Hacker group Orangeworm attacks long-standing vulnerabilities in healthcare imaging devices

A group known as Orangeworm is exploiting known vulnerabilities in legacy medical devices. (imaginima/iStockPhoto)

A hacker group known as Orangeworm is launching targeted attacks against the healthcare industry, focusing on well-known vulnerabilities within legacy imaging devices to gain access to hospital systems.

First identified in 2015, Orangeworm is not a new group, but it has zeroed in on healthcare, with 40% of its attacks aimed at the industry, according to a report released last week by Symantec.

Using Trojan.Kwampirs malware, the group has targeted vulnerabilities in X-ray and MRI machines that often run older operating systems like Windows XP. Unlike last year’s WannaCry attack, which exploited the vulnerabilities of older systems in a global attack, Orangeworm is far more selective and coordinated, an indication the group may be working for a specific client or engaged in corporate espionage.



“Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking,” Symantec analysts wrote. “Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.”

The imaging suite is widely known as “the worst offender in terms of having outdated systems,” according to John Nye, senior director of cybersecurity research and communications at CynergisTek, a healthcare cybersecurity and information management consulting firm based in Mission Viejo, California. He noted that the malware used by the group is “very loud,” but preys specifically on vulnerabilities in Windows XP.

“[Hospitals] have no control over the devices themselves,” Nye said, noting that imaging devices are often leased from manufacturers and come with preloaded operating systems. “Even if they know this MRI has a horribly insecure system, there’s nothing they can do about it. It's still on their network and the bad guys know it.”

The sheer number of vulnerabilities is likely what makes healthcare such an appealing target for the group. Nye says Orangeworm may be targeting specific hospitals and even specific patients to blackmail individuals or use information for targeted spear-phishing campaigns.


Device vulnerabilities aren't limited to the imaging suite, however. 

“Depending on the statistics provider, the average patient in a hospital bed has between 10-15 health tech devices,” Terry Ray, chief technology officer at Imperva, said in an email. “Unfortunately, most of these are legacy devices which have very little, if any, security controls in place.”

Healthcare providers can take several measures to protect their networks and limit the scope of an attack, including keeping malware signatures and antivirus programs up to date. Segmenting the hospital network to isolate vulnerable devices can prevent a larger attack.

Ultimately, however, more needs to be done at the federal level or in Congress to address cybersecurity vulnerabilities within legacy devices.

“We were at an inflection point where something needed to be done five years ago,” Nye said. “Now we're at a crucial emergency point.”
