Security researchers have found tens of thousands of vital internet-connected medical systems including pacemakers and MRI scanners vulnerable to cyber attack at just one healthcare provider.
Presenting at the DerbyCon conference at the weekend, Scott Erven and Mark Collao revealed that a simple search via Shodan – a search engine for public internet-connected machines – returned thousands of healthcare organizations with discoverable equipment.
Choosing one in particular, they found at least 68,000 exposed systems including MRI scanners, drug infusion systems, cardiology and anesthesia systems.
Typical security issues included legacy devices which were not updated or patched – many running on outdated operating systems like Windows XP. Weak default or hard-coded admin credentials were also common.
In fact, in some cases the manufacturer’s advice to customers was not to change these passwords or maintenance staff wouldn’t be able to provide support, the researchers said.
In some cases, they found easily interceptable unencrypted data streams between device and web server.
These not only raise privacy concerns but also “adverse patient safety issues,” Erven argued.
And such issues do not necessarily need to involve cybercriminals.
He gave the example of two Austrian patients who managed to get hold of the hard-coded credentials of their own drug infusion pump and increased their dosage of morphine to dangerously high levels.
With the information provided by many of these unsecured devices – right down to host names and physical location in the hospital – hackers could also craft phishing attacks, said Collao.
The researchers even managed to attract tens of thousands of log-in attempts and hundreds of malicious payloads to their honeypots, designed to mimic the behavior of medical devices.
Although the hackers in those instances apparently did not know they were hitting mission-critical medical devices, they were still attacking them, the research duo said.
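The honeypot findings above translate directly into a defensive check: a device-like honeypot, or a real device's authentication log, only becomes useful once someone aggregates the attempts per source and flags the ones that matter. The script below is an added example, not the researchers' honeypot code, and its log format, the sample lines, the source addresses and the small list of vendor-default credentials are all constructed for illustration. It groups login attempts by source, counts how many used a known default credential pair, and flags sources that either hammer the device or actually get in with a default password.

```python
"""Aggregate login attempts recorded by a honeypot that mimics a medical device.

Added example; the log format is a constructed one, not any real product's.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample log: one attempt per line (timestamp, source, user, password, result).
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
2015-09-26T02:14:01Z src=198.51.100.7 user=admin pass=admin result=fail
2015-09-26T02:14:02Z src=198.51.100.7 user=admin pass=1234 result=fail
2015-09-26T02:14:03Z src=198.51.100.7 user=root pass=root result=fail
2015-09-26T02:14:04Z src=198.51.100.7 user=admin pass=password result=fail
2015-09-26T02:15:10Z src=203.0.113.9 user=service pass=service result=fail
2015-09-26T02:16:30Z src=203.0.113.9 user=admin pass=admin result=success
2015-09-26T02:17:00Z src=192.0.2.44 user=nurse pass=xxxxxxx result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"pass=(?P<pw>\S+) result=(?P<result>success|fail)$"
)

# Hypothetical vendor-default credential pairs the honeypot advertises.
# In a real deployment this list comes from the device inventory, not from guesswork.
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("service", "service")}


@dataclass
class SourceStats:
    """Per-source counters built up while scanning the log."""
    attempts: int = 0
    successes: int = 0
    default_cred_attempts: int = 0
    default_cred_successes: int = 0
    users: set = field(default_factory=set)


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Return (ts, src, user, pw, result) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("user"), m.group("pw"), m.group("result")


def summarize(log_text: str) -> Dict[str, SourceStats]:
    """Group every parsable attempt by source address."""
    stats: Dict[str, SourceStats] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, src, user, pw, result = parsed
        s = stats.setdefault(src, SourceStats())
        s.attempts += 1
        s.users.add(user)
        is_default = (user, pw) in DEFAULT_CREDS
        if is_default:
            s.default_cred_attempts += 1
        if result == "success":
            s.successes += 1
            if is_default:
                s.default_cred_successes += 1
    return stats


def flag_sources(stats: Dict[str, SourceStats], threshold: int = 3) -> Dict[str, List[str]]:
    """Return {src: [reasons]} for sources worth an analyst's attention.

    'brute_force' fires on volume alone; 'default_credential_success' fires on a
    single successful login with a vendor-default pair, which is the finding the
    device owner most needs to act on (change the credential, isolate the device).
    """
    flagged: Dict[str, List[str]] = {}
    for src, s in stats.items():
        reasons = []
        if s.attempts >= threshold:
            reasons.append("brute_force")
        if s.default_cred_successes:
            reasons.append("default_credential_success")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in flag_sources(summarize(SAMPLE_LOG)).items():
        print(src, ", ".join(reasons))
```

Two design points: the default-credential success is flagged regardless of volume, because on a device whose vendor tells customers not to change the password, one quiet login is the event that matters; and malformed lines are skipped rather than fatal, since honeypot logs routinely contain junk sent by scanners.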
Erven claimed the research highlights the urgency of “building security into the engineering and design phase of these devices.”
Caroline Rivett, director at KPMG’s cyber security practice, agreed.
“Otherwise devices are vulnerable to hackers causing a safety issue and loss of confidential patient information,” she argued. “Solving this will require co-ordination between device manufacturers and healthcare regulators.”