A new report presented at the DerbyCon Security Conference on Tuesday has revealed serious medical device security vulnerabilities.
The medical device security vulnerabilities are present in a wide range of devices used in hospitals and clinics, and the vulnerabilities could potentially be exploited by hackers seeking data to use for identity theft and fraud.
Patient data is being recorded and stored on medical devices and computer equipment, and those devices are linked to internal networks. However, many devices are also directly accessible via the internet. Since the devices are networked, there is a risk that internal systems can be infiltrated by malicious insiders if access to medical devices can be gained.
The problem is not just one of data exposure. If access to data is gained, medical records could potentially be altered, which could have far more serious consequences for patients than suffering financial losses from identity theft. Test results could be changed and treatment plans altered, which potentially has life-threatening consequences for patients.
In order to assess devices for security risks, the team of researchers used a search engine called Shodan, which can be used to find medical devices connected to the internet. They entered search terms such as “radiology”, and were presented with details of a wide range of medical devices such as x-ray machines, MRI scanners, drug infusion pumps and other medical equipment.
Medical Device Login Names and Passwords are Freely Available on the Internet
Alarmingly, many healthcare providers had networked their medical devices, yet had not taken steps to ensure they were secure. One of the most common medical device security vulnerabilities discovered was the failure to change default logins and passwords that had been set by the manufacturers of the devices.
As with standard home routers, manufacturers set basic login information which healthcare providers can use to access the devices. However, the login credentials are generic, and can be found in publicly available documentation supplied by the manufacturers. All that is needed to gain access to the devices is the manufacturer documentation, and the unique addresses of the equipment.
Hackers could easily use that information to gain access to the devices, the data stored, and even the computer networks to which the devices are connected.
While this may appear to be negligence on the part of healthcare providers, in a number of cases the users of the devices were warned in documentation supplied by the manufacturers that changing the default logins and passwords could potentially make them ineligible to receive IT support.
The researchers conducted their study on devices supplied by GE Healthcare, although the problem is not confined to that company’s machines. Medical device security vulnerabilities are a problem that exists with many manufacturers of medical devices. Any manufacturer could have been chosen and the study would have produced similar results. The researchers did point out that once the medical device security vulnerabilities were discovered, and GE Healthcare was alerted to the problem, action was rapidly taken to address those risks.
The researchers also discovered that even when passwords were changed, they were not particularly hard to guess. Login names such as admin, username, operator and administrator were frequently used, with “bigguy” being one of the most commonly used passwords.
To a hacker, the lack of security controls would be laughable; however, as one of the researchers – Scott Erven – pointed out, even patients have been able to access their own drug pumps to increase their morphine doses.
How Real is the Threat from Medical Device Security Vulnerabilities?
How often are hackers looking for medical equipment? Alarmingly frequently, it would appear.
Hackers have already started to take advantage of medical device security vulnerabilities according to the researchers, in many cases taking advantage of the MS09-067 Windows vulnerability. The researchers did not determine that hackers were specifically targeting medical devices, but regardless, medical devices were still being hacked.
The team set up 10 different “honeypots” which mimicked medical devices. During the study the researchers discovered 55 successful logins took place, 24 exploits were found and 299 items of malware discovered.
Additionally, the researchers discovered that one healthcare provider had failed to install the most basic of security controls. The team found the host names of 68,000 items of medical equipment, including their exact location within the facility as well as the physicians assigned to the devices. Descriptions of what the device was used for were also available.
That information is exactly what hackers need to conduct spear phishing campaigns to target specific physicians. The risk of data exposure through medical devices is therefore not just theoretical. These devices pose a major risk to healthcare data security and patient health.