A hospital with 2,000 employees in the E.U. deployed Cynet protections across its environment. The hospital was in the process of upgrading several expensive imaging systems that still ran on Windows XP and Windows 7 machines. Cynet protections were in place on most of the Windows XP and Windows 7 machines during the upgrade process, so that the legacy operating systems would not become unprotected points of exposure or delay the activation of an incident response plan.
The hospital's I.T. security team appreciated this coverage after their previous provider abandoned support for Windows XP and Windows 7. "One of the many reasons we chose Cynet was their support of legacy Windows machines. It's expensive, difficult and time consuming to upgrade our imaging system software, but we needed protections as we slowly migrated to more current Windows environments. Cynet was one of the few providers that continue to protect these older Windows environments."
The Attack
Along with Cynet, the hospital implemented advanced authentication, in the form of a USB key, for doctors to access systems that contained sensitive patient information. The USB key contained a hidden partition with a digital certificate used to digitally sign and log the user's activities. The same USB drive could also be used as standard removable media storage by the user.
Unfortunately, because users could use the USB key to store files from any device, one of the USB keys became infected with malware. The malware was embedded in a JPEG image file, among many image files on the USB device. When the doctor used the USB key to retrieve diagnostic images from a Windows 7 machine, the infected image was copied from the key's storage partition onto the machine along with the others. Because the machine was connected to the hospital network, this could have allowed the attacker to move laterally and ultimately exfiltrate sensitive data or cause other harm.
Cynet Protections
Fortunately, Cynet protections immediately detected the malicious file and quarantined it before it could execute. This attack underscores the need for layered security: the very device issued for advanced authentication became the carrier for malicious code, yet the endpoint protections in place detected that code and prevented it from executing. It also reinforces the importance of a well-prepared incident response plan.
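The case study does not say how the payload was embedded in the image, only that an infected JPEG travelled on the storage partition of an authentication token. The script below is an added illustration, not Cynet's product logic or the hospital's tooling, of two cheap content checks a defender can run over files arriving from removable media: does the file's leading bytes ("magic") match what its extension claims, and, for JPEGs, is there opaque data appended after the End Of Image marker. The sample files, their names and the finding codes are all constructed for this example.

```python
"""Removable-media triage: flag files whose bytes do not match the image
type their extension claims.  Added example with constructed sample data;
not derived from the hospital's environment or any vendor product."""

from typing import Dict, List

# Extension -> accepted leading bytes.  Only the types needed here; real
# triage tooling carries a much longer table.
MAGIC: Dict[str, tuple] = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}

JPEG_EOI = b"\xff\xd9"  # End Of Image marker; a well-formed JPEG ends here


def file_extension(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def check_file(name: str, data: bytes) -> List[str]:
    """Return finding codes for one file; an empty list means nothing odd."""
    findings: List[str] = []
    expected = MAGIC.get(file_extension(name))
    if expected is None:
        return findings  # extension not in the table: nothing to compare

    if not any(data.startswith(m) for m in expected):
        findings.append("extension_magic_mismatch")
        if data.startswith(b"MZ"):  # DOS/PE executable header under an image name
            findings.append("pe_header_present")
        return findings

    if file_extension(name) in (".jpg", ".jpeg"):
        # Heuristic: bytes after the final EOI marker are not part of the
        # picture and deserve a closer look before the file is opened.
        if JPEG_EOI not in data:
            findings.append("no_eoi_marker")
        elif not data.endswith(JPEG_EOI):
            findings.append("trailing_data_after_eoi")
    return findings


def scan_media(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run check_file over a name -> bytes mapping (e.g. a mounted volume)."""
    return {name: check_file(name, data) for name, data in files.items()}


# Constructed samples standing in for the contents of the USB key.
MINIMAL_JPEG = (
    b"\xff\xd8"                                  # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    b"\xff\xd9"                                  # EOI
)
SAMPLE_FILES: Dict[str, bytes] = {
    "scan_001.jpg": MINIMAL_JPEG,                               # clean
    "scan_002.jpg": MINIMAL_JPEG + b"MZ\x90\x00" + bytes(32),    # blob after EOI
    "scan_003.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + bytes(56),   # executable renamed .jpg
    "readme.txt": b"Imaging export, 3 files.",                  # not an image type
}

if __name__ == "__main__":
    for fname, result in scan_media(SAMPLE_FILES).items():
        print(f"{fname}: {result or 'ok'}")
```

Run as-is it reports the two suspicious samples and passes the clean JPEG and the text file. A check like this belongs at the point where removable media is mounted or where an image import job reads files, and it complements rather than replaces endpoint protection: it only flags structural oddities, so a payload carried inside a valid image stream would still need behavioural detection of the kind the case study describes.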
Summary
Small to medium-sized hospitals and medical facilities continue to run legacy Windows operating systems because of the time and cost required to update the expensive medical systems they control. However, it is critical that these devices are adequately protected, as attackers tend to target the "low hanging fruit" – systems that likely have weaker protections in place. With the right protections and a roadmap for incident response, healthcare organizations can continue to maximize the lifespan of their highly specialized equipment.
If you found this overview interesting, check out this new WhatsApp channel for cybersecurity peers to seek guidance, discuss experiences or even just vent about their day-to-day work.