Hacker group Orangeworm attacks long-standing vulnerabilities in healthcare imaging devices

Understanding the profiles and motivations of the various types of hackers is key to stopping them (Image imaginima / iStockPhoto)
A group known as Orangeworm is exploiting known vulnerabilities in legacy medical devices. (imaginima/iStockPhoto)

A hacker group known as Orangeworm is launching targeted attacks against the healthcare industry, focusing on well-known vulnerabilities within legacy imaging devices to gain access to hospital systems.

First identified in 2015, Orangeworm is not a new group, but it has zeroed in on healthcare with 40% of its attacks aimed at the industry, according to a report released last week by Symantec.  

Using Trojan.Kwampirs malware, the group has targeted vulnerabilities in X-ray and MRI machines that often run older operating systems like Windows XP. Unlike last year’s WannaCry attack, which exploited the vulnerabilities of older systems in a global attack, Orangeworm is far more selective and coordinated, an indication the group may be working for a specific client or engaged in corporate espionage.

Conference

2019 Drug Pricing and Reimbursement Stakeholder Summit

Given federal and state pricing requirements arising, press releases from industry leading pharma companies, and the new Drug Transparency Act, it is important to stay ahead of news headlines and anticipated requirements in order to hit company profit targets, maintain value to patients and promote strong, multi-beneficial relationships with manufacturers, providers, payers, and all other stakeholders within the pricing landscape. This conference will provide a platform to encourage a dialogue among such stakeholders in the pricing and reimbursement space so that they can receive a current state of the union regarding regulatory changes while providing actionable insights in anticipation of the future.

RELATED: House committee to examine cybersecurity risks of legacy technology in healthcare

“Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking,” Symantec analysts wrote. “Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.”

The imaging suite is widely known as “the worst offender in terms of having outdated systems,” according to John Nye, senior director of cybersecurity research and communications at CynergisTek, a healthcare cybersecurity and information management consulting firm based in Mission Viejo, California. He noted that the malware used by the group is “very loud,” but preys specifically on vulnerabilities in Windows XP.

“[Hospitals] have no control over the devices themselves,” Nye said, noting that imaging devices are often leased from manufacturers and come with preloaded operating systems. “Even if they know this MRI has a horribly insecure system, there’s nothing they can do about it. It's still on their network and the bad guys know it.”

The sheer number of vulnerabilities is likely what makes healthcare such an appealing target for the group. Nye says Orangeworm may be targeting specific hospitals and even specific patients to blackmail individuals or use information for targeted spearfishing campaigns.

RELATED: FDA wants to create a ‘go-team’ for medical device cybersecurity

Device vulnerabilities aren't limited to the imaging suite, however. 

“Depending on the statistics provider, the average patient in a hospital bed has between 10-15 health tech devices,” Terry Ray, chief technology officer at Imperva, said in an email. “Unfortunately, most of these are legacy devices which have very little, if any, security controls in place.”

Healthcare providers can take several measures to protect their network and limit the scope of an attack by ensuring malware signatures and antivirus programs are up-to-date. Segmenting the hospital network to isolate vulnerable devices can prevent a larger attack.

Ultimately, however, more needs to be done at the federal level or in Congress to address cybersecurity vulnerabilities within legacy devices.

“We were at an inflection point where something needed to be done five years ago,” Nye said. “Now we're at a crucial emergency point.”

Suggested Articles

We need our federal programs and policies to reflect the goal of improving the health of both women and men.

Two lawsuits were filed suing the Trump administration to overturn a new rule that would allow healthcare workers to deny care over religious or conscience…

Policy changes are affecting how investors view the skilled home health market and paving the way for potential strategic acquisitions.