Hackers Cashing In On Healthcare Industry Security Weaknesses


Between ransomware attacks on healthcare devices, malware-laced “medical” apps, and fraud services available on the dark net, attackers are pushing the boundaries on targeting healthcare.

SAN FRANCISCO – Cybercriminals are pushing boundaries in looking for new ways to cash in on the healthcare space – whether it is persuading desperate patients to download health information apps that actually infect their devices with malware, hitting hospitals with ransomware, or even selling patients fraudulent insurance or medicine on illicit online markets.

The healthcare industry is an extremely lucrative market for cybercriminals, researchers say here at RSA Conference 2020, which takes place this week. Not only is the medical space a treasure trove of personally identifiable information (PII) collected from patients, but medical device manufacturers and hospitals lack basic security hygiene, experts say. And, from a patient standpoint, the industry is also filled with people who may feel vulnerable or desperate in their search for medical assistance – making them easy prey for scams.

Medical experts and patients need to be aware of newly emerging types of risk, said Aamir Lakhani, senior researcher at Fortinet, in a Tuesday session at RSA. “Cybercriminals don’t care if you have had medical problems, they just want to make money, and they’ll target you,” said Lakhani. “We’re seeing new threats and techniques embedded [in] IoT devices in the medical space.”


The current healthcare landscape has already been marred by several large data breaches in 2019. The largest was the breach at AMCA (American Medical Collection Agency), impacting 25 million patients, while other high-profile breaches have included health insurer Dominion National (2.96 million patients) and UW Medicine (973,024 patients).

Databases from these breaches that include medical information, healthcare insurance data, credit card numbers and cell phone numbers are available via illegal online marketplaces. In fact, after Lakhani contacted a seller of one of these databases, the seller showed him his own compromised data.

Perhaps more dangerous are ransomware attacks, which have caused disruption of operations at both hospitals and healthcare networks, including the DCH Health System and Hackensack Meridian Health (both also paid out the ransom to cybercriminals).

“The PII [from these databases] is extremely valuable – they include names, addresses, anything needed to open up a credit card, a car lease, or a cell phone account,” Lakhani said.

But beyond breaches, cybercriminals are looking to other attack surfaces in healthcare. Some of these stem from vulnerabilities in devices themselves, including potentially critical ones such as anesthesia machines and emergency responder communication systems.

For instance, Lakhani pointed to a critical flaw (CVE-2019-10950) discovered in the Fujifilm FCR Capsula X/Carbon X, a computed-radiography system used for diagnostic imaging such as X-rays. The flaw, an improper access control issue in the device’s insecure telnet service, could allow a remote attacker to bypass security restrictions by sending a specially crafted request. That gives the attacker access to the underlying operating system – and with it the potential to alter X-ray results, causing the doctor who views them to give the wrong diagnosis.

Lakhani said he also discovered vulnerabilities in an (unidentified) smart home glucose monitor, which measures glucose levels in diabetes patients and lets them track their readings. Upon closer inspection he found that the monitor communicates with a smartphone app over NFC – but that communication has no authentication at all, meaning that anyone within NFC range could read the data exchanged between the monitor and the smartphone (which includes when the monitor is being worn, when it expires, what the subject’s glucose levels are, and more). Lakhani said that this vulnerability has been disclosed to the device’s manufacturer.

Medical device flaws are nothing new – Medtronic insulin pumps and defibrillators previously made news for critical vulnerabilities – but researchers say that as more and more devices become connected, these types of threats will only continue to escalate.

Cybercriminals are also playing into patients’ needs for medical assistance with scams, sketchy sales online and malicious apps. For instance, many cybercriminals are looking to cash in on the high costs associated with treating diabetes. While laws are making it more affordable, one 10 milliliter vial of insulin costs $20 with insurance in the U.S. ($400 without insurance).  The same amount of insulin could be found for as little as $2 from disreputable resellers online. However, buying from illicit markets comes with risks, said Lakhani, such as dangerous side effects or even potentially being sold the wrong medicine. Cybercriminals are also trying to profit from patients looking for cheaper alternatives with insurance fraud services and even offering up fake doctor’s notes for taking the day off (complete with a call center in case bosses call the “doctor” to double check).

During his research, Lakhani also discovered various apps claiming to help patients with various diseases. For instance, when looking up a treatment for diabetes, he found an app that purported to give patients more information about treatment. But after installation, the app asked for permissions for SMS, GPS, contact information and more. Upon further inspection, he found that the app was in fact signing victims up for premium services that charged their phone bills hundreds of dollars.

Another diabetes app (under the guise of giving information about diabetes medicine) was taking cleartext data and transmitting it to a server in Asia; while still another (a “blood sugar testing app”) was serving up adware and attempting to access users’ device microphones and GPS.
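The two app cases above share a pattern: an app whose stated purpose is purely informational requests permissions that only make sense for billing the user (SMS) or harvesting data (contacts, GPS, microphone), and in one case ships data in cleartext. A cheap pre-install check is to read the permissions and network settings straight out of the APK’s manifest before trusting the app. The Python below is an added example, not code from the article or from Fortinet; the manifests are constructed, the package name is hypothetical, and the mapping from each permission to an abuse scenario is my own triage rubric rather than anything stated on the page.

```python
"""Triage an Android manifest for permissions that an informational
health app has no business requesting.

Added example (not from the article). Run it on the output of
`aapt dump xmltree` / `apktool d` converted to plain XML; the two
manifests embedded below are constructed for demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
CLEARTEXT_ATTR = f"{{{ANDROID_NS}}}usesCleartextTraffic"

# Permissions that let an app bill the user or harvest data, mapped to the
# abuse each enables.  The mapping is this example's own rubric.
SUSPICIOUS = {
    "android.permission.SEND_SMS": "premium-SMS billing / subscription sign-up",
    "android.permission.RECEIVE_SMS": "intercept subscription confirmation codes",
    "android.permission.READ_SMS": "intercept subscription confirmation codes",
    "android.permission.CALL_PHONE": "premium-rate calls",
    "android.permission.READ_CONTACTS": "harvest contact list",
    "android.permission.ACCESS_FINE_LOCATION": "track GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "track approximate location",
    "android.permission.RECORD_AUDIO": "microphone access",
}

# The only permissions an online reference/information app plausibly needs.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the requested permissions split into flagged / unexpected,
    whether cleartext HTTP is explicitly allowed, and an overall verdict."""
    root = ET.fromstring(manifest_xml)
    requested = [p.get(NAME_ATTR) for p in root.findall("uses-permission")]

    flagged = {p: SUSPICIOUS[p] for p in requested if p in SUSPICIOUS}
    unexpected = sorted(
        p for p in requested if p not in SUSPICIOUS and p not in EXPECTED
    )

    # android:usesCleartextTraffic="true" opts the app into plain HTTP,
    # which is how the second app in the article leaked data to its server.
    app = root.find("application")
    cleartext = app is not None and app.get(CLEARTEXT_ATTR, "").lower() == "true"

    if flagged or cleartext:
        verdict = "reject"
    elif unexpected:
        verdict = "review"
    else:
        verdict = "ok"

    return {
        "package": root.get("package"),
        "flagged": flagged,
        "unexpected": unexpected,
        "cleartext_allowed": cleartext,
        "verdict": verdict,
    }


# Constructed manifest modelled on the behaviour described in the article:
# an "information" app that wants SMS, GPS, contacts and the microphone.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.diabetesinfo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>
"""

# Constructed manifest for a well-behaved reference app, for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.diabetesreference">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for xml in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(xml)
        print(report["package"], "->", report["verdict"])
        for perm, why in report["flagged"].items():
            print("   ", perm, ":", why)
        if report["cleartext_allowed"]:
            print("    cleartext HTTP explicitly allowed")
```

The verdict is deliberately blunt: a single billing-capable permission or an explicit cleartext opt-in is enough to reject an app that only claims to show information, because, as the article describes, those are exactly the capabilities the premium-SMS and data-exfiltrating apps relied on. Runtime permission prompts are not a substitute for this check; the first app in the story only asked after it was already installed.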

Looking ahead, Lakhani said that hospitals, medical device manufacturers and healthcare systems need to better collaborate on security – especially as hospitals adopt more internet of things (IoT) devices while failing to ready themselves for the onslaught of security and privacy challenges that come with medical connected devices.


Penny Chase at RSAC 2020.

Penny Chase, the information technology and cybersecurity integrator in the Information Technology Technical Center at MITRE, agreed, saying at an RSA session that medical security needs to be a shared responsibility model, between healthcare organizations, medical device manufacturers, clinicians who are operating the systems, and patients.

Specifically, from a medical device perspective that could include steps like addressing security during the design and development of medical devices, voicing manufacturer responsibilities and fostering a “collaborative and coordinated approach to information sharing and risk assessment.”

“If those flaws are not remediated and taken care of, [systems] can be potentially exploited and that can result in patient harm or pivot as a way for an adversary to get onto a hospital’s network,” said Chase. Ultimately, if not addressed, security issues can lead to the “compromise of the confidentiality and integrity of healthcare.”
