Home →Security →How IT Teams Can Protect Health Care Data

How IT Teams Can Protect Health Care Data

By Karen A. Frenkel | Posted 06-24-2015

1 of

How IT Teams Can Protect Health Care Data

By Karen A. Frenkel
The Rise of MEDJACKs: Medical Device Hijacks

Medical devices have become key pivotal points within health care networks for cyber-attackers. They are the hardest area to remediate even when attacker compromises are identified.
Devices and Electronic Medical Records Connected

Because medical devices and electronic medical records are being deployed quickly across doctors' practices and hospitals due to government incentives, this community has connected the most vulnerable devices with the highest valued data.
Types of Compromised Equipment

X-ray machines, picture archives and communication systems and blood gas analyzers are vulnerable.
Critical Care Units Used for Analysis

The report found that Nova Biomedical and its Critical Care Express units contain Zeus and Citadel malware. Hackers used the devices, which were several years old, to find passwords within the hospital. TrapX studied these devices to understand and illustrate MEDJACK.
Recommendations

The report suggests 13 ways to safeguard medical devices and data, including that medical institutions rapidly integrate and deploy software and hardware fixes provided by medical device manufacturers and have senior management and QA teams track them.
Protections and Quarterly Reviews

Procure medical devices only after reviewing with the manufacturer their cyber-security processes and protections. Review these quarterly.
Review and Remediate Devices Now

Many devices are probably already infected and creating unknown risks to institutions and patients, so review and remediate them now.
Medical Device End-of-Life Strategy

Many medical devices have been in service for years and should be retired, especially if they have no strategy against malware.
Update Your Medical Equipment

Although updating support and maintenance that specifically address malware remediation may increase expenses, it is necessary and prudent. Manufacturers should offer documented test processes to determine whether devices are infected and standard process to remediate them.
Prepare for HIPAA Violations

You may find exfiltration of patient data. Compliance and IT must work together to document such incidents, and provide notice and follow-up in accordance with the law.
- How IT Teams Can Protect Health Care Data
  
  View Slideshow »
View All Slideshows >

Hackers have placed malicious software on critical medical devices and can remotely access them, rendering health care institutions vulnerable to a perfect storm of attacks, according to a new report. Cyber-attackers are attracted to medical devices because they contain health care data and insurance credentials, which the black market values 20 times more than credit cards. The report, "Anatomy of an Attack: Medical Device Hijack (MEDJACK)," was prepared by cyber-security defense firm TrapX Security. It explains how attackers can rapidly penetrate medical devices and establish backdoors to gain access to the rest of a health care institution's data. Drawing on data from three cases of ongoing attacks, the report recommends that hospitals review contracts with medical device suppliers to address the detection, remediation and refurbishment of medical devices infected by malware. It also offers recommendations. TrapX Vice President Moshe Ben Simon said, "Hospitals must have a documented test process to determine if their devices have become infected, and suppliers must have a documented standard process for remediating and rebuilding devices when they are exploited by cyber-attackers."

Karen A. Frenkel writes about technology and innovation and lives in New York City.