MRI Machines Communicating with C&Cs in Russia

By Jack Marsal, Senior Director of Product Marketing

Armis is an enterprise-class security platform specifically designed to give security managers better visibility over the various kinds of “smart” devices that exist in their environment. Our unique ability to understand the context of each device lets us detect problems that other security products miss.

One example: an MRI machine communicating with a C&C server in Russia.

In a recent customer engagement, Armis found an MRI machine communicating with a destination in Russia. The destination IP address in Russia was not a previously-known malicious destination, so the customer’s firewall did not block it. No security system besides Armis noticed this anomalous behavior. 

The MRI machine was running a vulnerable (unpatched) version of Windows XP which had most likely become compromised by an APT that was communicating with command and control (C&C) located in Russia. Armis was able to alert on this activity because our anomaly detection engine knew that this type of communication was uncommon for this type of device.

In fact, many FDA-classified medical devices are running older, unpatched operating systems and may be vulnerable to this kind of compromise.

A compromised MRI machine can lead to serious risks, both for the patient and the hospital:  

  • Personal Health Information (PHI) could be leaked. 
  • The settings on the MRI machine could be changed maliciously, leading to device malfunction. 
  • The MRI machine could be used as a staging ground for further infiltration of the hospital network.

Our recommendations for all healthcare delivery organizations are the following:

  • Monitor the behavior of all medical devices in your environment, and look for behaviors that are unexpected for each type of device based on their role.
  • Ensure that FDA-classified devices are not communicating with unknown external destinations.
  • Devise a plan to address situations where medical devices that are connected to patients have shown signs of anomalous network behavior.
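
A minimal sketch of the first two recommendations, added here as an illustration and not Armis's code or detection method: it contrasts a known-bad blocklist, which misses a destination with no prior reputation, with a per-role baseline of expected external destinations. The inventory, baseline, blocklist and flow records are all constructed, and every name in the block is hypothetical.

```python
import ipaddress

# RFC 1918 ranges treated as "inside the hospital" (assumption for this sketch).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: device IP -> role.
INVENTORY = {"10.20.0.15": "mri", "10.20.0.40": "infusion_pump"}

# Constructed baseline: external networks each role is expected to reach.
BASELINE = {
    "mri": [ipaddress.ip_network("198.51.100.0/24")],  # e.g. vendor support
    "infusion_pump": [],                               # should never leave the LAN
}

# Constructed reputation feed; note it does not contain the destinations below.
KNOWN_BAD = {"192.0.2.200"}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.15", "10.20.0.2", 104),     # MRI to internal PACS
    ("10.20.0.15", "198.51.100.7", 443),  # MRI to baseline destination
    ("10.20.0.15", "203.0.113.66", 443),  # MRI to unknown external host
    ("10.20.0.40", "203.0.113.9", 80),    # pump to any external host
    ("10.20.0.99", "203.0.113.9", 443),   # device with no role in the inventory
]

def blocklist_hits(flows, known_bad):
    """What a reputation-only control sees: destinations already known bad."""
    return [f for f in flows if f[1] in known_bad]

def unexpected_flows(flows, inventory, baseline):
    """Flag external destinations that are outside the device role's baseline."""
    alerts = []
    for src, dst, port in flows:
        role = inventory.get(src)
        if role is None:
            continue  # unclassified device: out of scope for this sketch
        dst_addr = ipaddress.ip_address(dst)
        if any(dst_addr in net for net in INTERNAL):
            continue  # internal traffic is not evaluated here
        if not any(dst_addr in net for net in baseline.get(role, [])):
            alerts.append({"device": src, "role": role, "dst": dst, "port": port})
    return alerts

if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(FLOWS, KNOWN_BAD))
    for alert in unexpected_flows(FLOWS, INVENTORY, BASELINE):
        print("unexpected for role:", alert)
```
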

For more information about how Armis helps healthcare delivery organizations, check out our white paper.