Health care providers and suppliers should be wary of the “Orangeworm” threat, an implementation of malware out in the wild that’s gathering information off of compromised medical equipment, especially old systems where file shares and Windows XP are still in use:
While this group seems to be limiting their actions to reconnaissance and compromising systems vs. patient information, that doesn’t mean they couldn’t pivot to some other form of mischief on the systems they’ve compromised.
While some people might find it shocking to learn that their medical provider is still using Windows XP, it can be tough to get budget approval to replace a $2M MRI machine that still makes perfectly good images just because you can’t upgrade the Windows OS. Eventually these outdated devices will have to be replaced – but until then, in addition to updating them as much as possible, here are some compensating measures owners of these systems should put in place to help reduce the chance of, or spread of, an infection:
- Isolate the equipment on the network: don’t allow the old MRI machine to talk to anything on the network it doesn’t absolutely have to talk to, especially the Internet
- Limit elevated access to the device: no one should have “administrator” access other than the people who maintain the equipment. Why would your physicians need to (or even want to) install updates?
- Limit the use of mapped drives and file shares: ensure the output of your devices is securely transferred to a system that manages your medical imaging output, vs. just dropping the output on open file shares. If you can see a file share, whatever’s on the file share can also see you…
- Control removable media ports: reduce the chance that an infected USB drive could compromise the device by limiting how they are used, or disabling them altogether
- Monitor the equipment closely: knowing about a potential compromise as soon as possible could limit the potential impact
- Subscribe to ICS-CERT: the Industrial Control Systems Cyber Emergency Readiness Team sends out alerts on a wide variety of industrial control vulnerabilities, including medical devices