Cyber Threats Lurking in the Hospital Environment

Healthcare technologies save and improve patients' lives: wearable and implanted devices such as insulin pumps and pacemakers monitor a patient's vital signs and deliver medication based on the readings. They also store Electronic Health Records (EHRs), which let clinicians review a patient's history and evaluate their condition quickly and effectively.

Because these devices are networked, the technology can also be used outside the clinical environment: doctors can monitor their patients remotely, without the patient coming to the hospital. Healthcare technology offers increased efficiency, fewer errors, automation, remote monitoring and time savings.

But, Is It Safe?

Hospitals are known to be attractive targets for patient-data theft. According to worldwide breach reports, millions of medical records have already been stolen. The health sector is now one of the most targeted sectors, and attacks against it are increasing in both frequency and severity.


Before Electronic Health Records, every hospital, and often every department, kept its own paper records. Missing or stolen paperwork that was later exposed affected only hundreds or thousands of patients within that hospital or department. The records could only be accessed physically, by staff who could get at the paperwork, so it was very hard for an outsider to get a look at medical records.


With Electronic Health Records the medical data is digital. Data from many hospitals is gathered in one pool and can be accessed remotely, so a single breach can affect millions of patients. This has led financially or politically motivated attackers to go after celebrities and business people who do not want a medical condition revealed because it could humiliate them or damage their reputation.


More Than a Data Breach

Now that wearable and implanted devices are in the picture, more severe consequences should be expected from cyber-attacks on the health sector. Devices that share real-time vital readings and deliver doses of medicine become new targets, and they introduce new vulnerabilities when they are integrated into a hospital's network without the necessary security precautions. Health security thus becomes a patient safety issue.

Why Is The Health Sector Being Targeted?

The assumption was that nobody would be interested in attacking healthcare systems, so hospitals avoided spending money on cyber security. Unfortunately, that assumption was wrong: the value of healthcare data attracted attackers, and the neglected systems gave them ways in. Because of this lack of awareness, some hospitals still run operating systems that are no longer supported, such as Windows XP, and others do not keep their software patched against known vulnerabilities.

Moreover, medical data is far more valuable than financial data. Aside from being sold for thousands of dollars, a stolen medical identity can be used to obtain health services and medication (which can then be resold online), or even to open bank accounts and apply for loans.

It can also be used for more than making money. Imagine a politician who is allergic to bee stings: combined with a few bees, that piece of information becomes potentially life-threatening. Or consider a cyberwar that targets specific people through their medical devices.

How Can Health Care Technology Be Protected?

In healthcare the focus is on patient care; millions of dollars are spent keeping patients alive and treating them well, using technologies that create and store vast amounts of sensitive and valuable information. Biological viruses are being wiped out of hospitals, but what about cyber viruses: spyware, ransomware and other kinds of malware?

Image designed by Tirachard

Since new malware is created every minute, there is no 100% effective way to protect any computer or device from cyber-attacks. The following steps will, however, close the most common weaknesses and greatly reduce the risk:

  • Backups should be created, kept out of reach of the production network (offline or otherwise isolated) and tested, so that data can be recovered quickly after an attack that erases or encrypts it.
  • All software must be kept updated so that security patches cover the latest known vulnerabilities.
  • All medical data should be encrypted, so that in the event of a breach third parties cannot use it.
  • All employees should be trained to reduce insider threats, whether from mistakes or deliberate actions, and to recognise phishing websites and social engineering attacks.
  • Instead of a traditional antivirus, advanced security software with multilayered defence and machine learning capabilities should be used; Zemana Endpoint Security is one such product.
  • A network security device such as a firewall is a plus alongside advanced security software.
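As an added example (not part of the original article), the "encrypt all medical data" step above carried out in Go with AES-256-GCM. The patient ID is bound to the ciphertext as authenticated data, so a sealed record cannot be copied onto another patient's row, and any tampering with the stored bytes is detected instead of yielding garbage plaintext. The record content, the addresses and the key handling are assumptions for illustration; in production the key would come from a key management service rather than being generated in main.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one EHR entry. PatientID stays in the clear so the row can be
// indexed; everything sensitive lives in Plain and is only ever stored sealed.
type Record struct {
	PatientID string
	Plain     string
}

// SealRecord encrypts r.Plain with AES-256-GCM. The patient ID is passed as
// additional authenticated data, so a ciphertext moved to another patient's
// row fails to open. A fresh random 12-byte nonce is prepended to the output.
func SealRecord(key []byte, r Record) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(r.Plain), []byte(r.PatientID)), nil
}

// OpenRecord reverses SealRecord. Any change to the ciphertext, the nonce,
// the key or the patient ID makes the GCM tag check fail and returns an
// error rather than corrupted plaintext.
func OpenRecord(key []byte, patientID string, sealed []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, body, []byte(patientID))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	key := make([]byte, 32) // assumption: a real deployment fetches this from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	rec := Record{PatientID: "P-1001", Plain: "allergy: bee venom; device: insulin pump"}
	sealed, err := SealRecord(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored bytes: %x\n", sealed)

	if plain, err := OpenRecord(key, rec.PatientID, sealed); err == nil {
		fmt.Println("legitimate read:", plain)
	}
	if _, err := OpenRecord(key, "P-2002", sealed); err != nil {
		fmt.Println("record moved to another patient:", err)
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenRecord(key, rec.PatientID, tampered); err != nil {
		fmt.Println("tampered ciphertext:", err)
	}
}
```

Encryption at rest only helps if the key is not stored next to the data; a breach that also exposes the key file gains nothing from the cipher. The authenticated patient ID is the cheap addition most teams forget: without it an attacker with write access to the database can silently swap two patients' records while every ciphertext still decrypts.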

TRITON: The Malware That Could Have Killed Hundreds

In December 2017 it was disclosed that a petrochemical plant in the Middle East had been attacked by malware named TRITON, also known as TRISIS or HatMan. It targeted the plant's Safety Instrumented System (SIS), which is part of its Industrial Control Systems.


Industrial Control Systems (ICS) are computer-based systems that engineers use to monitor process variables and keep them under control. These automated systems are used in industries that make products by applying a continuous series of processes to raw materials, such as electricity generation, oil refining and chemical processing.

Safety Instrumented Systems (SIS) also monitor process variables, but they are not intended to control the production process. They raise alarms and send override signals, up to and including a safe shutdown, to protect people, the plant and the environment when a monitored process goes outside its allowed operating limits.

Image: factory, designed by Macrovector

These systems are used in oil and gas plants, nuclear power facilities, water treatment plants and more. They prevent incidents such as equipment failure, fires and explosions, so that production can continue without catastrophic results.

Seriousness Of This Attack

Unlike most cyber-attacks, this one was critical. The purpose went beyond stealing information or causing disruption: it was meant to create a catastrophic incident by disabling the Safety Instrumented System. Given its seriousness, the attack was analysed in depth.

The Attack Pattern

According to the analysis, the malware targeted Schneider Electric's Triconex safety controllers. It was well written. Its purpose was to install a Remote Access Trojan (RAT) on the controller, giving the attackers read, write and execute capability over the Safety Instrumented System while it was in RUN/Remote mode, including access to all regions of memory, to the control logic and to the firmware.

It was written specifically for the model and firmware version of the targeted SIS: Tricon 3008, firmware v10.3. To deploy it, the attackers needed access to the SIS network, locally or remotely, and a computer from which to load the malware onto the Tricon.

In this incident the attack was launched from the TriStation terminal, the engineering workstation running TriStation, the software used to develop, test and document the safety-critical and process-control applications that run on Triconex controllers. The attack also required the key switch on the front panel of the controller to be in PROGRAM mode; in that position the switch no longer protects the controller's memory from being written, so the Tricon could be infected.
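As an added example, not taken from the TRITON analysis or from the article, the following Go program shows the detection a practitioner would want for the precondition described above: TriStation traffic (which runs over UDP port 1502) reaching a safety controller from anything other than an approved engineering workstation, or reaching a host that is not a known controller at all. The flow records, the IP addresses and the allow lists are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// TriStationPort is the UDP port the Triconex TriStation engineering
// protocol uses to talk to a Tricon controller.
const TriStationPort = 1502

// Flow is one connection record from a firewall or network sensor log.
type Flow struct {
	Time  string
	Src   string
	Dst   string
	Proto string
	DPort int
}

// Alert is one finding produced by the detector.
type Alert struct {
	Flow   Flow
	Reason string
}

// EngineeringWorkstations and SafetyControllers are the allow lists the
// detector checks against. Both hold assumed addresses for illustration.
var (
	EngineeringWorkstations = map[string]bool{"10.10.5.20": true}
	SafetyControllers       = map[string]bool{"10.10.9.10": true}
)

// SampleFlows is a constructed log, one "time src dst proto dport" per line.
const SampleFlows = `
2017-06-01T11:02:10 10.10.5.20 10.10.9.10 udp 1502
2017-06-01T11:03:44 10.10.5.20 10.10.9.10 tcp 502
2017-06-01T11:05:01 10.10.7.33 10.10.9.10 udp 1502
2017-06-01T11:05:02 10.10.7.33 10.10.9.11 udp 1502
this line is malformed and is skipped
`

// ParseFlows reads whitespace-separated flow lines. Malformed lines are
// skipped so one bad record cannot stop the whole run.
func ParseFlows(text string) []Flow {
	var flows []Flow
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			continue
		}
		port, err := strconv.Atoi(f[4])
		if err != nil {
			continue
		}
		flows = append(flows, Flow{Time: f[0], Src: f[1], Dst: f[2], Proto: strings.ToUpper(f[3]), DPort: port})
	}
	return flows
}

// DetectTriStation flags TriStation traffic that is aimed at something other
// than a known safety controller, or that comes from a host other than an
// approved engineering workstation. Either one is the access TRITON needed.
func DetectTriStation(flows []Flow, engineering, controllers map[string]bool) []Alert {
	var alerts []Alert
	for _, fl := range flows {
		if fl.Proto != "UDP" || fl.DPort != TriStationPort {
			continue
		}
		switch {
		case !controllers[fl.Dst]:
			alerts = append(alerts, Alert{Flow: fl, Reason: "TriStation traffic to a host that is not a known SIS controller"})
		case !engineering[fl.Src]:
			alerts = append(alerts, Alert{Flow: fl, Reason: "TriStation traffic from a host that is not an approved engineering workstation"})
		}
	}
	return alerts
}

func main() {
	alerts := DetectTriStation(ParseFlows(SampleFlows), EngineeringWorkstations, SafetyControllers)
	for _, a := range alerts {
		fmt.Printf("%s %s -> %s: %s\n", a.Flow.Time, a.Flow.Src, a.Flow.Dst, a.Reason)
	}
}
```

On the sample log the legitimate engineering session and the Modbus/TCP flow pass silently, while the two flows from the unknown host 10.10.7.33 produce alerts. A rule like this belongs on the span port or firewall between the plant network and the SIS network; it complements, and does not replace, keeping the controller key switch in RUN except during supervised maintenance windows.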

What Was Their Plan?

Apparently the attackers wanted to manipulate the layers of shutdown logic so the plant would keep running while they reached deeper into the system to gain more control. Despite being well written, the malware accidentally tripped the safety system and the plant shut down, which gave the attack away. Because the attackers never delivered their final payload, their true intentions remain unknown.


However, analysts later found clues tracing the malware to the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) in Moscow, Russia. According to the analysts, malware development activity that very likely supported the TRITON intrusion, including the testing of multiple versions of malicious software used during it, was linked to the group tracked as TEMP.Veles.

From that testing activity, analysts found independent ties to CNIIHM and to a person whose online activity shows a significant connection to CNIIHM. TEMP.Veles used an IP address registered to CNIIHM to monitor open-source coverage of TRITON, to perform network reconnaissance, and for malicious activity in support of the TRITON intrusion. The timing of TEMP.Veles activity was consistent with the Moscow time zone.

Lastly, the analysts believe CNIIHM has the institutional knowledge and personnel needed to develop TRITON and to run the TEMP.Veles operations. Without specific evidence they cannot prove a direct link between CNIIHM and TRITON, but they have associated the capability with Russia.

The Wake-Up Call

This incident should serve as a wake-up call for the industrial control and cyber security communities. Strong protection is more crucial today than ever. It is also highly important for businesses to educate their employees about cyber security and the risks that come with it; there are numerous cases where malware infections occurred because of employee negligence. Proper security systems combined with employee awareness are the best way to stay safe online.