Medical Device Hijacking: Cybercriminals Target Healthcare Infrastructure to Steal Sensitive Data

Oct 15, 2015 08:27 CST Updated 08:27

Medical data is referred to as the “holy grail” by cybercriminals. According to Reuters, medical information is worth ten times more than credit card numbers. Hackers continuously launch attacks using malware to steal this information, leaving healthcare networks’ security defenses increasingly stretched and inadequate.

TrapX has released a research report on cyberattacks against three hospitals, in which hackers exploited attack vectors to compromise hospital systems. Researchers refer to this method as medical device hijacking (MEDJACK). An attack vector refers to a method used by hackers to target computers or network servers. Attack vectors enable hackers to identify any potential vulnerabilities within a system. Researchers have warned that the hijacking of medical devices will unleash a catastrophic storm upon major healthcare institutions worldwide. The MEDJACK attack vector may represent the “weakest link” in hospitals.

TrapX also discovered that numerous security vulnerabilities existed across various medical devices in the three independent hospitals it investigated, including X-ray equipment, Picture Archiving and Communication Systems (PACS), and Blood Gas Analyzers (BGA). Nevertheless, many devices remained immune to MEDJACK, including diagnostic equipment (such as PET scanners, CT scanners, and MRI machines), therapeutic devices (such as infusion pumps, medical lasers, and LASIK surgical systems), and life-support equipment (such as heart-lung machines, medical ventilators, ECMO systems, and dialysis machines), among others.

Attack on Hospital Blood Gas Analyzers

The report indicates that blood gas analyzers are commonly used in intensive care units or during surgical procedures. According to an anonymous hospital, they have deployed a robust suite of network defense products and have not detected any attacks to date. However, TrapX discovered that after malware infiltrated the blood gas analyzers, hackers easily established a backdoor into the hospital’s network through lateral movement within the internal network. More alarmingly, the hackers had quietly breached the European Community’s repository for classified data. TrapX also found that malware variants such as Zeus, Citadel, and other worms were lurking on medical devices to steal additional passwords from the hospital. TrapX believes that the hackers’ next likely step would be to “compromise a workstation within the hospital’s IT department.”

When the TrapX Labs team used a Novartis Biomedical CCX (Critical Care Express) device to reproduce an attack in a simulated environment, they were surprised to find that all hospital data was unencrypted. Meanwhile, researchers also discovered that once hackers establish a backdoor on the blood gas analyzers or any other medical devices, they can freely manipulate unencrypted data storage and transmission equipment. In summary, the experimental team at TrapX believes that MEDJACK attack vectors have the potential to distort or alter internal data.

The report explains that, on one hand, medical devices are closed systems that are often outdated, frequently modified, and run operating systems with known vulnerabilities, such as Windows 2000, Windows XP, and Linux. This is why the MEDJACK attack vector provides hackers with highly vulnerable targets on a global scale. Firewalls cannot easily detect or patch such attacks. On the other hand, hackers have an open door. They can infiltrate the network, bypass existing firewalls, and exploit a time window to compromise medical devices and establish a backdoor inside the supposedly protected network. Although hospitals often deploy firewalls behind medical devices and run antivirus software and other anti-intrusion security endpoints on their internal networks, TrapX states that “medical devices are the key hub for hackers to infiltrate healthcare networks.” Since medical technology teams cannot access the internal software of medical devices, they must rely on manufacturers to establish and maintain the security of these devices. However, manufacturers have not yet developed effective software to detect most payloads generated by MEDJACK attacks.

Lateral Attack on Hospital Radiology Departments

At another hospital, hackers employed a different attack strategy, seeking other targets through network transmission. In this case, the source of the lateral movement was the Picture Archiving and Communication System (PACS), which allows radiology departments to store and access images from multiple sources. These image sources include CT scanners, MRI scanners, portable X-ray machines (C-arms), X-ray equipment, and ultrasound devices. The PACS system also attempted to function as part of a botnet, connecting to command-and-control servers. At a hospital in Guiyang, China, hackers infiltrated a critical nursing station via lateral movement and stole a large amount of the hospital’s confidential data. While performing their duties, medical staff were inadvertently using a virus-infected website.

Intrusion into Hospital X-ray Systems

According to observations by TrapX, critical components of medical devices were once again infected with malware in the third case. In this instance, hackers installed a backdoor in the hospital’s X-ray system. According to Carl Wright, General Manager of TrapX, “Our scientists have observed that attackers can simulate a suite of attacks, developing several models specifically designed for particular medical devices, and then launch these attacks. In designing such attacks, perpetrators can exploit the complexities inherent in diagnosis and treatment, as well as the high value of medical data, thereby creating a nearly perfect target for organized crime.”

Remote Attack on Hospital Drug Pumps

Cyberattacks on medical devices such as insulin pumps and cardiac pacemakers can be fatal, prompting the U.S. Food and Drug Administration (FDA) to intervene forcefully to protect wireless medical devices from hacker interference. Several years later, the U.S. Department of Homeland Security launched an investigation into 24 types of life-critical medical devices with cybersecurity vulnerabilities. Now, there is more troubling news regarding vulnerabilities in the medical device sector; for instance, hackers could exploit remote access capabilities in drug infusion pump software to alter medication dosages to lethal levels.

Security researcher Billy Rios discovered that at least five models in Hospira’s drug infusion pump system were vulnerable. He told Wired magazine, “This is the first time we have found that we can alter the dosage of medication.”

After testing the infusion pumps, Rios found that five models had very weak defenses: the standard PCA LifeCare infusion pump, the PCA3 LifeCare and PCA5 LifeCare infusion pumps; as well as the Symbiq series and Plum A+ model infusion pumps. Wired added that at least 320,000 Plum A+ model infusion pumps are installed in hospitals around the world. Although Rios has not yet tested other models for vulnerabilities, he suspects that the company’s Plum A+3, Sapphire, and SapphirePlus model infusion pumps all have varying degrees of vulnerability.

Compiled by Liu Jianqiu
Editor: Huang Jia