations

“TrapX Labs strongly recommends that hospital staff review and update their contracts with
medical device suppliers,” said Moshe Ben Simon, TrapX Security co-founder and vice
president.


“These contracts should address the detection, remediation and refurbishment of medical
devices sold by the supplier that later become infected by malware. Hospitals must have a
documented test process to determine if their devices have become infected, and suppliers
must have a documented standard process for remediating and rebuilding devices when
malware and cyber attackers are caught exploiting them.”

Going forward, TrapX Labs recommends that hospitals and major healthcare institutions
implement the following:

• Adjust procedures to allow for the rapid integration of software and hardware updates
that are provided by medical device manufacturers
• Adjust procedures to procure medical devices only after a review with the manufacturer
that focuses on cyber-security processes and protections
• Implement a strategy to identify and remediate existing compromised medical devices
now
• Implement plans to update existing contracts with medical-device vendors for support
and maintenance that specifically address malware remediation
• Prepare for significant security events that are reportable under HIPAA. Healthcare
institutions should seek the advice of competent HIPAA consultants



66 Cyber Warnings E-Magazine – July 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
