This content is part of the Conference Coverage: RSA 2017: Special conference coverage

Connected medical devices spark debate at RSA Conference session

An RSA Conference session on a new attack on connected medical devices led to a spirited debate on vulnerability disclosure and manufacturer responsibility.

SAN FRANCISCO -- An RSA Conference session featuring new research on the MEDJACK attack sparked a spirited debate on connected medical devices and their security vulnerabilities.

Cybersecurity vendor TrapX Security, based in San Mateo, Calif., presented a preview of forthcoming research on a new version of the MEDJACK cyberattack on connected medical devices, dubbed MEDJACK.3. TrapX researchers discovered the original MEDJACK attack in 2015 and followed up with additional research into a new incarnation of the attack, MEDJACK.2, last year.

"What we found was attackers had started to focus on medical equipment, and they started to look for ways to penetrate the infrastructure [through medical device hijacking]," said Anthony James, vice president of marketing at TrapX.

On Thursday, TrapX previewed research into the latest version of MEDJACK, which James said further compounds the risks around connected medical devices. The company described how MEDJACK.3 had modified its approach to search for connected medical devices, such as MRI and CT scanners, deployed on older, out-of-date operating systems, such as Windows XP and Windows Server 2008, while the attack code was designed so that more modern operating systems would simply ignore it.

In addition, the MEDJACK.3 malware was found to be using more sophisticated evasion and obfuscation techniques, including anti-sandbox functionality. TrapX showed one example in which MEDJACK malware had infected an X-ray viewing system and used the device as a command-and-control foothold to move laterally through the targeted healthcare organization's network.
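The X-ray viewer case above is the shape of problem a hospital security team can actually act on, because a hijacked device that is being used as a pivot behaves differently on the network from one that is just doing its job. The following is an added example written for this article, not TrapX's code or any vendor's tooling. It assumes the device cannot host an endpoint agent, so the only vantage point is the network, and it models the viewer's normal behavior as a small allowlist of expected peers (PACS archive, modalities, DNS) and scores each outbound flow against that profile. The device address, hospital address space, peer list and flow records are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# All addresses, ports and log lines below are constructed for this example.
DEVICE_IP = "10.20.5.17"                      # hypothetical X-ray viewing workstation
HOSPITAL_NETS = ["10.0.0.0/8"]                # address space the hospital owns
LATERAL_PORTS = {135, 139, 445, 3389, 5985}   # RPC/SMB/RDP/WinRM: what a pivot reaches for

# Expected peers for the device: (destination network, port, protocol).
EXPECTED_PEERS = [
    ("10.20.5.0/24", 104, "tcp"),     # DICOM to modalities on its own subnet
    ("10.20.8.10/32", 11112, "tcp"),  # PACS archive
    ("10.20.0.5/32", 53, "udp"),      # internal DNS resolver
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form '<src> <dst> <dport> <proto>'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())

def _in_any(ip: str, nets) -> bool:
    """True if ip falls inside any of the given CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def is_expected(flow: Flow) -> bool:
    """True if the flow matches the device's known-good peer profile."""
    return any(
        _in_any(flow.dst, [net]) and flow.dport == port and flow.proto == proto
        for net, port, proto in EXPECTED_PEERS
    )

def classify(flow: Flow):
    """Reason string if this outbound flow from the device is suspicious, else None.

    Only flows originating from the device are scored; inbound traffic to it is
    a separate question (who is talking to the device) and is ignored here.
    """
    if flow.src != DEVICE_IP or is_expected(flow):
        return None
    if not _in_any(flow.dst, HOSPITAL_NETS):
        return "outbound to external host (possible C2 beacon)"
    if flow.dport in LATERAL_PORTS:
        return "internal admin/file-sharing port (possible lateral movement)"
    return "internal peer outside device profile"

def find_suspicious(lines):
    """Return [(dst, dport, reason)] for every flow that violates the profile."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            findings.append((flow.dst, flow.dport, reason))
    return findings

def lateral_fanout(findings) -> int:
    """Number of distinct internal hosts the device touched on lateral-movement ports.

    A viewer that should never speak SMB or RDP reaching several hosts on those
    ports is the fan-out signature of a pivot scanning for its next victim.
    """
    return len({dst for dst, port, _ in findings if port in LATERAL_PORTS})

SAMPLE_FLOWS = """
# constructed flow log: src dst dport proto
10.20.5.17 10.20.8.10 11112 tcp
10.20.5.17 10.20.5.30 104 tcp
10.20.5.17 10.20.0.5 53 udp
10.20.5.17 203.0.113.44 443 tcp
10.20.5.17 10.20.9.21 445 tcp
10.20.5.17 10.20.9.22 445 tcp
10.20.5.17 10.20.9.23 3389 tcp
10.20.9.21 10.20.5.17 445 tcp
""".splitlines()

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_FLOWS)
    for dst, port, reason in hits:
        print(f"{DEVICE_IP} -> {dst}:{port}  {reason}")
    print("distinct internal hosts hit on lateral ports:", lateral_fanout(hits))
```

On the constructed log, the three profile-conforming flows pass, the HTTPS connection to an address outside the hospital's space is flagged as a possible beacon, and the SMB and RDP connections to three different internal hosts are flagged together as lateral movement. The allowlist is deliberately per-device: a fixed-function system like an imaging viewer has a small, stable set of peers, which is what makes this kind of profiling practical for equipment you cannot patch or instrument.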

"We've got this hardware and this equipment that's doing its function that the healthcare environment decided they needed, and they're treating patients," James said. "But there is no magic bullet to figure out how to secure this software that's underlying the main function on this hardware that's highly specialized. So, it's a big challenge."

Moshe Ben-Simon, co-founder and vice president of services at TrapX Labs, said because so many connected medical devices feature legacy software and run on outdated operating systems, they are easy targets for MEDJACK.3.

"If somebody discovers their medical devices are controlled by malware, even if the malware is causing people to die, you're in big trouble," Ben-Simon said. "What happened with MEDJACK is, and it's unfortunate to say, it's in 95% of hospitals we see."

Ben-Simon said the attack affects "everything" that's connected to the internet in a hospital, from simple oxygen machines to more complex oncology systems. During the question and answer portion of the session, however, audience member Michael McNeil, senior director of product security at Philips Healthcare, took issue with the presentation.

"I would suggest that TrapX gets aligned on, at least in the United States, the latest guidelines and regulations that are in place," McNeil said, adding that the U.S. Food and Drug Administration has issued security guidance on connected medical devices and disclosing vulnerabilities.


McNeil also questioned whether TrapX directly notified any of the affected device manufacturers prior to RSA Conference.

"The answer is yes," Ben-Simon said. "And not all of them answered."

McNeil said no one had contacted his office about the MEDJACK.3 attack or vulnerabilities in Philips' medical devices. He also argued that hospitals and healthcare organizations push the lifecycle of many of these devices far past the recommendations.

"So, when you say the manufacturer is responsible for trying to make sure the devices are secure, if they go to a customer and state, 'Please remove it,'" McNeil said, "we can't pull our devices [from customers]."

Ben-Simon disagreed and argued that manufacturers still have a responsibility to inform healthcare organizations about the risks of using connected medical devices that were designed for Windows XP and give those customers a path to more modern, secure alternatives.

McNeil said TrapX is assuming those conversations with customers aren't already taking place. "It's a bad assumption if you haven't done the research," he said.

Ben-Simon responded by saying TrapX has done the research, and customers are still using outdated operating systems and vulnerable medical devices, so the manufacturers' approach to the problem isn't working.

Do you think security of connected medical devices is the responsibility of the manufacturer? Why or why not?
Yes. If a machine is outdated and cannot be updated or defend itself from modern attacks, why does the manufacturer "end of life" this device as a safety precaution? This is about patient safety, not security.
Apologies. Why doesn't the manufacturer EOL the device?
I think there's a disconnect between what manufacturers expect will be the life cycle of a product and what the true life cycle is. The advent of the personal computer has led to an expectation of shorter operational lives of products, which simply isn't true when you're talking about 5-6 figure price-tag equipment. Hospitals have enough expenses without updating major equipment every five years because the operating software gets "outdated" in five years and "end of supported" in ten or fifteen. I place it on the manufacturer for not believing that a 20+ year operational lifespan is a design requirement and either building in an accommodation for new software or making them too stupid to be affected by malware.
Medical device data security is an issue that pierces the veil of commerce in that it is the responsibility of both the manufacturer and the customer. Neither manufacturers, the FDA (which can only regulate manufacturers) nor providers can solve this on their own - each must do their part and actively engage with the other parties for a complete solution.

In my experience, medical device data security concerns are pretty lackadaisical at both manufacturers and hospitals.

I understand the business needs for manufacturers to keep current versions of their application in the field, but having software running on older versions, especially Windows XP, is a risk they're allowing. It's my opinion that the medical device community needs to allow upgrade paths to the latest versions of their software, at little to no cost, to encourage hospitals to secure themselves and their patients' data.
It must start with the manufacturer. These are complex closed devices which are certified by the FDA. That is why legacy cyber defense doesn't work - you cannot load or place software on these platforms without potential impact. Only the manufacturer is capable enough to make these decisions. 

While cyber defense will improve on newly designed medical devices, vulnerabilities will remain in the installed base of older medical devices in hospitals today.

If not the manufacturers, then who?