Outdated imaging machines have U.S. hospitals ripe for hacking, report says

The vast majority of medical imaging equipment in the U.S. is leaving patient data vulnerable and hospitals open to attacks that could disrupt care, a new study says.

As many as 83% of Internet-connected medical imaging devices—from mammography machines to MRI machines—are vulnerable, according to the 2020 IoT Threat Report from Palo Alto Networks’ Unit 42 threat security team. That’s up from 56% in 2018.

May Wang, senior distinguished engineer at Palo Alto Networks, attributes the uptick from 2018 to 2020 to Microsoft dropping support for Windows 7. While medical devices have a long life cycle, if they aren’t diligently updated with the latest version of its operating system, or are running an unsupported operating system, then hackers can exploit vulnerabilities to steal data, infiltrate a hospital network, and disrupt care.

“It’s like having a permanently broken window on the side of your house—you never know when someone might slip in,” Wang tells Fortune.

Once an attacker successfully gets in through that window, it becomes very likely they can gain access to the hospital’s broader network to steal or erase critical data. And that’s when the chaos starts to happen.

How 12-year-old malware disrupted a hospital

Hospitals typically lag behind other industries when it comes to cyber security, Wang says, which makes them especially vulnerable to a variety of attacks. For instance, the report details how a 12-year-old piece of malware, called Conficker, is making a comeback.

An unnamed hospital mentioned in the report experienced unusual traffic over one of its mammography imaging machines. Over the course of a few days, the IT team determined that the Conficker worm had infected other medical devices on the hospital’s network, including another mammography machine, a radiology machine, a digital imaging device, and others.

Conficker was first detected in 2008 when it exploited vulnerablities in Windows XP and older Microsoft operating systems. The worm would infect devices and add them to a botnet that would continue looking for devices to infect. By 2009, the worm had infected an estimated 15 million PCs, hitting hospitals, governments, and corporations.

In 2015, it was estimated there were 400,000 machines infected by the Conficker worm. The 2020 report says that number is now likely half a million.

“Conficker was designed with multiple spreading mechanisms built into it and it didn’t rely on users to do anything to enable it to spread—it was completely self-sufficient,” says Wang. “For example, it has a peer-to-peer functionality that allows infected computers to continue communicating with each other without the need for a central server to give it orders, enabling it to keep spreading.”

In the case of the hospital, rebooting the devices didn’t work, since it didn’t address the unpatched holes that enabled the Conficker infection. The hospital was instead forced to take its devices offline, install vital security patches, and tediously bring them back online one at a time.

The total downtime was one week before all the devices were back online and running without interruptions, according to the report.

Why hackers target hospitals

The Palo Alto Networks report also cautions about newer attacks that are targeting lucrative personal data.

“Hospitals and healthcare providers house highly confidential and sensitive personal information that is specifically appealing to malicious actors,” Matthew Gardiner, director of enterprise security at Mimecast, a data security company, tells Fortune. “It’s essentially a treasure trove of information that can either be directly monetized or used in identity theft or other later stage attacks.”

Hackers are looking to get in any way they can, and in the medical community, there are plenty of open windows.

Ninety percent of health care organizations were hit with email-borne attacks last year, according to research released on Tuesday by Mimecast. Of those, one in four said the attacks were extremely disruptive.

In one case, a medical office was even forced to shut down after a cyber attack. Last September, Wood Ranch Medical in Simi Valley, California was hit with ransomware.

“Unfortunately, the damage to our computer system was such that we are unable to recover the data stored there and, with our backup system encrypted as well, we cannot rebuild our medical records,” reads a message to its patients. “We will be closing our practice and ceasing operations on December 17, 2019.”

For cash-strapped hospitals, it can be a choice between buying a new imaging machine, or investing to upgrade the hospital firewall to help mitigate these types of attacks.

Attackers know hospitals are slow to upgrade and exploit them, often for profit, Wang says. “Having a system go down in an enterprise means loss of money, but downtime for a hospital can mean loss of life,” she adds. “Healthcare resorts to paying a ransomware more often than not, so they can regain control over systems and data.”

Taking preventative measures

There are some steps hospitals can take now to help help mitigate the threat.

Wang recommends organizations regularly scan their networks to see which IoT devices are connected. Anything that doesn’t belong on the network or isn’t being used should be disconnected. Other devices should be regularly updated to ensure any holes are patched. Finally, IoT medical devices should be separated from the regular network.

“As our report showed, 72% of the time, IoT medical devices are not separated from the regular network,” Wang says. “This means Infiltrating an IoT medical device means in addition to patient data being potentially stolen from the medical device its self, an attack could also potentially infiltrate the hospital’s broader network and access far more patient data.”

In other words: Quarantining IoT devices from the main network is the best way to stay safe.