X would appear no different than the real thing. But unlike the real machines, the fake devices allowed TrapX to monitor the movements of the hackers across the hospital network. After six months, TrapX concluded that all of the hospitals contained medical devices that had been infected by malware.
In several cases, the hackers “spear phished” hospital staffers, luring them into opening e-mails that appeared to come from senders they knew; when staffers fell for the bait, the e-mails infected hospital computers. In one case, hackers penetrated the computer at a nurses’ station, and from there the malware spread throughout the network, eventually slipping into radiological machines, blood gas analyzers, and other devices. Many of the machines ran on cheap, antiquated operating systems, such as Windows XP and even Windows 2000. The hospital’s antivirus protections quickly scrubbed the computer at the nurses’ station, but the medical devices weren’t so well guarded.
Many of the hospitals that participated in the study rely on the device manufacturers to maintain security on the machines, says Carl Wright, general manager for TrapX. That service is often sporadic, he says, and tends to be reactive rather than preventive. “These medical devices aren’t presenting any indication or warning to the provider that someone is attacking it, and they can’t defend themselves at all,” says Wright, who is a former information security officer for the U.S. military.