[17] MEDJACK.3 seems to have additional sophistication and is designed to not reveal itself as it searches for older, more vulnerable operating systems only found embedded within medical devices.
In such a cyberattack the attacker places malware within the networks through a variety of methods (malware-laden website, targeted email, infected USB stick, socially engineered access, etc.)
Given this open access, once the medical devices are penetrated, the attacker is free to move laterally to discover targeted resources such as patient data, which is then quietly identified and exfiltrated.
In one of the earliest documented examples testing identified malware tools in a blood gas analyzer, magnetic resonance imaging (MRI) system, computerized tomogram (CT) scan, and x-ray machines.
In 2016 case studies became available that showed attacker presence also in the centralized PACS imaging systems which are vital and important to hospital operations.
[35] In 2019 the FDA submitted an official warning concerning security vulnerabilities in devices produced by Medtronic ranging from Insulin pumps to various models of cardiac implants.
[36] The agency concluded that CareLink, the primary mechanism used for software updates in addition to monitoring patients and transferring data during implantation and follow-up visits, did not possess a satisfactory security protocol to prevent potential hackers from gaining access to these devices.
The FDA recommended that health care providers restrict software access to established facilities while unifying the digital infrastructure in order to maintain full control throughout the process.
[36] Various informal assessments have estimated that medical device hijacking currently impacts a majority of the hospitals worldwide and remains undetected in the bulk of them.
[39][40] The United States Government Accountability Office studied the issue and concluded that the FDA must become more proactive in minimizing security flaws by guiding manufacturers with specific design recommendations instead of exclusively focusing on protecting the networks that are utilized to collect and transfer data between medical devices.