Hackers Attack Medical Equipment

rgMekanic

[H]ard|News
In a blog post today, Symantec announces that it has identified an attack group named "Orangeworm" that has been deploying viruses against the healthcare sector and related industries. 40% of Orangeworm's victims have been within the healthcare industry, but they aren't just going for PCs; the Kwampirs malware was found on X-Ray and MRI machines, as well as machines used to assist patients in completing consent forms.

Scary stuff, with as tech heavy as the healthcare system is, aside from patient, employee, and hospital records, the thought of the data or control they could get from a piece of medical equipment is unsettling to say the least.

Kwampirs uses a fairly aggressive means to propagate itself once inside a victim's network by copying itself over network shares. While this method is considered somewhat old, it may still be viable for environments that run older operating systems such as Windows XP. This method has likely proved effective within the healthcare industry, which may run legacy systems on older platforms designed for the medical community. Older systems like Windows XP are much more likely to be prevalent within this industry.
 
Yeah, morally this is way past the limit anyone could stomach. Well, I guess not since someone did it.
 
Fire hospital IT admin

Completely non acceptable. Machines which can put out lethal doses of radiation and burns should be completely isolated. Records transfer should be done via CD or DVD burner. Info only goes out that way.
 
There would literally be no one on hand that could diagnose or deal with any type of tampering done to the software of a medical machine. The specialists required to fix these issues would have to be specially trained for that unique debug. Some of that hardware goes for half a million dollars and could potentially be life threatening given certain circumstances. This is no joke.
 
Fire hospital IT admin

Completely non acceptable. Machines which can put out lethal doses of radiation and burns should be completely isolated. Records transfer should be done via CD or DVD burner. Info only goes out that way.

I mean, that's kind of a fair point. Legacy machines running XP should not be connected to a network connection in the first place, or on an isolated LAN subnet.
 
You can thank the FDA for the lag in tech in the medical field. For medical devices if you want to upgrade to a new operating system it can cost hundreds of thousands of dollars and can still take a long time for it to be approved.

I’m not against the FDA because I do believe in their role and value, but stuff like this always pisses me off about them.
 
BREAKING NEWS: Malware turns dental x-ray machine into irradiating death ray. More at 10
 
How about the machines are not accessible from the internet....
How about the makers of said machines do some QA and hire external companies to test their shit insecure software?

Sure, this is a dick move by hackers... but let's also blame the makers of said devices for being so lax and hospitals for not securing their systems which we are seeing over and over and over get exploited..
 
How about the machines are not accessible from the internet....
How about the makers of said machines do some QA and hire external companies to test their shit insecure software?

Sure, this is a dick move by hackers... but let's also blame the makers of said devices for being so lax and hospitals for not securing their systems which we are seeing over and over and over get exploited..

Nothing is hack proof that is connected to the web. I mean have you ever sat and looked how MANY open ports there are on Windows just for basic services? If you don't believe me, open Windows Firewall settings sometime. And if you try to shut them down Windows Bitches and Moans how things will not work. Some network services will even shut down Windows if you stop them. Windows even says in their license agreement, "Not to be used for real time or mission critical services." And you can't sue MS if it fails under such conditions. That should tell you something right there.


But if a hack is found, I believe it is the responsibility of the medical supplier to fix it under warranty terms.
 
How about the machines are not accessible from the internet....
How about the makers of said machines do some QA and hire external companies to test their shit insecure software?

Sure, this is a dick move by hackers... but let's also blame the makers of said devices for being so lax and hospitals for not securing their systems which we are seeing over and over and over get exploited..

But muh Internets of Things!!!
 
How about the machines are not accessible from the internet....
How about the makers of said machines do some QA and hire external companies to test their shit insecure software?

Sure, this is a dick move by hackers... but let's also blame the makers of said devices for being so lax and hospitals for not securing their systems which we are seeing over and over and over get exploited..

Yes, let's not forget to blame everyone else too.
 
