The untold security risk: Medical hijack attacks

We hear a lot about security exploits in financial services firms and retailers. But a new report shows healthcare organizations are attacked most often.

The untold security risk: Medical hijack attacks

Healthcare is now the most frequently attacked industry, beating out financial services, retail and other industries, according to a new report by TrapX. As a result, healthcare organizations are having trouble keeping pace with the number and sophistication of attacks they have to deal with.

The report, entitled MEDJACK 2, details the sheer scale of attacks that hospitals and other medical establishments suffer on a regular basis. It is a follow-up to a similar report TrapX released last year.

+ Also on Network World: Healthcare needs more IT security pros – stat +

TrapX, a cybersecurity vendor in the deception space, found an increasing number of attacks targeting the healthcare industry and, worryingly, a number of successful attacks that have penetrated security defenses within hospitals.

This is, of course, a huge concern. When a financial institution is breached, people can potentially steal money. But when a hospital is breached, patients’ lives are on the line. Potentially attackers could get access to medical records and prescription systems and tamper with those.

Even more worryingly is that there are now a huge variety of medical devices—from pacemakers to life support systems—that are IP-enabled. The idea of an attacker hacking a medical facility's network and getting access to a patient's pacemaker is a worrying concern. And while that has always been simply a case of scary science fiction, TrapX's research indicates there is much potential there.

The report explains how attackers have evolved and are increasingly targeting medical devices that use legacy operating systems that contain known vulnerabilities. By camouflaging old malware with new techniques, the attackers are able to successfully bypass traditional security mechanisms to gain entry into hospital networks and ultimately access sensitive data.

One factor that should slightly reduce the panic that this report creates is the finding that mainly these attackers are looking for data that they can sell rather than wanting to create real mayhem. There appears to be a lucrative black market for patient data.

Patient data on the black market

Greg Enriquez, CEO of TrapX Security, said persistent medical device attacks targeting hospital networks went undetected for months.

“Over the last year, we saw the compromise of healthcare networks come into the public spotlight, making frequent news headlines,” he said. “Evidence confirms that sophisticated attackers are going after healthcare institutions, and they are highly motivated to gain access to valuable patient records that can net them high dollars on the black market.”

MEDJACK 2 shows that MEDJACK 1 was not an anomaly, but the beginning of a growing trend—a trend that’s become prevalent, Enriquez said. Increasingly attackers use sophisticated attack strategies to steal patient data while remaining undetected, he said.

Combatting attacks

The findings provide a nice segue into a bit of business development for TrapX, whose co-founder, Moshe Ben Simon, displays impressive chutzpah when his number one suggestion to combat these attacks is for hospitals to review budgets and bring in new technologies. He says hospitals need tools that can "identify attacks within their networks, not just at the perimeter."

TrapX says its solutions detect, analyze and defend against real-time cyber attacks. Rather than trying to simply block attacks, TrapX deceives would-be attackers with turnkey decoys (traps) that “imitate” customers' true assets. Hundreds or thousands of traps can be deployed, creating a virtual minefield for cyber attacks, alerting customers to any malicious activity with actionable intelligence immediately.

Like many vendors in the cyber security field, TrapX spends a bunch of time looking at what happens out in the real world—both to inform its own product development, but also to educate the public about the risks in different sectors. The company produces a series of reports that demonstrate the results of TrapX research into critical infosec issues, hence the latest reporting zeroing into the medical field.

Commercial imperatives notwithstanding, this report is a sobering document that should make hospital administrators and IT personnel sit up and think about the attack risks within their organization.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2016 IDG Communications, Inc.

IT Salary Survey: The results are in