Why medjacks are the unseen risk to healthcare cybersecurity

Medjacks, or medical device hijackings, are a severe and often unseen threat in the healthcare industry. Hackers exploit vulnerabilities in medical devices like infusion pumps, pacemakers, and imaging systems, taking control of these tools to exploit healthcare organizations.

Understanding medjack attacks 

According to a journal article titled, Security & Privacy Concerns, Medjacking and Attacks in IOT Healthcare System, “Medjacking, as the name suggests is the process of hijacking the biomedical devices available in hospitals to create backdoors to harm and/or threaten a patient. In history, this process of attack has been commonly referred to as a ticking time bomb…”

Medjacks, or medical device hijackings, are cyberattacks where hackers take control of medical devices like infusion pumps, pacemakers, and imaging systems. Cybercriminals, often motivated by financial gain or data theft, carry out these attacks. The risk of Medjacks is that they can compromise patient safety by altering device functions, stealing sensitive medical data, and disrupting hospital operations. This form of attack is especially common in healthcare because many medical devices run on outdated software and lack strong security features. 

How medjacks infiltrate healthcare networks 

1. Attackers begin by scanning for medical devices with weak security protocols. Many devices run on outdated software or have default passwords that are easy to crack. These include devices like infusion pumps, pacemakers, MRI machines, and other connected health equipment.
2. Once a vulnerable device is identified, attackers use various techniques to exploit its weaknesses. This could involve using known exploits for unpatched software, leveraging default or weak passwords, or exploiting communication protocols that lack encryption.
3. After exploiting the device’s vulnerabilities, hackers gain access to the medical device. The compromised device acts as a gateway into the healthcare network.
4. With access to the medical device, attackers can then move laterally across the network. They use the device as a stepping stone to access other parts of the network.
5. To deepen their infiltration, attackers attempt to escalate their privileges within the network. They look for higher-level access accounts or exploit additional vulnerabilities to gain administrative rights.
6. Once they have access, attackers can exfiltrate data, such as patient records, personal information, and financial data. They may also install malware or ransomware to disrupt hospital operations, encrypt data, and demand a ransom for its return.
7. To ensure long term access, attackers may install backdoors or other persistence mechanisms. This allows them to return to the compromised network even if some security measures are implemented post-attack.
8. Finally, skilled attackers will cover their tracks to avoid detection. They may delete logs, obscure their activities, and use sophisticated techniques to remain hidden within the network, making it difficult for cybersecurity teams to detect and respond to the breach.
   
   

How the information from medjacks is commonly used 

An investigative report released by TrapX Research Labs provides that, “..., medical devices cannot be scanned, so understanding the status of potential cyber threats within medical devices is very limited.” Medjacks are particularly effective because many medical devices were not originally designed with cybersecurity in mind. 

During Medjack attacks, hackers target a wide range of sensitive information, starting with patient medical records that contain detailed health histories, diagnoses, treatments, and medications. Building on this, they also seek personal identification information like names, addresses, birthdates, and Social Security numbers. Financial data, including credit card numbers and insurance details, becomes another prime target as it can be used for fraudulent transactions.

Once hackers obtain this information, they deploy it in various malicious ways. Personal and medical data often end up on the dark web, where it is sold to buyers who use it for identity theft and financial fraud, such as opening credit accounts or filing fake tax returns. Detailed medical records enable the creation of fraudulent insurance claims or illegal procurement of prescription drugs.

Cybercriminals may resort to blackmailing patients by threatening to reveal sensitive health details unless a ransom is paid. This stolen data also empowers them to launch further attacks against the healthcare organization, using the information to gain deeper access or deceive staff with targeted phishing schemes. 

How legislation guards against medjacks

HIPAA

The Security Rule requires healthcare organizations to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). Sections, like 45 CFR § 164.308, require administrative safeguards such as risk assessments and security management processes to identify and address potential vulnerabilities in medical devices. The Physical Safeguards outlined in 45 CFR § 164.310 demand measures like facility access controls and workstation security.

The Technical Safeguards in 45 CFR § 164.312 include access controls, audit controls, and encryption, for protecting ePHI from unauthorized access and tampering. When a Medjack attack occurs, the Breach Notification Rule (45 CFR §§ 164.400-414) comes into play, requiring healthcare organizations to promptly notify affected individuals, the Secretary of Health and Human Services, and sometimes the media, if a breach of unsecured PHI occurs. 

