Hackers have been targeting medical scanning equipment like X-ray and MRI machines for the past few years and some of them have been very successful. While the attacks raise the potential of the theft of personal patient medical data, they appear to be centered around learning how certain medical software operates, possibly as part of an industrial espionage campaign.
While much of the world’s PCs have today moved on to more modern and secure operating systems like Windows 10, old equipment like medical scanners can still be found using ancient legacy platforms like Windows 95. That’s been the case with a number of X-ray and MRI machines which have been targeted by a group known as Orangeworm, who over the past few years have infected more than 100 different health care organizations with malware.
A Symantec report on this problem shows that health care providers have been the biggest target for this kind of malware, with some 39 percent of the group’s attacks in recent years targeting that industry. Other common targets are IT and manufacturing, along with agriculture and logistics to a lesser extent. However, each of those targets has been part of the medical supply chain, suggesting a coordinated effort to understand the entire health care industry’s IT infrastructure.
What’s confusing the security professionals, however, is that the attacks don’t appear to have a clear purpose. While they seem to use phishing emails as an attack vector — a common method for many malware types — they don’t seem to share many characteristics with more traditional digital assaults. No data appears to have been stolen, no ransoms are being demanded, and the systems aren’t left running cryptominers.
That leaves security researchers like those at Symantec unsure about who is truly responsible. As PCMag points out, the lack of a clear goal may suggest state-sponsored hackers, but the fact that the attacks are relatively unsophisticated suggests otherwise.
Regardless though, Symantec and its contemporaries see this as a wake-up call for the health care industry to overhaul its digital security. While these attacks have so far been rather benign, there’s little stopping those responsible from returning with much more dangerous plans in mind. Malicious software could wipe patient records, steal information, or shut down much needed medical equipment, potentially putting lives at risk.
The general advice given, for now, is for institutions to update their systems where possible and, where not, to isolate them on smaller, localized networks so that they aren’t so easily accessed.