Medjacking. . . Hackers Hi-Jacking Medical Devices

In recent posts I have discussed the need for security to keep hackers from injecting malware into medical devices. Now, TrapX Laboratories has issued a paper on an attack vector called MEDJACK, or “Medical Device Hi-Jack” (http://trapx.com/solutions/industry-2/healthcare/). TrapX explains that medical devices are “key pivot points” on a healthcare network. They are the weakest link in the chain, as they are often the easiest and most vulnerable points of entry into a medical provider’s network. Once in the network, the hacker can hi-jack and remove data from the healthcare institution.
A large part of the problem is that medical devices are FDA approved. The medical provider that purchases and uses the medical device cannot install its own cyber defense mechanisms on the device. Tampering with the device, in addition to possibly running afoul of FDA regulations, might affect its operation, resulting in liability for the healthcare provider if a patient is injured.
Oftentimes, the provider does not even have access to the device’s operating system. The problem is compounded by the fact that medical devices are often not designed to maintain security within the device. Even if the device is manufactured with adequate security, it is not maintained to meet the ever-changing attacks developed by hackers. When an intrusion is detected, remediation can be difficult without support from the manufacturer to access the device’s internal memory.
Any medical device connected to the internet can be affected. This includes CT scanners, MRI machines, infusion pumps, dialysis machines, and life support equipment. Once the hacker gains access to the medical device, in addition to affecting the operation of the device, he can use the device to access other parts of the medical provider’s network, such as medical records. The hacker can also shut down critical hospital systems, or engage in an enterprise-wide attack.
What is the solution? In addition to several technical recommendations, TrapX recommends a review of contracts with medical device suppliers. These contracts should address the detection, remediation and refurbishment of medical devices that become infected with malware. I will add that these contracts should address indemnity, cooperation by the device manufacturer in the event of an intrusion, ongoing security updates by the manufacturer, and assurances regarding the security built into the device during the manufacturing process, or “security by design”.

Written by: Richard Sheinis, Esq.
