In-brief: Thousands of clinical systems are exposed to remote attacks according to researchers, who say that poorly designed and loosely configured medical devices are a major source of insecurity.
Researchers looking into the security of medical devices have found thousands of sensitive systems that are exposed to the Internet and vulnerable to remote attack, including drug infusion systems, MRI imaging machines, anesthesia systems and more.
The researchers combined searches for vulnerable medical devices using the Shodan search engine with further reconnaissance. They discovered information on 68,000 systems, many of which could be attacked directly from the public Internet. Also exposed were third party organizations and healthcare systems, including external radiology clinics.
Among the organizations exposed by way of vulnerable medical devices was a “very large US healthcare system” with more than 12,000 employees and 3,000 physicians working for it, according to Scott Erven of the firm Protiviti said at the conference.
Erven and Mark Collao, of Neohapsis (now owned by Cisco), presented their findings at the Derbycon security conference in Louisville, Kentucky, on Saturday. Erven has spent three years researching medical device security and has presented evidence that medical environments are rife with vulnerable devices, many containing valuable and regulated patient health information. He has presented some of the findings of his research before, including this talk at the 2014 DEFCON conference in Las Vegas.
The researchers found many of the vulnerable systems simply by using the Shodan search engine to look for hosts that were listening for connections on potentially vulnerable ports like 445, which is used by Windows systems for SMB (Server Message Block) traffic used to manage file sharing and other sensitive activities.
The researchers limited their searches to host names with words like “health,” “clinic,” “hospital” or “MRI,” that suggested they were deployed in clinical settings. Even then, the Shodan searches turned up hundreds and even thousands of publicly accessible systems, Erven said.
Common medical systems like PACS – which is used to store radiologic imagery – are “soft” he said. While the front end-user interfaces to these systems might require authentication to access, those systems typically talk to back-end storage systems that are very often accessible without authentication, Erven said. “Most don’t have NTFS permissions set on the back-end storage. You can just walk in via the IP (address) and grab all these files that are sitting there,” he said.
[Read more Security Ledger coverage of medical device security here.]
Collao said medical environments are susceptible to many different types of attacks. Most hospitals are loosely controlled environments where individuals can easily walk in and get access to a terminal in an unused room. Even without remote access to an entire medical network, an attacker could combine reconnaissance conducted online by perusing vulnerable systems with physical access to the facility to gain access.
Phishing attacks on employees and clinical staff are also a reliable technique, especially when combined with information gleaned through reconnaissance.
Finally, attackers can easily pivot from exposed clinical systems which often run older versions of Windows to more valuable and secure systems connected to the same network, Collao said.