What you're going to have to do is start treating critical infrastructure the same way you treat classified networks, disconnect them from anything connected to the internet, and have strict controls on data transfer. A PITA? Yes. Secure? Also yes.
 
Folks need to keep in mind that the Internet used to be a friendly place where security wasn't a big concern. Given the long govt approval process, stuff running XP was likely designed in that era. Medical IT network admins need to deal with the fact that a lot of their stuff can't be allowed to contact the outside world and the outside world can't be allowed to contact the network these machines are on.

Plus the medical community is under government mandates to computerize their records and equipment so information can more easily be shared between doctors, pharmacists, and insurance companies.

Probably not a fun time to be an IT person in the medical industry.
 
I see a lot of "go for their head" posts, but I feel an important note must be made for whether they are intentionally targeting medical equipment vs whether their program just does better on medical equipment due to the older software
 
Another thing to consider when it comes to medical devices is that in hospitals and labs, most IT departments refuse to touch computers sold by a medical device vendor. Even though the hospital / lab purchased it, IT is like nope, we ain’t supporting it.

A medical device company should not have to be responsible for the security and network. Even Windows updates can be an issue.

So don’t go blaming the companies for this shit. At least, not solely.
 
I see a lot of "go for their head" posts, but I feel an important note must be made for whether they are intentionally targeting medical equipment vs whether their program just does better on medical equipment due to the older software

Last year Grey's Anatomy did an EP on this subject. They hijacked their network debilitating the hospital, then they extorted 20mill. I can't see why hackers would attack a hospital for any other reason. Hospitals have traditionally been safe harbors an extension of wartime. It's pretty low even for criminals.
 
Because it's so fun to make sick people suffer more. Find the bastards, put 'em in one of the compromised machines...see how they like it.

You're not seeing the big picture. The point of these attacks is more sinister and calculated than just simply fucking with average citizens. No, these systematic attacks you're seeing are political in nature because the information they're mining from these machines can be used against individuals who are in a position of power or can mandate legislation. Having access to their medical history records can be used to blackmail or extort a politician, lawyer, CEO, server infrastructures, or if you're just a disgruntled boyfriend and with insecurity and jealousy issues. I would not be surprised if the malware itself (and god I hope I'm wrong) originated here in the U.S. by political opponents seeking to gain advantage on the other side. Data is the #1 commodity these days gentlemen, whoever controls the information of data wins the geo-political board game. If it wasn't for the Stuxnet Virus and Vault 7, I would have called all bullshit myself. My point is, it doesn't matter who did it, but the fact that it's already being done is conclusive evidence that this is the reality we live in now.
 
You're not seeing the big picture. The point of these attacks is more sinister and calculated than just simply fucking with average citizens. No, these systematic attacks you're seeing are political in nature because the information they're mining from these machines can be used against individuals who are in a position of power or can mandate legislation. Having access to their medical history records can be used to blackmail or extort a politician, lawyer, CEO, server infrastructures, or if you're just a disgruntled boyfriend and with insecurity and jealousy issues. I would not be surprised if the malware itself (and god I hope I'm wrong) originated here in the U.S. by political opponents seeking to gain advantage on the other side. Data is the #1 commodity these days gentlemen, whoever controls the information of data wins the geo-political board game. If it wasn't for the Stuxnet Virus and Vault 7, I would have called all bullshit myself. My point is, it doesn't matter who did it, but the fact that it's already being done is conclusive evidence that this is the reality we live in now.

See facebook
 
You're not seeing the big picture. The point of these attacks is more sinister and calculated than just simply fucking with average citizens. No, these systematic attacks you're seeing are political in nature because the information they're mining from these machines can be used against individuals who are in a position of power or can mandate legislation. Having access to their medical history records can be used to blackmail or extort a politician, lawyer, CEO, server infrastructures, or if you're just a disgruntled boyfriend and with insecurity and jealousy issues. I would not be surprised if the malware itself (and god I hope I'm wrong) originated here in the U.S. by political opponents seeking to gain advantage on the other side. Data is the #1 commodity these days gentlemen, whoever controls the information of data wins the geo-political board game. If it wasn't for the Stuxnet Virus and Vault 7, I would have called all bullshit myself. My point is, it doesn't matter who did it, but the fact that it's already being done is conclusive evidence that this is the reality we live in now.