FDA

Under the Federal Food, Drug, and Cosmetic Act (FDCA), the FDA has the authority to ensure that medical devices are safe and effective, which includes being secure against cyber threats. Specific FDA guidelines, such as those in the guidance document "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," require manufacturers to address cybersecurity risks during the design and development of devices. This document, referenced under FDA regulations, stresses the need to include security measures like encryption, access controls, and regular software updates to protect against potential cyber attacks.

The FDA's "Postmarket Management of Cybersecurity in Medical Devices" guidance also emphasizes ongoing vigilance. It outlines how manufacturers should monitor cybersecurity vulnerabilities, maintain regular communication with users about potential risks, and issue patches or updates as needed to address any discovered threats. The FDA also collaborates with other organizations through initiatives like the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, providing strategies for healthcare facilities to prepare for and respond to cybersecurity incidents.

How to protect against medjacks 

1. Isolate legacy medical devices: Many older medical devices run outdated software that cannot be patched. Isolate these devices on separate network segments with limited access. Place legacy infusion pumps on a dedicated VLAN with strict firewall rules that only allow necessary communications.
2. Deploy medical device management platforms: Use specialized platforms to manage and monitor medical devices, ensuring they are regularly updated and securely configured. Implement platforms like Medigate or Zingbox that provide visibility into device inventory, vulnerabilities, and real-time monitoring.
3. Use device-specific firewalls: Install mini-firewalls directly on medical devices or at the network level to control and monitor all incoming and outgoing traffic. Use solutions like the MedCrypt device firewall to enforce strict communication policies for each device.
4. Conduct device threat modeling: Perform threat modeling specifically for medical devices to understand potential attack vectors and impacts, leading to better security strategies. Use methodologies like STRIDE or PASTA to systematically analyze threats and vulnerabilities specific to medical devices.
5. Apply micro-segmentation: Use micro-segmentation to create highly granular security zones within the network, isolating each medical device or group of devices. Utilize VMware NSX or Cisco ACI to create micro-segments that restrict communication to only necessary systems and services.
6. Utilize blockchain for data integrity: Implement blockchain technology to ensure the integrity and immutability of medical device data, making it harder for attackers to tamper with information. Use platforms like Guardtime or Hashed Health to integrate blockchain for secure logging and data verification.
7. Conduct regular device penetration testing: Perform penetration tests specifically on medical devices to identify and fix security weaknesses before attackers can exploit them. Hire cybersecurity firms that specialize in medical device security to perform detailed penetration testing and vulnerability assessments.
   
   

The reality of medjacks in healthcare 

Medjack.1 to Medjack.3 represents a series of increasingly sophisticated cyberattacks targeting medical devices. Medjack.1, was the first wave where hackers exploited unpatched vulnerabilities in devices like infusion pumps and imaging equipment to infiltrate hospital networks. According to a cumulative article on the progression of medjacks by Dark Reading titled, MEDJACK.3 Poses Advanced Threat To Hospital Devices, “MEDJACK was discovered in 2015 as an organized initiative targeting medical devices in three disparate hospital attacks.” They gained access through these weak points and moved laterally to steal sensitive patient data and disrupt operations. 

The same article provides, “MEDJACK.2, discovered in 2016, is a more advanced version of the original. Cybercriminals used backdoors and botnets to exploit devices and enter networks.” This includes persistence mechanisms, allowing them to maintain control over compromised devices even after some defenses were improved. This version targeted a broader range of devices with more refined tactics. 

By 2018, Medjack.3 emerged, showcasing even greater sophistication. Hackers employed polymorphic malware, which could change its code to avoid detection, and attacked devices like CT scanners and X-ray machines. 

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What is a medical device?

A medical device is any instrument, apparatus, machine, or implant used to diagnose, prevent, or treat medical conditions.

What is VLAN?

A Virtual Local Area Network is a network configuration that separates devices into different segments to improve security and manage traffic more efficiently.

What is the FDA?

Food and Drug Administration is a U.S. government agency responsible for regulating food, drugs, medical devices, and other health-related products.