Modern Healthcare, among other outlets and blog posts, is reporting that a hacker group dubbed "Orangeworm" has been planting malware on medical devices that are critical to patient care. This post adds some perspective about some potential motivations and offers starting points for healthcare providers to respond.
The hackers have broken into imaging devices, like X-ray and MRI machines, as well as computers related to patient consent for medical procedures. They also homed in on manufacturers and others in the supply chain.
Alarming, of course. But wait... patient consent? Aren't hackers only interested in stealing patient records they can sell on the black market?
Not necessarily, says Virta Labs' Director of Sales, Ron Anson, who explains the value to hackers of consent information: "Because it's a disclosure mechanism, informed consent data tells you a lot about the kinds of procedures that are going on at a hospital. An attacker who's just snooping around can see what machines are in active use, estimate their utilization, and make some educated guesses about good places to put persistent malware implants or ransomware."
There's greater value still in the consent data in use at research institutions that conduct or participate in clinical trials. Says Anson: "Clinical trials often involve devices and use cases that are not yet widespread. If I were looking to steal intellectual property, I would see informed consent as a rich information source because investigators have to disclose details to patients that they'd rather keep under wraps."
This viewpoint sheds a little light on why informed consent is potentially interesting to attackers. Any system that stores these documents en masse is another resource worth understanding and protecting if you're a healthcare provider.
What should healthcare cybersecurity engineers do about Orangeworm? Here are a few starting points:
- Read Symantec's writeup of the observed threat vectors so that you can be familiar with warning signs and indicators of compromise.
- Make sure you have a complete and accurate inventory of systems that might be at risk to Orangeworm or other miscreant groups. You can't protect what you don't know you have. For each device potentially at risk, make sure you understand what's normally running on that device and whether you've applied basic hygiene mechanisms such as a backup strategy, firewalls as necessary, and malware-hunting tools.
- Figure out where your ePHI is. Consider patient consent information under this umbrella. Who has access to those records? Are you sure? What controls have you applied, and should you enhance those controls under the assumption that an adversary might be looking?
- If you're not already tracking risk across your medical device population, consider using a tool like BlueFlow to assess and manage risk factors for all assets and stay abreast of incoming threats. The only sure thing is that you don't know what the next threat vector is, so preparation is key.
- Assess your network's entry points from the outside using tools like https://shodan.io/. Punch in your network ranges and see what a curious attacker conducting reconnaissance would see from the outside.
It's possible that Orangeworm is merely a loose confederation of hackers looking for machines on which to mine Bitcoin. But it's also possible that these are real, targeted threats against healthcare providers. The safest thing to do in the face of a shadowy adversary is to make sure you've covered the basics.
Stay safe out there, and we're here if you need help.