Contents
About Anatomy of an Attack (p. 3)
Executive Summary (p. 4)
Healthcare Under Siege (p. 7)
Inside the Healthcare Network (p. 9)
Case Study #1 – Hospital Laboratory - The Blood Gas Analyzer Pivot Attack (p. 13)
Case Study #2 – Hospital Radiology - The PACS Pivot Attack (p. 16)
Obfuscation of Malware in Healthcare Attacks (p. 19)
Conclusions (p. 21)
Recommendations (p. 22)
Introducing Deception Technology for Healthcare (p. 24)
DeceptionGrid – Breaking the Intrusion Chain (p. 25)
DeceptionGrid – Core Functionality (p. 26)
DeceptionGrid – Key Components (p. 28)
DeceptionGrid - Benefits and Value for Healthcare (p. 29)
About TrapX Security (p. 30)
Find Out More – Download a Free Trial (p. 30)
Find Out More – Contact Us Now (p. 30)
Trademarks (p. 30)
Special Supplement - Wireless Access Brings Risk to Patients (p. 31)
About Anatomy of an Attack
The Anatomy of an Attack (AOA) series highlights the results of our research into
current or potential critical information security issues. The AOA series is
published by TrapX Laboratories. The mission of TrapX Labs is to conduct critical
cybersecurity experimentation, analysis and investigation and to bring the benefits
back to the community at large through AOA publications and rapid ethical compliance
disclosures to manufacturers and related parties.
The TrapX Labs knowledge base benefits significantly from information on advanced
malware events shared with us by the TrapX Security Operations Center (TSOC).
Uniquely, this TSOC threat analysis includes very deep intelligence on advanced
persistent threats (APTs) and zero-day events.
Executive Summary
This Anatomy of an Attack (AOA) report shares our research into the state of cyber
security within the healthcare industry. The results of this research suggested the
title of this report: healthcare is truly in a state of siege. Attacker activities threaten
overall hospital operations and patient well-being. These attacks, although not always
sophisticated zero-day events, represent a clear and grave threat to hospital
operations, the security of patient data and ultimately patient safety. Our team has
identified several attack vectors that could result in patient injury, or even death.
Our report does not identify the specific manufacturers of the compromised devices,
which include PACS systems, multiple blood gas analyzers and more. At a later date
we will move forward to complete the distribution of an ethical disclosure. At that
time we will provide these ethical disclosures to the manufacturers for review and
comment, and then to the public at large.
As in other industries, the attackers in healthcare are funded by organized crime,
nation states or a variety of other “bad actors.” The great majority are clearly after
valuable healthcare data and economic gain. Health insurance credentials can have a
value twenty times that of a credit card on the hacker black market. These attackers
know that healthcare networks have more vulnerability and provide greater potential
rewards. They have already determined that these vulnerabilities are so extreme as to
make healthcare the easiest choice for their attack. We have concerns that there are
small but growing risks for these attacks to be used by terrorists or even nation states
to target a medical facility and their patients in times of war or national interest.
The TrapX Labs team refers to this attack vector as MEDJACK, or “medical device
hijack.” Medical devices have clearly become the key pivot points for the attackers
within healthcare networks. They are the most significant point of vulnerability in the
healthcare enterprise, the least protected area, and the hardest area to remediate
even when attacker compromise is identified. We will explain why medical devices are
primary pivot points, how the attacks happen, and once established, how the advanced
persistent threats can extend these command and control points to breach the
hospital’s records over an extended period of time.
The typical hospital is replete with internet-connected systems and medical devices.
These devices are also connected to the electronic medical records (EMR) systems that
are being deployed at a fast pace across physicians’ practices and hospitals due to
government incentives such as meaningful use.[1]
[1] http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Meaningful_Use.html
“We use the term MEDJACK, or medical device hijack, to frame
what we see as the attack vector of choice in healthcare.
Attackers know that medical devices on the network are the
easiest and most vulnerable points of entry. The MEDJACK is
designed to rapidly penetrate these devices, establish
command and control and then use these as pivot points to
hijack and exfiltrate data from across the healthcare
institution. MEDJACK also creates the potential for injury or
even death to patients whose care and support rely on malware
infected devices within the hospital.”
-Moshe Ben Simon, Co-Founder & VP, TrapX Security, General Manager TrapX Labs
Primary research came from first-hand data from incidents within the TrapX security
operations center (TSOC). This included a detailed review of data and analysis
associated with ongoing, advanced persistent attacks in three (3) hospitals. These
attacks pivoted around medical devices which were installed within the hospitals’
hardwired networks.
Our primary mission has been to focus on malware that impacts government and
commercial enterprise where we can leverage our core deception technology. On a
global basis, some of our healthcare customers have expressed concern over the
potential for directed threats to patients delivered through wireless networks to their
internet of things medical devices. The U.S. Department of Homeland Security
(ICS-CERT[2]) has expressed some concern over the use of these wireless attack vectors to
potentially direct a terrorist attack against patients. Further, the ICS-CERT team
continues to investigate these capabilities on a regular basis and has issued a
considerable amount of guidance on this topic.[3]
Our team decided to do a survey of these devices to better understand the nature of
these attacks and the risk to our customers. We have issued a special supplement to
this report, where TrapX Labs and our research team took a broader look at those
medical devices used with ambulatory patients.
[2] https://ics-cert.us-cert.gov/
[3] http://www.computerworld.com/article/2837413/security0/dhs-investigates-24-potentially-deadly-cyber-flaws-in-medical-devices.html
Finally, we present our analysis and recommendations for minimizing the risk
associated with a MEDJACK attack, and the best practices for the design, implementation
and lifecycle management of networked medical devices.
Healthcare Under Siege
Healthcare is a massive market with annual expenditures that consume approximately
17.4 percent of the gross domestic product in the United States.[4] The ecosystem that
provides healthcare in the U.S. includes 893,851 physicians[5] spread across
approximately 230,187 practices, each of which may have more than one office. Integral
to the physicians’ practices and hospital operations are the 2,724,570 registered
nurses,[6] physician assistants and administrative staff that support them.
The infrastructure to support the delivery of their expertise is equally massive. There
are approximately 5,686 hospitals[7] that support this ecosystem directly, and then
closely related ecosystems that include many thousands of skilled nursing facilities,
ambulatory surgical centers, physical therapists and much more. And over 75% of
these physicians’ practices have electronic medical records (EMR/EHR) systems which
are all interconnected with the rest of the ecosystem.[8]
All of this presents a major target of opportunity for cyber attackers. Recent examples
include the 2014 breach of Community Health Services.[9] The attackers acquired
names, addresses, birth dates, telephone numbers and social security numbers from
4.5 million patients.[10] This attack, which occurred between April and June 2014,
compromised the company’s security measures and successfully copied and exfiltrated
data outside the company.
The healthcare information at Community Health Services was potentially protected by
a variety of laws. This data potentially included protection under the Health Insurance
Portability and Accountability Act (HIPAA), which is enforced, in part, as specified
by the HITECH Act. Healthcare data is also governed by laws that vary by state which
specify the protection of HIV/AIDS data. Finally, there are data breach laws, which
also vary by state, that might apply in the case of a breach such as Community’s.[11] All
of this creates significant expense and liability beyond the short-term ramifications of
the breach. Of course, the potential damage to each of the patients whose data was
stolen is also a key concern.
[4] http://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/NationalHealthExpendData/NationalHealthAccountsHistorical.html
[5] http://kff.org/other/state-indicator/total-active-physicians/
[6] http://kff.org/other/state-indicator/total-registered-nurses/
[7] http://www.aha.org/research/rc/stat-studies/fast-facts.shtml
[8] http://www.hhs.gov/news/press/2014pres/08/20140807a.html
[9] http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/
[10] http://www.usatoday.com/story/tech/2014/08/18/community-health-systems-hack-attack-45-million/14226421/
[11] http://www.dwt.com/statedatabreachstatutes/
Healthcare has always been a major target. As of March 30, 2015, the Identity Theft
Resource Center (ITRC) shows healthcare breach incidents as 32.7% of all listed
incidents nationwide. Per ITRC, for the first quarter of 2015, over 99,335,375 medical
records have been exposed and compromised in the United States alone.[12] Viewed in a
different context, Experian produced the 2015 Annual Data Breach Report, which lists
the “Persistent and Growing Threat of Healthcare Breaches” as a top trend for 2015.
Experian further notes that the potential cost of breaches for the healthcare industry
could be as much as $5.6 billion annually.[13]
All of this demand for healthcare data presents a compelling opportunity for organized
crime. Cybersecurity firm Dell SecureWorks notes that cyber criminals were getting
paid $20 to $40 for health insurance credentials, compared with $1 to $2 for U.S. credit
card numbers prior to the Target breach.[14] The Federal Bureau of Investigation (FBI)
issued a private industry notification (PIN) report in April 2014 that noted cyber-
attacks will increase against healthcare systems and medical devices due to lax
cybersecurity standards and a higher financial payout for medical records on the black
market.[15]
[12] http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReportSummary2015.pdf
[13] http://www.experian.com/assets/data-breach/white-papers/2015-industry-forecast-experian.pdf
[14] http://www.secureworks.com/resources/blog/general-hackers-sell-health-insurance-credentials-bank-accounts-ssns-and-counterfeit-documents/
[15] https://info.publicintelligence.net/FBI-HealthCareCyberIntrusions.pdf
Inside the Healthcare Network
We do not know of standard cyber defense software available from third parties that
installs and operates on standalone medical devices. By definition, medical devices
are turnkey systems. They go through an FDA approval process[16] prior to commercial
release to make sure that the standards of manufacture and product performance
protect consumers and meet intended use. The purchaser or user of these systems
cannot install their local suites of cyber defense. The reasons may include lack of
visibility, through a console or otherwise, into the basic operating system access
required, lock-up of the internal environment by the original equipment manufacturer
(OEM) to prevent access, or explicit cautions by the medical device
manufacturer. In some cases we understand that the hospital is concerned about
liability brought on by accidentally affecting the correct operation of the device. The
effect of loading updates and/or additional software is never completely known or
understood.
The FDA understands the problem. FDA guidance makes it clear that updates and
patches to software to protect against viruses, worms and other threats are important,
and specifically, in its guidance document for manufacturers on the cybersecurity of
networked medical devices, that the FDA does not have to review or certify these
“patches or updates.”[17] The goal is that manufacturers must stay focused on developing and
maintaining adequate cyber defense capability in their medical device platforms. On
the other side of the situation, the hospitals are concerned and perhaps evaluating
ways to remediate specific situations without the manufacturer’s consent. This can
perhaps create more problems than it solves. The FDA has stated that it does not
expect hospitals to have the expertise of the manufacturer and provides direction to work
with the manufacturer to deal with potential cybersecurity vulnerabilities.[18]
Hospitals have many departments and most must purchase a variety of highly
specialized, FDA-approved medical device equipment. This equipment has network
access and generally is believed to be within a “protected network.” The protection
afforded by the internal network generally includes a firewall, signature-based
protection such as anti-virus software, other endpoint and intrusion security and more.
To be blunt, there are very few diagnostic cyber security tools a hospital can use that
can identify malware resident on the overwhelming majority of these devices. In fact,
even when an infection is suspected, most hospital security teams have no idea how to get a memory
dump from these systems sufficient for analysis and malware diagnosis. These
devices are closed devices, running out-of-date, closed, oftentimes modified and likely
insecure operating systems such as Windows 2000, Windows XP or Linux. That’s why
the MEDJACK attack vector presents a highly vulnerable target to attackers on a global
basis. The defenders cannot easily get in to detect or remediate an attack. On the
other hand, the attackers have an open door.
[16] http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/DeviceApprovalsandClearances/
[17] http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
[18] http://www.fda.gov/RegulatoryInformation/Guidances/ucm070634.htm
So, the strategy behind the MEDJACK attack vector becomes apparent very quickly.
The security gap that makes MEDJACK so appealing is that most of the information
technology cyber defense in the “protected network” cannot run on the medical
devices. Cyber defense can only run on the servers and workstations (personal
computers) around them. Once the attacker can get into the network and bypass
existing security, they have a time window to infect a medical device and establish a
backdoor within this protected (and safe) harbor.
Some of the more enterprising hospitals have likely tried to install cyber protection on
some of the devices. Most hospital teams, and certainly their administration in the
hospital, are generally cautioned (and concerned) about even the consideration of
loading a piece of software onto the medical devices. Any software beyond a patch or
update supplied by the manufacturer might negatively impact FDA approval. This
situation also has the potential to create additional liability for the hospital. It is a
small step to conceive of a scenario where the loading of additional software by the
hospital, unspecified by the medical device manufacturer, could impact performance or
accuracy negatively and result in patient injury.
“MEDJACK has brought the perfect storm to major healthcare
institutions globally. The health information technology team
is totally dependent on the manufacturers to build and maintain
security within the device. The medical devices themselves just
do not have the requisite software to have any chance of
detecting most of the software payloads delivered by MEDJACK
attack and cannot detect the command and control networks
once they are established. Finally, the standard cyber security
environment set up in the hospital, regardless of how effective
it might be, cannot access the internal software operations of
medical devices. For all of these reasons MEDJACK is very
difficult to detect and remediate.”
-Carl Wright, EVP & General Manager, TrapX Security
Compromised devices can include any medical device with internet connectivity. In our
three (3) case studies this included the picture archiving and communications system
(PACS) in one hospital’s radiology department, a medical x-ray scanner in another
hospital’s radiology department and several blood gas analyzers in a third hospital’s
laboratory in service to critical care and emergency services.
Note that even after our deception technology detects the MEDJACK within the devices,
remediation may still be difficult. Complex malware and persistent attacks often
require that cyber security experts have access to the internals of the device itself.
They must be able to access internal memory (they need to extract this in the form of a
memory dump for analysis). This access is needed to determine exactly the variant of malware
and to develop a plan for remediation in complex situations. This access to internal
memory may not be achieved without considerable support from the manufacturer. Of
course, standard support agreements between the hospital and the medical device
manufacturer pertain to product functionality, but not to infection from the hospital’s
networks and certainly not to remediation and repair in these circumstances.
“TrapX Labs strongly recommends that hospital staff review
and update their contracts with medical device suppliers. The
manufacturer must contractually commit to step up to whatever
cost is required to enhance the cyber defense in these devices.
They must include very specific language about the detection,
remediation and refurbishment of the medical devices sold to
the hospitals which are infected by malware. They must have a
documented test process to determine if they are infected, and
a documented standard process to remediate them when
malware and cyber attackers are using the devices.”
-Moshe Ben Simon, Co-Founder & VP, TrapX Security, General Manager TrapX Labs
There are many other devices that present targets for MEDJACK. This includes
diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic
equipment (infusion pumps, medical lasers and LASIK surgical machines), and life
support equipment (heart-lung machines, medical ventilators, extracorporeal
membrane oxygenation machines and dialysis machines) and much more. Most of
these devices run standard Microsoft® Windows and the medical devices’ proprietary
internal software. All of this has been through stringent FDA approval and
certification.
Doctors and nurses within intensive care depend on laboratory-based medical devices
such as a blood gas analyzer to help diagnose problems and plan patient therapy. This
sort of device is used often in critical care situations. A wrong reading can result in
missing the delivery of required therapy, or perhaps delivering the wrong therapy, and
materially harm the patient. Our research has told us that when compromised, a blood
gas analyzer can become the pivot point to support an extended enterprise attack.
Unfortunately, if the attackers’ goals change to those of a terrorist, these devices are
wide open for attacks that can compromise device readings and operation, and
threaten the patient’s well-being directly. Further, in time of need, these sorts of
attacks can also be used to shut down critical hospital systems necessary for the
treatment of patients and military personnel.
Recognize that a pivot attack begins with the reconnaissance process. Attackers begin
by looking for the weakest asset in the network for persistence. Medical devices and
the MEDJACK attack vector are clearly the hospital’s “weakest link in the chain.”
Case Study #1 – Hospital Laboratory - The Blood Gas Analyzer Pivot Attack
Our first case study focuses on a global healthcare institution where we provided an
installation of the basic DeceptionGrid system. Our involvement was part of an
evaluation of deception technology. There were absolutely no indicators of malware
infection or persistent threats visible to the customer. The customer had a very strong
industry suite of cyber defense products. This included a strong firewall, intrusion
detection (heuristics based), endpoint security and anti-virus and more. The hospital
information technology team included a security operations command (SOC) team with
several highly competent and experienced cyber technologists.
Within a few days of our deployment of DeceptionGrid we received high-level alerts to
malicious activity within their networks. Upon inspection, it became apparent that this
was a form of persistent attack and the attacker continued to move through their
networks looking for appropriate targets. DeceptionGrid noted that the source of this
lateral movement was in fact three (3) of the customer’s blood gas analyzers
present in the hospital laboratory. These were each infected separately and each had
now enabled backdoors[19] into the hospital networks.
The lateral movement prior to our involvement enabled the infection of one of the
hospital IT department’s workstations. Confidential hospital data was being exfiltrated
to a location within the European Community. It is uncertain how many data records in
total were successfully exfiltrated.
[19] http://searchsecurity.techtarget.com/definition/back-door
We found the use of Zeus malware[20] and we also found the presence of Citadel
malware[21] being used to find additional passwords within the hospital. The goal was to
gain entry to the hospital systems to acquire data.
It is clear that the pivot point for these attacks and the initial infection was the blood
gas analyzers. We are completing our analysis, disclosure and discourse with the
manufacturers.
[20] http://en.wikipedia.org/wiki/Zeus_%28malware%29
[21] http://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/#.VSFvhfnF80E
The most important point of this analysis is not the malware. Malware could be a new
zero-day form of malware, or malware several years old and more common. We will
successfully detect both kinds during their lateral movement. The most important
point is that the relatively unprotected aspects of medical devices make successful
attacks upon healthcare networks easier than upon most standard corporate
information technology resources. The medical devices themselves create far broader
exposure. It is the ideal environment upon which to launch persistent attacks with the
end goal of accessing high-value data. And this exposure is not easily remediated,
even when the presence of malware is identified conclusively. We will expand upon this
further during our analysis and recommendations.
Case Study #2 – Hospital Radiology - The PACS Pivot Attack
Our second case study focuses on a global healthcare institution where, as in the first
case study, we provided an installation of the basic DeceptionGrid system. Once again,
our involvement was part of an evaluation of deception technology. As before, there
were absolutely no indicators of malware infection or persistent threats visible to the
customer. The customer had a typical industry suite of cyber defense products. This
included, as before, an industry standard firewall, intrusion detection (heuristics
based), endpoint security and anti-virus. The hospital information technology team
included a security specialist with strong background and experience.
Almost upon deployment DeceptionGrid generated high-level alerts that indicated
malicious activity within their networks. This was a form of persistent attack and the
attacker continued to move through their networks looking for appropriate targets.
DeceptionGrid noted that the source of this lateral movement was the picture archive
and communications system (PACS) that provided the radiology department with
storage of, and access to, images derived from multiple sources. These image sources
included CT scanners, MRI scanners, portable x-ray machines (c-arms), x-ray and
ultrasound equipment.
The PACS system is central to hospital operations and is linked very directly to the rest
of the hospital for access to vital imagery. This imagery is used for diagnosis and
treatment. Further, ambulatory physicians have access to this imagery through their
EMR systems located within their individual practice office locations. So the PACS
system is well positioned to be the pivot point for an advanced persistent attack.
The lateral movement prior to our involvement enabled the infection of a key nurse’s
workstation. Confidential hospital data was being exfiltrated to a location within the
Asia Pacific region. It is uncertain how many data records in total were successfully
exfiltrated. Communications went out encrypted using port 443 (SSL) and were not
detected by existing cyber defense software.
The attack vector was very simple and basic. After reconnaissance, the attackers sent
targeted email to the hospital. All it took was for one person to click on the link. This
took them to a website which enabled the installation of a Java exploit which was able
to download onto the workstation, and then spread. Information technology’s cyber
defense detected this, and likely eliminated it, but not before it infected the PACS
systems. As in our first case study, the hospital’s standard cyber defense was unable
to scan or remediate anything within the PACS system. So now the persistent attack
can continue as a backdoor was set up through the PACS system. The PACS system has
become the pivot point for the attack across the healthcare enterprise.
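The exfiltration above left the hospital over port 443 from a device that has no reason to reach the internet, and the encryption hid the content but not the destination or volume. As an added example (not TrapX or the hospital's own tooling), the following Python check flags any flow whose source is on the hospital's medical-device inventory and whose destination lies outside the hospital's own address ranges; the inventory, internal ranges and flow records are all constructed for the example.

```python
"""Flag flows leaving medical devices for external hosts.

Added example, not TrapX or hospital code. Assumes the hospital keeps an
inventory of medical-device addresses and can export NetFlow-style records.
The inventory, internal ranges and flow lines below are all constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed inventory: addresses assigned to medical devices.
MEDICAL_DEVICES = {
    "10.20.5.14": "PACS server (radiology)",
    "10.20.7.31": "blood gas analyzer (laboratory)",
}

# Constructed address plan: anything outside these ranges is "external".
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed flow records (key=value, one per line). Lines 2 and 6 are the
# PACS server pushing data to an outside host on 443; line 4 is a workstation,
# which this particular check deliberately leaves to other controls.
SAMPLE_FLOWS = """\
ts=2015-03-30T10:15:02 src=10.20.5.14 dst=10.20.1.8 dport=104 bytes=52000
ts=2015-03-30T10:15:09 src=10.20.5.14 dst=203.0.113.25 dport=443 bytes=1048576
ts=2015-03-30T10:16:40 src=10.20.7.31 dst=10.20.1.8 dport=443 bytes=4100
ts=2015-03-30T10:17:01 src=10.20.9.2 dst=198.51.100.7 dport=443 bytes=9800
garbage line that the parser must skip
ts=2015-03-30T10:18:22 src=10.20.5.14 dst=203.0.113.25 dport=443 bytes=2097152
"""

FLOW_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["bytes"] = int(rec["bytes"])
            yield rec


def is_external(addr, internal=INTERNAL_NETS):
    """True when addr is outside every internal range (or is not an IP at all)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # an unparsable destination is treated as suspicious
    return not any(ip in net for net in internal)


def find_device_egress(text, inventory=MEDICAL_DEVICES):
    """Total bytes per (src, dst, dport) for device traffic to external hosts.

    Encryption on 443 hides the content, but the volume and the destination
    are still visible in flow data, so the check ignores the port entirely.
    """
    totals = defaultdict(int)
    for rec in parse_flows(text):
        if rec["src"] in inventory and is_external(rec["dst"]):
            totals[(rec["src"], rec["dst"], rec["dport"])] += rec["bytes"]
    return dict(totals)


def format_alerts(totals, inventory=MEDICAL_DEVICES):
    """Human-readable alert lines, largest transfer first."""
    return [
        f"{inventory[src]} {src} -> {dst}:{dport} sent {nbytes} bytes"
        for (src, dst, dport), nbytes in sorted(totals.items(), key=lambda kv: -kv[1])
    ]


if __name__ == "__main__":
    for line in format_alerts(find_device_egress(SAMPLE_FLOWS)):
        print("ALERT:", line)
```

Because the rule keys on the device inventory rather than on a port or signature, it fires regardless of which malware family is behind the connection, which is the point the case study makes about detection on devices that cannot be scanned.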
Obfuscation of Malware in Healthcare Attacks
Tools have evolved to help mask old, easily detectable malware threats as new
malware. This technique is called obfuscating malware. This, in effect, creates new
malware software as the malware is effectively camouflaged and invisible to detection
and defensive techniques.
This strategy does not work as well to attack markets such as financial services and
insurance where the vulnerabilities associated with medical devices do not exist. But
healthcare is a different story. Using MEDJACK as the vector of choice, attackers are
able to effectively remanufacture and redeploy old exploits, even such old malware as
Conficker[22] and dozens of others, with tremendous impact.
All of this, of course, makes the healthcare institutions more vulnerable. These
exploits root within medical devices in major healthcare institutions and evade most
cyber defense software for extended periods of time. The IT teams believe that the
environment is clear of threats. In fact, these persistent attackers are comfortably
situated within the enterprise and free to exfiltrate confidential patient records, or
worse yet, perhaps, some day to enable harm to fall to patients directly.
Obfuscation techniques we see used by malware in healthcare include:
Polymorphism. Polymorphic malware morphs and changes over time so that it is not
easily detected by anti-malware software. The malicious code can change in a variety
of ways to include how it is encrypted, compressed and even the filename and
extensions to it. The basic functions of the malware will be the same, for example if it
is a password stealer it will continue to function as such, but it causes significant
delay in the time to detection.
Software Packers (Repacking). Packers are normally used by legitimate software
manufacturers to keep proprietary information private while retaining the function of
the software. These software packers are placed around modules of software to
compress and sometimes encrypt their contents. While these can be legitimately used
by software manufacturers, they are very commonly used by malware to hide the
contents of malicious files from cyber defense software scanners. Packers basically
process executable files in real time as they run: the malware is first unpacked, then
loaded into memory and executed. A file can be packed and repacked many times with
incremental changes to the packing method and to the file inside.
This repacking process produces what appears to be a file that is undetectable by most
signature-based and many heuristics-based techniques. The trend today in the
healthcare malware we are seeing is to use this technique so that the attacker can
invest less in creating original malware, and instead remanufacture and repack older
exploits targeted at the MEDJACK vector. Cyber defense software sometimes identifies
packer software, but this often creates large quantities of excess false alerts based
upon the legitimate use of packers within the enterprise.
[22] http://www.techopedia.com/definition/48/conficker
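Cyber defense software commonly spots packers with a byte-entropy heuristic, and the paragraph above explains why that over-alerts. The following Python, added here and not TrapX code, computes per-section Shannon entropy over constructed sample binaries and shows a repacked file and a legitimate installer carrying a compressed resource tripping the same threshold; the section names and byte blobs are constructed, not taken from real files.

```python
"""Entropy heuristic for spotting packed sections, and why it over-alerts.

Added example, not TrapX code. Real tools run this on PE/ELF section data;
here the "sections" are constructed byte strings so the example runs offline.
"""
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_sections(sections, threshold=HIGH_ENTROPY):
    """Map section name -> (entropy rounded to 3 places, looks_packed)."""
    result = {}
    for name, blob in sections.items():
        h = shannon_entropy(blob)
        result[name] = (round(h, 3), h >= threshold)
    return result


def _random_blob(n, seed):
    """Deterministic pseudo-random bytes: stands in for packed or zipped data."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample "binaries" (section names chosen for the example).
CLEAN_TEXT = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x33\xdb" * 300
PACKED_STUB = _random_blob(4096, seed=1)  # stands in for a repacked payload
LEGIT_RSRC = _random_blob(2048, seed=2)   # stands in for a zipped resource

SAMPLE_FILES = {
    "unpacked_tool.exe": {".text": CLEAN_TEXT, ".data": b"\x00" * 512},
    "repacked_malware.exe": {".text": b"\x90" * 256, ".packed": PACKED_STUB},
    "legit_installer.exe": {".text": CLEAN_TEXT, ".rsrc": LEGIT_RSRC},
}


def files_with_packed_sections(files, threshold=HIGH_ENTROPY):
    """Names of files with at least one high-entropy section, sorted.

    The legitimate installer lands in this list too: the heuristic cannot
    tell a packed payload from a compressed resource, which is the source of
    the false alerts the report describes.
    """
    return sorted(
        name
        for name, secs in files.items()
        if any(flag for _, flag in classify_sections(secs, threshold).values())
    )


if __name__ == "__main__":
    for fname, secs in SAMPLE_FILES.items():
        print(fname, classify_sections(secs))
    print("flagged:", files_with_packed_sections(SAMPLE_FILES))
```

In practice the heuristic is only useful as one input to triage; pairing it with an allow-list of known packed vendor software, or with the behavioural detection the report favours, is what keeps the alert volume manageable.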
Junk Code Injection. Sometimes it is as easy as inserting “junk code” or extra lines
into the malware program. This in effect can change the signature and make the
malware undetectable.
Modern malware creation tools make this attack on healthcare more challenging.
Imagine a hacker taking a malware program and then, through automation, creating 50
different copies of it, all appearing unique, but delivering essentially the same
functionality. Sandboxing techniques working in conjunction with anti-virus software
can mitigate this to some extent, but not enough. Malware is also developed to work
around this form of detection.
Conclusions
In contrast to regular corporate IT networks, healthcare networks are much more
vulnerable to attack. The data stored within healthcare networks remains a primary
target for attackers on a global basis. For all of these reasons and more we expect
targeted attacks on hospitals to increase throughout 2015 and 2016. Further, based
upon our experience and understanding of MEDJACK, we believe that a large majority
of hospitals are currently infected with sophisticated malware that has remained
undetected for months and in many cases years.
The important point of this report is that these vulnerabilities, as they exist in medical
devices, render many components of the hospital’s cyber security technology useless.
You cannot detect malware on a system which you cannot scan. The primary reason for
this problem is centered on the fact that medical devices are closed systems. As FDA
certified systems, they are not easily opened for the installation of additional third-party
software by the hospital staff. This makes hospitals on a global basis wide open
targets for attackers using a variety of malware and techniques.
Finally, even when sophisticated attacks are detected by new products using deception
technology, it is still very difficult to remove the malware and blunt the attack. The
outgoing IP addresses can be blocked, but removal of the malware is a tricky
proposition. Hospitals really don't want to impact the operation of these systems;
they depend on them, often on a 24 x 7 basis. They are also concerned about liability.
What happens if the hospital IT team impacts the operation of a medical device and
that results in an erroneous diagnosis or therapy? And finally, malware infection is so
prevalent that hospitals will be spending many tens of thousands of dollars with a
variety of manufacturers cleaning the devices and reloading the medical device
software. It's a perfect storm for attackers, and our healthcare institutions are in the
middle of it.
Recommendations
Our review of the security infrastructure of the studied hospitals provided very valuable
and useful information for us. These findings are supported by TrapX Labs (TSL)
research and experience and by our constant dialog with other leading security experts
on a global basis. We see multiple areas for deeper and continued research.
In terms of specific recommendations, hospitals and major healthcare institutions
should consider the following:
• Review and update your strategy to rapidly integrate and deploy software fixes
and/or hardware fixes provided by the manufacturer to your medical devices.
These need to be tracked and monitored by senior management and quality
assurance teams.
• Review and update your strategy to procure medical devices from any vendor
only after a review with the manufacturer that focuses on the cyber security
processes and protections. Conduct quarterly reviews with all of your medical
device manufacturers.
• For your existing medical devices, TrapX Labs **strongly** recommends that
hospital staff review and update their contracts with medical device suppliers.
Renegotiate now. If these new services raise operating budgets, we believe that
the additional expense is necessary and prudent. The manufacturer must
contractually commit to step up to whatever cost is required to enhance the
cyber defense in these devices. The contracts must include very specific language
about the detection, remediation and refurbishment of medical devices sold to the
hospital which are infected by malware. The manufacturer must have a documented
test process to determine whether devices are infected, and a documented standard
process to remediate them when malware and cyber attackers are using the devices.
• Consider a strategy to review and remediate your existing devices now. We
estimate that over 2/3 of these are likely infected and placing your operation
and patients at risk.
• If you are a healthcare entity within the U.S., it is very possible you will find
exfiltration of patient data that falls within the HIPAA breach notification trigger
(more than 500 patients affected). Compliance and information technology must
work together to document these incidents and provide the notice and follow-up
required by law. There are similar compliance requirements in many countries
around the world; this advice applies on a global basis.
• Hospitals in the U.S. are very likely primary targets over time for HIPAA
compliance audit. Given the extreme risk of data breach that hospitals face, we
recommend bringing in outside consultants to review your HIPAA compliance
program in 2015.
• Avoid allowing any of these devices to provide USB ports for staff use without
additional protections. Consider one-way use of new memory sticks only, to
preserve the air gap. Otherwise one medical device can infect similar devices.
• Favor signed software: a digital signature is a cryptographic technique used to
validate the authenticity and integrity of software, so that tampered or
repackaged binaries can be rejected before they run.
• Run security tests to discover vulnerabilities and help with the management of
your medical device manufacturers.
• Implement advanced firewalls to resist hacker attacks and only allow specified
IP addresses in or out (a default-deny allowlist per device). Many firewalls are
misconfigured and don't have the latest features and defenses available. It takes
a security expert to understand the best ways to configure the latest firewalls;
this is not business as usual for your information technology team.
• Protect the management interface on medical devices from inside attackers and
only allow limited access to these devices based upon need.
• Utilize a technology designed to identify malware and persistent attack vectors
that have already bypassed your primary defenses. Deception technology can
provide this advantage for your security operations center (SOC) team.
• If you are a smaller hospital or clinic obtain the services of a managed security
service provider (MSSP) to manage these challenging security issues on an
ongoing basis.
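The firewall recommendation above (allow only specified addresses in or out) is easiest to reason about as a default-deny allowlist per device, and the same rules can be run retrospectively over flow logs to find devices that are already talking where they should not. The script below is an added example, not code from the report or from TrapX; it audits constructed NetFlow-style records against a hypothetical allowlist for a device VLAN. All addresses, ports (HL7/MLLP on 2575, DICOM on 104) and log formats are assumptions.

```python
import ipaddress
import re

# Constructed flow records (NetFlow-style key=value lines). Timestamps,
# addresses and byte counts are made up for this example.
SAMPLE_FLOWS = """\
2015-05-01T10:02:11Z src=10.20.1.15 dst=10.10.0.5 dport=2575 proto=tcp bytes=4120
2015-05-01T10:02:40Z src=10.20.1.15 dst=10.20.1.16 dport=445 proto=tcp bytes=9800
2015-05-01T10:03:02Z src=10.20.1.22 dst=10.10.0.9 dport=104 proto=tcp bytes=2200000
2015-05-01T10:03:15Z src=10.20.1.15 dst=198.51.100.77 dport=443 proto=tcp bytes=61800
2015-05-01T10:04:01Z src=10.20.1.22 dst=10.10.0.9 dport=104 proto=udp bytes=400
"""

# Hypothetical medical-device VLAN and the hospital's internal address space.
DEVICE_VLAN = ipaddress.ip_network("10.20.1.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Default-deny allowlist: (source network, destination network, dst port, protocol).
# Anything not listed here is a policy violation.
ALLOW_RULES = [
    (ipaddress.ip_network("10.20.1.15/32"), ipaddress.ip_network("10.10.0.5/32"),
     2575, "tcp"),   # blood gas analyzer -> lab information system (HL7 over MLLP)
    (ipaddress.ip_network("10.20.1.22/32"), ipaddress.ip_network("10.10.0.9/32"),
     104, "tcp"),    # imaging modality -> PACS (DICOM)
]

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)")


def parse_flow(line: str):
    """Return (src, dst, dport, proto) as strings, or None for non-flow lines."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["proto"].lower()


def is_allowed(src: str, dst: str, dport: int, proto: str, rules=ALLOW_RULES) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn and dport == p and proto == pr
               for sn, dn, p, pr in rules)


def classify(src: str, dst: str, dport: int, proto: str):
    """Reason a flow violates policy, or None if it is allowed."""
    if is_allowed(src, dst, dport, proto):
        return None
    d = ipaddress.ip_address(dst)
    if not any(d in n for n in INTERNAL_NETS):
        return "external destination (possible C2 or exfiltration)"
    if d in DEVICE_VLAN:
        return "device-to-device traffic inside the VLAN (possible lateral movement)"
    return "destination not in allowlist"


def audit(flow_text: str):
    """Return [(line, reason)] for every flow that violates the default-deny policy."""
    findings = []
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = classify(*flow)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"{reason}: {line}")
```

Note that the "external" test is an explicit RFC 1918 check rather than Python's `is_private`, because that property also treats documentation ranges such as 198.51.100.0/24 as private and would hide the outbound flow to the constructed C2 address. The same rule table, expressed in the firewall's own syntax, is what the allowlist should look like in production; the audit is how you find out which devices will break (or are already compromised) before you enforce it.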
Introducing Deception Technology for Healthcare
Deception technology is a new category of cyber security designed to meet head-on the
threats of malicious software, targeted attacks, zero day exploits and other
sophisticated attacks. DeceptionGrid automates the deployment of a network of
camouflaged malware traps that are intermingled with your real information
technology resources. The traps appear identical in every way to your real IT assets.
Once malware has penetrated your enterprise, the attackers move laterally to find high
value targets. Just one touch of the DeceptionGrid sets off a high confidence ALERT.
Real-time automation isolates the malware and delivers a comprehensive assessment
directly to your SOC team.
Now the basic pattern of malware deployment and privilege escalation activity is
disrupted. At the first moment of reconnaissance and lateral movement the APT is
identified positively. Automation adds powerful forensics so that your SOC team has an
almost immediate understanding of the nature of the attack. You can begin rapidly to
implement the best path for remediation and removal.
DeceptionGrid – Breaking the Intrusion Chain
The TrapX DeceptionGrid™ now makes it possible to break the intrusion chain. Attackers
map the network and move laterally. Just one touch of the DeceptionGrid sets off a
high confidence ALERT. Real-time automation isolates the malware and delivers a
comprehensive assessment directly to your SOC team.
DeceptionGrid – Core Functionality
DeceptionGrid has been designed from the beginning to fit efficiently and securely into
healthcare operations. DeceptionGrid includes Malware Trap Sensors and Network
Intelligence Sensors. Our Security Intelligence Management provides Integrated Event
Management and fully automated Forensic Analysis.
This automated analysis enables the SOC to move faster yet at the same time reduce
costs as excess escalation is no longer required. Further, DeceptionGrid’s mechanism
of generating an alert is not based upon a probabilistic event or clustering around
adjustable thresholds. These are very high confidence events. These alerts are
directly generated and triggered by explicit contact with our Malware Trap Sensors.
DeceptionGrid includes important core functionality to support your cyber defense.
This includes:
Automated Deployment of Camouflaged Malware Traps
The platform scans the existing network and creates a camouflaged network of
emulated systems, including servers, switches, databases, and applications,
interleaved with the real assets.
Sandbox Analysis
Payloads affecting these malware traps are immediately inspected for known
behaviors, such as a search engine crawler, and any unknown activity is transferred
and isolated in a sandbox server. As soon as Zero-Day malware starts executing within
the sandbox, the platform’s forensics server examines it and builds a detailed model of
the exploit architecture in real time, with no added expertise needed from security
personnel. This radically reduces the time and effort required to identify, analyze, and
remediate threats. DeceptionGrid produces a level 3 analysis. This includes both a
static and dynamic analysis, profile and signature set.
Integrated Event Management
The information produced in this automated analysis is then pulled into the platform’s
management system, tagged with a distinct event ID, and stored within an integrated
event- management database. This actionable threat intelligence can be shared or
integrated with customer’s existing security systems in the network.
Threat Intelligence
DeceptionGrid’s business-intelligence engine builds a profile of the attack vector and
performs root-cause analysis on the event. The engine then correlates this information
with outside information from a fully integrated threat-intelligence feed.
Outbound Packet Inspection (Botnet Detection)
DeceptionGrid also provides packet inspection of outbound traffic to identify malicious
behavior on existing servers. DeceptionGrid uses intelligence from the malware traps
to target specific behaviors and components, and to spot lateral movement of complex
threats. This sharing allows the engine to catch more infected assets before they
spread. It also adds greater scalability and efficiency to the system, and avoids many
of the performance and latency problems associated with deep packet inspection
technology.
DeceptionGrid – Key Components
These are the key components in a system deployment:
Malware Traps
A mesh of virtual decoy malware traps lures and diverts APT and Zero-Day attacks away
from real hosts. This grid of decoy malware traps runs low-level emulations of many
real-life systems in the network to present attackers with a high-fidelity emulation of
reality. Our virtual network of malware traps catches previously undetected Zero-Day
malware before it can infect real IT assets.
Management Dashboard
A dashboard with fully featured sandbox capabilities allows payloads captured by
DeceptionGrid sensors to execute for real-time forensics investigation. An automated
forensics engine examines payload as it executes in real time within the sandbox to
identify and catalogue unique behavior and attributes of Zero-Day activity. Event data
is pulled into a comprehensive event management database.
Business Intelligence Engine
A business intelligence engine takes event data and builds profiles to detect and
prevent future attacks. A threat intelligence feed layered into event analysis is
integrated directly into the management system, enabling the attribution and creation
of topology maps. This rich data and intelligence analysis allows for swift remediation
of known attacks against IT systems.
DeceptionGrid Platform
Users can deploy the TrapX platform in the cloud or on their premises. The platform is
fully integrated and extensible. All communications between sensors and the
management platform are secured by an encryption protocol that allows real-time
updates without any kind of inbound firewall connection.
"Detection is a binary event – not probabilistic. There is
no cloaking available to a sophisticated attacker that
enables them to violate the integrity of the detection.
There are no false alerts. Any cyber event that touches
the interlaced network of virtual "decoy" computing
resources in DeceptionGrid is by definition malicious
and unauthorized activity and is immediately alerted to
your security team."
-Yuval Malachi, Co-Founder and CTO, TrapX Security
DeceptionGrid - Benefits and Value for Healthcare
Deception technology brings strong benefits to our healthcare customers. We address
key pain points within their existing cyber defense strategy. Some key value points
include:
• We detect mid-point VLAN movement by malware in real time, which is unseen
by other cyber defenses. We monitor and protect these areas. This enables us to
detect the movement of malware emanating from medical devices which do not
run or allow scanning by your standard cyber defense suite. This ultimately
reduces the risk of economic loss, impact to business operations and threats to
patient well-being.
• Our technology detects the movement of advanced malware almost immediately.
We dramatically reduce the time to breach detection for the most sophisticated
zero day events, advanced persistent threats (APTs) and other malware. The
longer an attacker has access to your internal hospital networks the greater the
probability of severe economic and operational impact. Reduction in time to
breach detection is a critical and important metric.
• We generate a small number of highly accurate and actionable alerts.
Important events are not missed or ignored by your security operations
center (SOC) team. This reduces risk, as you can now more rapidly detect
and defend against these complex threats to your hospital. No big data, no need
to process thousands or millions of alerts. And no missed alerts.
• We identify malware within the VLAN and then we automatically deliver a
complete static and dynamic analysis. This provides your SOC team with a
complete level 3 analysis without extensive manual processes. This helps
reduce the time for your SOC team to determine appropriate action.
• Our deployment is automated, simple and very fast. Our automation reduces the
investment required to protect the entire enterprise. This makes it easy to plan
for rapid deployment.
• Our Threat Intelligence Center automatically flows information from discovered
threats across our network so that our customers can immediately benefit.
• DeceptionGrid seamlessly integrates into your existing hospital network
architecture without requiring any changes to configuration or topology. This
saves time and resources upon the initial implementation and over the life cycle
of system support.
Special Supplement - Wireless Access Brings Risk to Patients
Medical devices are worn, carried or embedded for ongoing medical therapy. Many of
these are connected via wireless and represent new vectors for attack. Unfortunately,
these attack vectors are not about financial gain. They are about a direct threat to
targeted individuals by organized crime, terrorists or nation states.
We did preliminary research into the wide range of medical IoT devices used with
ambulatory patients, including pacemakers, insulin pumps, drug pumps, deep brain
neurostimulators, gastric stimulators, cochlear implants, vital sign monitoring and
more. We also identified foot drop implants as a potential area of investigation. The
goal was to understand and document attack vectors and to assess the relative risk to
patients.
The New Zealand hacker and computer security expert, Mr. Barnaby Jack, is widely
credited with documenting initial attack vectors for the hack of insulin pumps and
pacemakers. Mr. Jack's testimony[23] in this area may have convinced the U.S.
Government Accountability Office (GAO) to recommend that the FDA improve
information security for medical devices. We have confirmed these attack vectors as
presenting potential risks for patient safety.
[23] http://www.thedailybeast.com/articles/2013/07/26/the-good-hacker-barnaby-jack-dies.html