Dude, there are a lot of easier ways to mine data and this is not one of them. When you fuck with a hospital like this you are putting lives on the line, i.e. welcome to becoming murderers? It's a lot easier to mine FB.
 
Dude, there are a lot of easier ways to mine data and this is not one of them. When you fuck with a hospital like this you are putting lives on the line, i.e. welcome to becoming murderers? It's a lot easier to mine FB.

You're under the impression the individuals responsible have a conscience.
 
You're under the impression the individuals responsible have a conscience.

Maybe you are that clueless? Being a hacker is one thing, but swinging it into murder potentials means... you think you're gonna get away with it?? It's not like there isn't an easier way of getting data w/o potentially killing a shit load of ppl now is there?
 
Maybe you are that clueless? Being a hacker is one thing, but swinging it into murder potentials means... you think you're gonna get away with it?? It's not like there isn't an easier way of getting data w/o potentially killing a shit load of ppl now is there?

Oh you sweet summer child you. You're adorable.
 
You're not seeing the big picture. The point of these attacks is more sinister and calculated than just simply fucking with average citizens. No, these systematic attacks you're seeing are political in nature because the information they're mining from these machines can be used against individuals who are in a position of power or can mandate legislation. Having access to their medical history records can be used to blackmail or extort a politician, lawyer, CEO, server infrastructures, or if you're just a disgruntled boyfriend and with insecurity and jealousy issues. I would not be surprised if the malware itself (and god I hope I'm wrong) originated here in the U.S. by political opponents seeking to gain advantage on the other side. Data is the #1 commodity these days gentlemen, whoever controls the information of data wins the geo-political board game. If it wasn't for the Stuxnet Virus and Vault 7, I would have called all bullshit myself. My point is, it doesn't matter who did it, but the fact that it's already being done is conclusive evidence that this is the reality we live in now.

Doesn't matter the motive(s) (for purposes of punishment)...and how many groups are doing it for their own purposes? The result is it hurts people. E.g. If some competing corporation was doing this to gain an edge in sales...well then the people in the corp should be made to use the machines they sabotaged before being turned into corpses (and I oppose the death penalty BTW so this is very slightly exaggerated for effect...locking them up in a small windowless prison cell with rats as their only company for life would be fine). But this is about more than the data, it's also the sabotage of equipment (think Stuxnet).
 
Sadly until not that long ago the big hitters in the medical device market were shipping some fairly old crap. Hopefully hospitals with equipment that will still be good for years find the budget to upgrade the machines running things at least. Still it will take years to get rid of all the Windows 2000/XP crap in that market.

Most of the players have started to come to their senses.. and started moving away from Windows for such stuff.

Fujifilm announced a partnership around a year ago with SUSE and announced they will be using "SUSE business critical" in their systems.
GE Healthcare had been working with Red Hat and were still shipping crap Windows stuff. Over the last 6 years though they have been working on their own Linux distro (a spin of Scientific Linux, which itself is mostly a spin of Red Hat)... they are using HeliOS now on new gear. (based on this article GE plans to switch a lot of equipment already out there over)
http://news.fnal.gov/2017/02/scientific-linux-created-physics-now-used-medicine/
HELiOS Linux (Healthcare Enterprise Linux Operating System)
 
The interesting thing with this is there's no simple fix for this and blaming IT or even companies for these things occurring is being naive and simplistic. As an administrator who works in the energy industry I look after our entire control and monitoring system which is run on Windows XP and Server 2003 (unpatched) or worse and I can tell you it's endemic to capitalism and nothing to do with specific people or companies. When you talk about replacing the OS, we're not talking about just doing a RAM upgrade and format and reinstall, or heading down to Best Buy to pick up a new $300 laptop just because Microsoft wants to slap some more telemetry in their OS, we're talking about a million dollars per DEA because the control cards are ISA or don't have drivers for anything newer than a 15 year old OS. Hell I've just built half a dozen 486DX4-100 machines that run our turbines out of spares so we can keep running and not spending 10 million each to replace. The amount of sleep I lose trying to hold our environment together with spit and twigs so that a customer doesn't go somewhere else to save $1 a day can't even be counted.

