For doctors, X-rays and the machines that produce them are powerful tools for diagnosing an injury or an illness.

For thieves, X-rays can be the starting point for identity theft. An X-ray includes a patient’s name, date of birth, the hospital name, and sometimes an account number. A cybercriminal can guess the city of residence based on this information, and from there can look up property tax and voting records.

In a new report on the state of healthcare data security, Malwarebytes reports that cyber criminals can use patient data to create “synthetic identities—which are new, unique identities built from amalgamations of data taken from various individual records.” They can use this new identity to buy medical equipment or prescription drugs, obtain medical services, or even “combine a patient number with a made-up name of a health provider to file medical insurance claims.”

Cyber criminals have even used X-ray machines themselves to launch malware attacks. In 2018, Symantec found that a group called “Orangeworm” had been deploying the Kwampirs backdoor onto X-ray and MRI machines.

This is only one of the terrifying findings in the new report from Malwarebytes, “Cybercrime tactics and techniques: the 2019 state of healthcare.”

Adam Kujawa, the director of Malwarebytes Labs, said that hospitals offer many potential entry points for cyber criminals.

“People could be sitting in a parking lot of a hospital and set up a fake access point to the hospital’s free Wi-Fi,” he said. “Or you can try to breach the actual hospital network, just sit in the ER waiting room with your computer.”


Physical access is also easy, given all the people wandering around hospitals with carts and laptops.

“Let’s say a doctor came in with a cart and was checking out your arm and while he’s looking at you, I’m putting a USB drive into his laptop and installing a keylogger,” Kujawa said.

In addition to the physical vulnerabilities in a hospital setting, the nature of healthcare systems makes them ideal targets due to:

  • Millions of data points
  • Large number of endpoints
  • Prevalence of legacy systems
  • Insecure apps
  • Low IT budgets for security

The new report looks at what tools cyber criminals are using to steal personal health information and explains why healthcare organizations are irresistible targets.

Triple threat: Emotet + TrickBot + Ryuk

Malwarebytes reports that cyber criminals most often use Trojan malware to attack healthcare organizations. Threat detections have gone up from 14,000 endpoint detections in Q2 2019 to more than 20,000 in Q3 – an increase of 45%. Emotet was the biggest problem at the start of the year, while TrickBot has been more active in the second half of the year.

The report found that not only have many hospitals not patched the SMB vulnerabilities that WannaCry used, but many of the Trojan attacks deliver ransomware payloads. Malwarebytes analysts found that “Emotet not only launches TrickBot as a secondary payload, but both Emotet and TrickBot often drop Ryuk ransomware in a combination attack.”
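The unpatched SMB finding is the one a hospital IT team can check for itself in minutes. The following PowerShell function is an added example, not code from the article or the Malwarebytes report: it audits whether SMBv1, the protocol version the WannaCry exploit chain relied on, is still enabled on a Windows host, and whether SMB signing is required on the client side. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later and uses only built-in cmdlets (Get-SmbServerConfiguration, Get-SmbClientConfiguration, Get-WindowsOptionalFeature); the function name Get-Smb1Exposure is this example's own.

```powershell
# Added example: local SMBv1 exposure audit for a single Windows host.
# Not part of the Malwarebytes report; cmdlets below ship with Windows.
function Get-Smb1Exposure {
    [CmdletBinding()]
    param()

    # Server-side and client-side SMB settings for this host.
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # On Windows 10 / Server 2016 and later, SMB1 is also an optional
    # feature that can be removed entirely rather than just disabled.
    $feature = $null
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
    } catch {
        # Older builds do not expose SMB1 as an optional feature; report N/A.
    }

    $recommendation = if ($server.EnableSMB1Protocol) {
        'SMB1 is enabled: disable it with Set-SmbServerConfiguration -EnableSMB1Protocol $false ' +
        'and confirm the March 2017 SMB security update (Microsoft bulletin MS17-010) is installed.'
    } else {
        'SMB1 is disabled on the server side.'
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        Smb1ServerEnabled     = $server.EnableSMB1Protocol
        Smb2ServerEnabled     = $server.EnableSMB2Protocol
        Smb1FeatureState      = if ($feature) { $feature.State.ToString() } else { 'N/A' }
        ClientSigningRequired = $client.RequireSecuritySignature
        Recommendation        = $recommendation
    }
}

# Usage: run in an elevated PowerShell session and review the summary.
Get-Smb1Exposure | Format-List
```

Running this across a fleet (for example through Invoke-Command against a list of hosts) gives a defensible inventory of which machines still speak SMBv1; legacy imaging workstations are the ones most likely to show up, and for those the report's point about unsupported systems applies directly, since the fix may have to be network isolation rather than a patch.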

The report authors looked at regional differences in malware activity. The West had the highest number, with nearly 24,000 threat detections over the last year, or 42% of total US healthcare detections. The Midwest had 36% of US healthcare detections. The top five western states targeted were Idaho, California, New Mexico, Nevada, and Colorado. In the Midwest, Illinois, Ohio, Wisconsin, Michigan, and Kansas had the most attacks.

Regardless of the location, healthcare organizations share all the same vulnerabilities that make them prime targets: lots of PHI, low security, and multiple entry points.

A treasure trove of personal health information

When hackers steal patient data, they get more than the standard set of personally identifiable information (PII): complete name, date of birth, Social Security number, address, and phone numbers. Thieves also get data that is only available from healthcare providers: health conditions, scans, blood test results, family and/or genetic history, drug prescriptions, and physicians’ diagnoses. As the report authors point out, “unlike credit card information, one’s birth date, SSN, and medical history are irreplaceable.”

Legacy systems everywhere

The Malwarebytes authors are blunt on this one: The sustained use of legacy and unsupported systems is considered one of the top reasons why healthcare remains an easy target for cyberattacks.

One component of this problem is the slow process of upgrading systems. Another element is the fact that many devices aren’t PCs and cannot be upgraded, due to hardware limitations or the end of firmware support.

Kujawa said the largest barrier to better security is the IT budget. “The biggest issue is that they don’t have the funds to do what they need to do to protect themselves,” he said.

The report is clear on this topic as well:

“… the primary budget decision makers in the medical field—especially its board of directors and chiefs of staff—must divert some funding for security staff, equipment, training, and defense software and services, otherwise continue to be picked off by opportunistic threat actors.”

If hospitals don’t start finding more money for IT staff and security budgets to speed up the upgrade process, “…patients, staff, and the business itself will continue to take the full brunt of cyberattacks.”

Large number of endpoints

The generally accepted “bring your own device” approach is bad enough for securing a hospital environment. The security risk gets even worse when patient and visitor devices and medical Internet of Things devices are added into the mix. Malwarebytes considers IoT devices, especially those belonging to staff, as inherently insecure because:

  1. They are often created by developers who are not trained in producing secure code.
  2. They have not baked security into the design of the product itself.
  3. They are unable to be protected by security software because they are too specialized.
  4. They are a personal device not protected by network or endpoint security.

While the medical IoT has the potential to improve patient care, connected devices from Wi-Fi-enabled infusion pumps to smart MRI machines represent a substantial risk to a network that contains EHR and personal health records. These devices increase the attack surface dramatically.

Insecure apps

This is another instance where increasing convenience for patients and doctors also increases security risks. Malwarebytes reports that apps expand the attack surface in several ways:

  • Apps interface and communicate with the overall security infrastructure of the associated healthcare organization
  • The presence of advertising or analytics trackers increases processing time, which could increase the app’s vulnerability to breach
  • Not all medical apps are required to be HIPAA compliant

Finally, because many healthcare apps share data with third parties, “there’s a chance that cybercriminals needn’t even breach the program, but instead can let the data come to them.”

Securing the next wave of digital tools

If hospitals can’t keep X-rays and EHR records secure, what does that mean for even more sophisticated technology in healthcare settings? The most sobering part of the Malwarebytes report is the “Future Concerns” section.

Elon Musk’s company Neuralink is working on technology to link the human brain to a computer – a Human Brain/Cloud Interface (B/CI). The original intent is good – helping people deal with brain and spinal cord injuries. Testing this interface in the lab is one thing, but connecting such a system to hospital systems that use legacy software is a completely different challenge.
As the Malwarebytes authors ask: Is it even possible to secure an Internet-connected human brain? If cyber criminals can put X-ray machines to nefarious use, they certainly would want to weaponize more advanced healthcare technology.

This chart shows the activity of the top 10 threat families against medical organizations, according to Malwarebytes detections over the last year. Massive spikes of Emotet, which Malwarebytes classifies as a Trojan, occurred in late 2019 and throughout Q1 2019.
Image: Malwarebytes report, Cybercrime tactics and techniques: the 2019 state of healthcare