Data breaches in the healthcare sector cost upwards of $6 billion per year, with the average cost of a single data breach topping $4 million, according to IBM and the Ponemon Institute.

The best plotlines in fiction are often based on reality, giving them a scary edge and chilling ring of truth. One such plotline was the subject of Showtime’s “Homeland” series: the fictional Vice President of the United States dies of a heart attack triggered by cyberattackers who hacked into his pacemaker.

This is terrifying precisely because it not only could happen, but breaches in medical devices—including pacemakers—have already been reported (prompting real-life former Vice President Dick Cheney to ask his doctors to disable the wireless in his pacemaker).

“Everything that makes healthcare more efficient, every access point, new device, or algorithm, for every positive there’s a negative: risk and vulnerability,” warns Tom Ridge, the first secretary of the U.S. Department of Homeland Security.

That’s because the “internet of things,” which has become the “internet of everything,” wasn’t designed to be secure.

Healthcare is among the most targeted industries for cyber attackers because of the wealth of data that can be accessed. In 2017, more than 500 patient records affecting over 4.7 million people were breached at 295 healthcare providers. Data breaches in the healthcare sector cost upwards of $6 billion per year, with the average cost of a single data breach topping $4 million, according to IBM and the Ponemon Institute. Additionally, the average HIPAA settlement fine is $1 million.


It was only a matter of time before the IoT opened healthcare organizations to attack through medical devices.

Orangeworm prognosis unclear

Orangeworm, a derivative of the Kwampirs virus, is the first widespread attack known to have deliberately targeted medical devices. This is a wake-up call for a lot of people. We have long known that it’s possible and we’ve talked about it a lot, but now it’s actually happening: attackers are using medical devices as the attack vector to get into hospital systems.

Known to be targeting medical devices, hospitals, and consultancies, the virus appears to be in the advanced staging phase—it has gotten inside systems all around the world and is taking an inventory and capturing a fingerprint of all those systems, learning as much as possible in preparation for attack.

To date, there is no indication that Orangeworm exfiltrates patient data or images, but it does appear that intelligence is sent to the attackers. There has been no indication that this attack alters the state of the device.


The attackers haven’t identified themselves and we don’t yet know what the ultimate goal of the attack is.

Racing against the clock

The potential for harm or even the death of a patient as a result of a cyberattack, however, is like a ticking bomb the cybersecurity world is racing to defuse.

One reason we worry about medical devices is that we know how vulnerable they are. We’ve logged an average of 6.2 vulnerabilities per medical device. In addition, 60% of devices are at end-of-life stage, with no patches or upgrades available.

It takes time for manufacturers to beef up security, and we know that hospitals and other healthcare organizations routinely wring as much life from devices as possible, averaging 20+ years of use per device. It’s a combination that’s just ripe for the cyberattackers’ picking.


We believe that this attack will expand to include VOIP, HVAC, O2 systems, and other internet-connected devices.

This attack should be taken very seriously. Below are actions every healthcare organization should be taking to protect against Orangeworm and other attacks:

Conduct a medical device exposure assessment. It is critical to determine which devices are external-facing and validate who they are communicating with. It is also important to understand the operating system running on each device, as this attack seems to target Windows-based systems.

Segregate devices. The best way to protect your critical systems and data is to segregate devices so that traffic can be quickly cut off in the event of an attack. The systems and information that are of highest importance and sensitivity should be segregated from other less critical systems.


Monitor device operations. It is important that you educate clinical engineering teams in regard to this threat. Any reported anomaly (rebooting, slowness, change in behavior) should be reported to your IT Security team.

Evaluate your supply chain. You should reach out to your supply chain partners in order to understand their awareness of this threat. In many cases the payload is being delivered through a supply chain interaction. Medical device manufacturers are not the only ones being targeted by this group. This attack is compromising IT vendors who commonly work with hospitals.

Review network SMB shares. You must review your server message block (SMB) shares and ensure that you are minimizing exposure. Ensure that any required shares are correctly patched and that you have appropriate security controls in place.

Check for Windows XP. If you have any Windows XP systems (HIM, RIS, Lab, RCM, Faxing, etc.) in your environment, you should be especially careful in protecting against this attack. The malware runs readily in Windows XP environments.


Analyze logs. Examine logs for communication to command and control servers. If you would like a list of those servers, please contact Sensato at [email protected]

Stay Informed. Enroll in an Intelligence Security Organization (ISO) to keep up-to-date on the latest cybersecurity threats and learn from a global network about new developments in security and best practices.
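The log-analysis, segregation and Windows XP steps above can be combined into a single triage pass over firewall logs. The following is an added example and not Sensato’s own tooling: it assumes a simplified key=value firewall log format, a constructed device inventory, and a placeholder C2 indicator list (the real server list is not on this page and must come from your intelligence provider). It flags allowed connections to listed indicators, SMB (port 445) traffic from medical devices leaving their segment, and Windows XP devices reaching outside their segment.

```python
"""Triage firewall log lines for Orangeworm-style warning signs.

Added illustrative example, not Sensato's tooling. The C2 indicator list
is a constructed placeholder, and the inventory and log lines below are
constructed sample data in an assumed key=value firewall format.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder indicators; replace with the list from your
# intelligence provider. The .invalid TLD guarantees this never resolves.
C2_INDICATORS = {"203.0.113.45", "c2.example.invalid"}

# Constructed inventory: the segment medical devices are expected to stay
# within, and the hosts that live there (plus one ordinary workstation).
MEDICAL_DEVICE_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
INVENTORY = {
    "10.20.1.15": {"name": "infusion-pump-03", "os": "Windows XP Embedded"},
    "10.20.1.22": {"name": "mri-console-01", "os": "Windows 7"},
    "10.50.3.8": {"name": "wkstn-billing-12", "os": "Windows 10"},
}

# Assumed log format: "<timestamp> src=<ip> dst=<ip|host> dport=<n> action=<allow|deny>"
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2018-04-25T10:01:02Z src=10.20.1.15 dst=203.0.113.45 dport=443 action=allow
2018-04-25T10:01:05Z src=10.20.1.15 dst=10.20.1.22 dport=445 action=allow
2018-04-25T10:02:11Z src=10.20.1.22 dst=10.50.3.8 dport=445 action=allow
2018-04-25T10:03:40Z src=10.50.3.8 dst=c2.example.invalid dport=80 action=allow
2018-04-25T10:04:00Z src=10.50.3.8 dst=198.51.100.7 dport=443 action=deny
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for junk."""
    m = LOG_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def in_segment(addr, net):
    """True if addr is an IP inside net; hostnames are never inside a segment."""
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:
        return False


def triage(log_text):
    """Map each source host to the list of findings raised against it."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        # Denied traffic was already stopped; only allowed flows are findings.
        if event is None or event["action"] != "allow":
            continue
        src, dst, dport = event["src"], event["dst"], event["dport"]
        # 1. Any allowed connection to a known command-and-control indicator.
        if dst in C2_INDICATORS:
            findings[src].append(f"C2 contact -> {dst}:{dport}")
        device = INVENTORY.get(src)
        if device is None:
            continue
        outside = not in_segment(dst, MEDICAL_DEVICE_SEGMENT)
        # 2. SMB from an inventoried device leaving its segment: segregation gap.
        if dport == 445 and outside:
            findings[src].append(f"SMB outside device segment -> {dst}")
        # 3. An end-of-life Windows XP device reaching beyond its segment.
        if device["os"].startswith("Windows XP") and outside:
            findings[src].append(f"Windows XP device reached outside segment -> {dst}")
    return dict(findings)


if __name__ == "__main__":
    for host, issues in triage(SAMPLE_LOG).items():
        name = INVENTORY.get(host, {}).get("name", "unknown host")
        for issue in issues:
            print(f"{host} ({name}): {issue}")
```

Each finding names the clinical device from the inventory, so the output can go straight to the clinical engineering team named in the monitoring step; in practice the log format, segment ranges and indicator list all come from your own environment rather than the constructed values here.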

No Target Too Small

Don’t make the mistake of thinking that your organization is too small to be a target so you don’t need to be as strict with your security measures. No entity is too small, especially in the healthcare sector. In addition, the protections you put in place to guard against direct attacks can help you also fend off “side effect” attacks—viruses and malware that make their way into your systems through trusted partners and affiliates who have been infected.


If your organization has been compromised by Orangeworm or another malware:

  • Determine the attacker’s point of entry as quickly as possible and close that access point
  • Activate your Incident Response Team
  • Isolate the affected system or segment
  • Remove patients from affected devices
  • Notify the FBI, DHS, FDA and your cybersecurity partner immediately
  • Preserve evidence

The Future

Like a virus, cyber threats are always changing and evolving, adapting to get through our defenses, taking advantage of every new technological advancement.

Perhaps fittingly, artificial intelligence will be the future of cybersecurity. Attackers are already using AI and machine learning to make attacks more sophisticated and to help in analyzing the data they’ve accessed for its value.

On the security end, AI will be used to implement faster, automated countermeasures. Cyberattacks are so fast and so violent that humans can’t move quickly enough to defend systems effectively.


Less exciting, but just as important, will be integration. As networks have grown and organizations have focused on purchasing best-of-breed solutions, communication gets bogged down and cobbled-together systems create vulnerabilities. Integrated cybersecurity platforms can close those gaps and deliver faster, more efficient response to security alerts.

As the Orangeworm and other attacks illustrate, the sophistication of cyberattacks in the medical world is singularly urgent. Preventative security measures are the best way to ensure that a serious threat doesn’t create a critical condition for your healthcare organization.

John Gomez

John Gomez is CEO and founder of Sensato, a  healthcare and critical infrastructure cybersecurity services provider. Sensato’s programs, systems, services, training, and intelligence gathering are at


