In a proof-of-concept hack, researchers penetrated an ultrasound and were able to download and manipulate patient files, then execute ransomware.

SAN FRANCISCO – Researchers have highlighted the endemic insecurity of the hospital environment by executing a proof-of-concept attack on an ultrasound machine. In doing so, they were able to gain access to the machine’s entire database of patient ultrasound images.

Check Point Research worked with a hospital in Tel Aviv that was known for its cutting-edge medical tech. With the cooperation of the hospital, researchers essentially pen tested a common ultrasound machine similar to what would be found in hospitals around the world.

“We approached the biggest hospital in Israel, which is considered very advanced in terms of medical technology,” said Oded Vanunu, head of vulnerability products, in an interview with Threatpost at the RSA Conference 2019. “Hospitals tend to have flat networks, because they don’t have the budget for IT. So once we plugged into that, it was trivial to locate an ultrasound machine that was connected to it. These IoT devices are all just proxies on the network. And once we found it, it only took two clicks to exploit it and be able to create chaos.”

Vanunu said that there was no need to reverse-engineer the ultrasound or use any special skills in order to hack the machine, because it was running Windows 2000 – an OS that has reached end-of-life and is no longer updated or maintained by Microsoft. The team simply used an exploit for a known, old vulnerability to gain control of the hardware.

“We tried three different attacks and they were all simple to do,” Vanunu said. “First, we were able to download all of the scans of patients in a blink of an eye. Then, we took the scans and manipulated them to replace the patient names. Then, we executed ransomware.”

The ease of the attacks was disturbing, he noted, but said that this seems to be the norm in hospital environments, where a perfect storm of proliferating connected medical IoT devices, lucrative patient data that can be sold at a premium on the Dark Web, and lagging IT resources is converging into a cybercrime dream.

To the first point, there can often be hundreds, if not thousands, of devices connected to the IT network, any one of which could contain vulnerabilities in either the hardware or software used by such devices.

“There is so much bad security in medical devices in general, the ultrasound is just one example,” Vanunu told Threatpost. “We’re starting to see more attacks like this, and we believe this will be one of the next great attack trends — hospitals. They’re the weakest link right now since medical devices are so easy to hack. And hospitals don’t have the time or resources to manage and update them.”

Already, he said, ransomware attacks have become more common in medical environments, while patient data is on the rise as a commodity on the Dark Web. “Let’s not be naïve,” he said. “Medical data is big money – it’s giant and patient records are being sold all the time.”

He added that the information is considered more valuable than, say, a credit-card number, because it can be used to better target victims in spear-phishing and other kinds of attacks, perhaps in an automated way.

“Everything attackers collect about a person helps build out a profile,” he said. “It’s all useful for training an algorithm. We’re starting to enter the era where collecting medical data and deeper information will be a priority. We believe there will not be a single market that’s safe from data theft because of this.”

He also told Threatpost that in the case of the particular ultrasound that the team hacked, the vendor responded that newer versions of the hardware contained OS mitigations. This, Vanunu said, illustrates another endemic issue in hospitals: slow equipment replacement cycles.

“When you’re talking about ultrasound equipment, MRI machines, X-Rays – these cost a lot of money,” he said. “You’re not just going to replace them every time a new version comes out. And even if they’re software-updateable, no one is typically in charge of that. Staff and resources are focused elsewhere.”

While many hospital attacks require an adversary to gain access to the local network, there are also changes on the horizon that could make pilfering patient data easier.

“Germany has approved a plan where all patient data will be sent to a central repository in the cloud,” Vanunu said. “Even with VPN protection, the data could be exposed in transit. Hospitals are not ready in terms of technology to lock down the cloud. And then there’s always the potential for leaving a cloud bucket open.”

Recent cyber-attacks in medical environments include a ransomware attack on the Melbourne Heart Group; last year’s attack on Singapore’s health service, SingHealth, which suffered a massive data breach that saw the Prime Minister’s health records stolen; and the heist of 1.4 million patient records from UnityPoint. Then, of course, there was the May 2017 WannaCry attack that caused 20,000 appointments in the U.K.’s National Health Service to be cancelled.

To avoid becoming the next victim, hospitals should put resources into separating patient data from the rest of the IT network. Segmentation would also enable these organizations to prevent data-stealing or encrypting malware from propagating further across the network, isolating the threat instead.