My question is this; are you willing to pay 10 times more on your power bill so that Microsoft can put a bunch of bullshit telemetry and Candy Crush on every workstation, or have Linux with the tiny pool of support people pushing pay rates through the roof on demand (specifically if you aren't a Linux admin ;) ).

As for not connecting things to the internet, there are a massive range of issues with that, we have a network spread over thousands of miles and the cost to run private microwave connections over less than a dozen sites is insane, let alone the dozens and dozens of remote locations currently serviced by cellular and satellite, we also don't have the funds to put an IT person at every site to support the system or drive out to each site (which could be 1000+ miles away), so remote admin is the only feasible option.

I'm happy for anyone to come along and say 'I'm a doctor and I'll gladly give up my million dollar home, my Audi, my wife's BMW and drinking habit, and private school for my 2 children' or 'I'm a consumer and security of our environment is my number one priority, please put my bills up by 7 times to ensure Microsoft can harvest all my information', but that's not going to happen in a capitalist society, so you're going to have to buckle up and have this keep happening
 
The equipment in the radiology department can also be dangerous to the patients.

Aside from radiation-induced injury to DNA, a CT can cause skin burns if the machine continues to emit radiation for longer periods of time over the same body part. And MRI is essentially a microwave - though it would take the entire length of a scan to try to do thermal damage.

That said, you'd need pretty advanced knowledge of how these scans are acquired and the inner workings of the machine -- and then you'd have to hope the technologist didn't realize what was going on (easier to mask in CT than MRI, since the RF pulse is audible).
 
For all of you saying "disconnect it from the internet then it's secure" that is false. Computers that are offline, in a Faraday cage, have been hacked through heat signature. Lots of things can be done to intercept electronic signals. Of course screwing medical patients is bad but some of you need to put the pitchfork down. What is hacking? What defines a "hacker"? Capital punishment for computer crime? That's as bad as executing people for drug use.

I agree that IT admin needs to be fired at the very least. I have HealthIT training and all they teach you is a little SQL and what all the machines are. Whoever did this was much more skilled than the fool of an admin.

Same thing has happened at airports.

http://www.militaryaerospace.com/articles/2015/03/atc-cyber-security.html

Most of the malware being used by these hackers was developed by the US government and leaked, you can view the code on wikileaks.

Let's hear everyone call to hang the government! They are the real malicious hackers.

ps, the leak happened during the hussein presidency.
 
I'm happy for anyone to come along and say 'I'm a doctor and I'll gladly give up my million dollar home, my Audi, my wife's BMW and drinking habit, and private school for my 2 children' or 'I'm a consumer and security of our environment is my number one priority, please put my bills up by 7 times to ensure Microsoft can harvest all my information', but that's not going to happen in a capitalist society, so you're going to have to buckle up and have this keep happening

Honestly, many (most?) hospitals aren't that far behind -- we're on Windows 7 and the hardware we're using is pretty modern.

Aside from X-ray machines, for which there's really nothing all that new or interesting going on, the machinery in a radiology department tends to be pretty new - at least in the hospital setting. With the volume of patient scans, things tend to "wear out" and CT / MRI and ultrasound continue to have new technology that makes it worth upgrading (albeit every ~10 years). As previously stated, these are not small capital investments (state of the art CT ~$500k - $1M, 3T MRI $3-4M) so the smaller the hospital or outpatient imaging center, the more likely they are to be using older equipment. And while that sounds like a lot of money, it's a drop in the bucket for what the hospital system will earn over the useful lifetime of that machinery.
 
No mercy, hang them on a pole and let the rav3ns pick them down!

A shame for mankind to attack such devices.
 