Orangeworm Attacks Highlight Growing Cybersecurity Concerns in Medical Imaging and Healthcare

Posted June 02, 2018 by Ken Hable

In our increasingly connected world, no one is 100 percent safe from cybersecurity threats and invasions of digital privacy. The healthcare industry, however, is facing growing concerns about network vulnerabilities and the malicious intents of hackers.

Those concerns took center stage after it was discovered that a group known as Orangeworm had been targeting and infiltrating healthcare organizations’ networks over the past few years. The hackers often entered through imaging suites including X-ray, CT scan, and MRI machines.

So, what is the purpose of these attacks, what are the potential consequences, what should imaging engineers be looking for, and how can healthcare organizations mitigate these risks?

Let’s start with some background on Orangeworm and its tactics.

What We Know About Orangeworm

Near the end of April 2018, the cybersecurity firm Symantec released a report announcing it had identified attacks from Orangeworm, which uses backdoor malware, known as Trojan.Kwampirs, mainly to target the healthcare sector. Kwampirs has been found on machines with software used to control high-tech medical imaging devices. The malware gives attackers remote access to the compromised computer.

Orangeworm appears to be using the attacks to gather information about its victims’ networks. This led security experts to assume that the purpose of the attacks is corporate espionage, or an attempt to access intellectual property.

It is believed this was the work of an individual or small group rather than a nation-state. The malware has been discovered in multiple countries across Asia, Europe, and South America, but victims in the U.S. make up the largest percentage globally.

Symantec says Orangeworm is choosing its victims carefully and deliberately. Yet, the hackers don’t seem concerned about being detected, and Orangeworm isn’t trying to hide the fact that it’s exporting information.

The malware is fairly basic, but it is targeting older systems with obvious security vulnerabilities, such as those found in Windows XP. Healthcare IT is susceptible to these attacks since many medical imaging devices are being run on outdated operating systems.

Could the Situation Get Worse?

Orangeworm does not appear to be actively trying to steal patient data, although its malware has been found on machines used to process patient consent forms.

These attacks are likely of significant concern to OEMs trying to protect proprietary algorithms and trade secrets but, up to this point, Trojan.Kwampirs is mostly a nuisance for hospitals and clinics. While the precise purpose of the attacks is uncertain, there are no reports of hackers purposefully trying to control or disrupt the operation of devices.

Still, because there are so many questions surrounding the ultimate goals of Orangeworm, the situation is a wakeup call for better network security in healthcare. Who’s to say the way such malware is used can’t be copied by hackers with more dangerous intent?

While the public may believe hospitals and clinics have airtight cybersecurity, healthcare’s weaknesses are no secret within the industry. Experts have been predicting problems like this for several years. In 2017, the WannaCry ransomware caused headaches for some institutions. And, Siemens issued a warning along with advice to its medical imaging customers last summer about critical vulnerabilities with some of its systems.

In general, hospitals are behind the curve when it comes to technology for network security, isolation, control, and access. Healthcare technology and security have a long way to go to better protect important systems and networks, and there are roadblocks in the way of making improvements.

Challenges in Healthcare Cyber Security

One of the first issues is determining which department is responsible for monitoring and preventing cybersecurity threats on medical imaging technology. There are blurred lines between the IT and clinical engineering departments.

IT staff normally manage computers for general use. They rarely touch dedicated PCs for medical imaging, because it’s considered part of the equipment that makes up the system. The responsibility of monitoring these PCs typically falls to service contracts or in-house biomedical engineers.

The “Catch 22” here is that engineers are less likely to understand cybersecurity issues while IT staff is in the dark on how these PCs function as part of the overall system.

A second issue revolves around what medical imaging device manufacturers allow for malware protection and how it is being used. OEMs do provide malware protection pre-installed on the computers connected to their medical imaging devices, but whether they’re being activated and updated is another question.

Siemens has worked with Trend Micro for years and includes the software on PCs controlling Siemens medical imaging equipment. But, you must purchase the license to make it an active installation.

Some healthcare organizations choose not to turn on antimalware software because it’s viewed as a potential safety issue and could hamper the ability to have remote access to those PCs.

Virus software is only as good as the signatures it has. If you turn protection on and don’t update the software, it becomes less effective over time. To get those updates, the PC must have an active polling network connection, which many hospitals want to avoid.

These types of challenges and issues need to be addressed because the consequences for healthcare organizations could be severe. Patient safety and privacy should be paramount concerns.

If hackers cause a PC connected to medical imaging devices to work improperly, or cause an algorithm to become corrupted, one of two things could happen. The PC may prevent the device from working at all, which means costly downtime. Worse yet, the device may keep working but present a safety risk, whether inadvertently or intentionally.

Imaging engineers wouldn’t become aware of such issues until the next time preventive maintenance procedures and calibration checks are performed.

What Should Imaging Engineers Do?

Imaging engineers may not be able to improve upon the security tools OEMs provide, but you can take steps to protect devices from the damage malware could cause. Mike Larsen, one of Technical Prospects’ in-house Siemens experts and trainers, recommends backing everything up by cloning hard drives when you know they are healthy. This way, you can replace infected drives quickly.

Even then, engineering departments should work with IT to make sure the issue doesn’t creep up again.

“A cloned drive is a remedy, but the IT department must have resolved the initial problem of the virus getting past the hospital firewall before replacing the drive,” Larsen explains. “Otherwise, the drive will still be vulnerable to the virus and simply get infected again, and you’ve wasted a cloned drive, your time, and you will still have the same problem.”

Our advice for addressing security issues after they are detected is to take a step back and look at the approach the OEM is taking. The Technical Prospects support team may be able to give you advice and tools for fixing the problem, but we can’t guarantee those solutions are approved by the OEM. If you have a service contract, check it before doing anything.

Because this industry is highly regulated, you should be careful about what you install on PCs in an attempt to remedy problems. There could be ramifications to doing so.

For Siemens equipment, if you have an active license for Trend Micro software, be aware that the software is not conducting real-time monitoring. We’ll often talk imaging engineers through the process of validating the license, downloading the latest updates, and running the software to try to clean the PC.

If you don’t have an active software license, there may be an OEM solution, but you’ll have to contact the manufacturer to find out. At some point, your best option might be wiping the drives clean, reinstalling the software, and starting over.

With any luck, you won’t have to deal with an attack on your organization’s network. Being vigilant about potential threats can help. Keep your eyes open for issues and watch for news of threats such as Orangeworm and WannaCry as well as warnings and patches from OEMs (Get Siemens security advisories). Work together with IT specialists to find solutions so the knowledge of both departments is combined.

In the meantime, let’s hope that OEMs find ways to pick up the pace and update technology to reduce security vulnerabilities. Outdated legacy systems, inflexible service contracts without effective tools, and the slow-moving approval of new systems must stop.

If you do encounter a potential security issue with Siemens medical imaging equipment, our support team is happy to provide whatever insight we can. Call us at 877-604-6583. 

Additional Resources: