Share this article on:
How secure are medical devices? According to a data security study presented at the recent DerbyCon Security Conference, not very, it would appear.
Not only can hackers gain access to MRIs, drug infusion pumps, X-ray machines and other radiology and medical equipment, even a couple of patients have discovered they can access their drug pumps and increase their morphine dosage. In some cases it doesn’t actually take much technical skill at all to gain access to medical devices. A quick search on the internet can reveal the login credentials for machines from many manufacturers.
Of course, anyone looking to gain access to a medical device, and potentially the network it is connected to, would need to know where to look. That is not a difficult task, according to the researchers. The search engine Shodan contains lists of thousands of networked medical devices, and even gives names of the devices, what they do, where they are located (what hospital and where exactly in that hospital) and even the doctors who are assigned to use the equipment in some cases. The latter is worrying, as if access cannot be gained, they can find out the people they need to target through spear phishing campaigns.
The researchers were able to use the search engine to obtain details of thousands of devices by simply searching for “radiology” on Shodan. “Podiatry” and other general terms also produced a high number of results.
The team “found detailed information about more than 68,000 devices, including host names, a description of what the equipment does, its physical location in the hospital and the physicians assigned to it,” according to researcher, Mark Collao. And that was just one healthcare provider.
Alarming Medical Device Security Vulnerabilities Discovered
Healthcare laptops and desktops are often used to store unencrypted health data and personal information of patients. If the devices can be obtained or accessed, the data they contain can be used to commit identity theft and fraud. However, if malicious outsiders are able to gain access to medical devices, in addition to using the devices as an easy entry point into a network, they could also potentially change data such as test results, treatment plans and drug doses. Such changes could have life-changing consequences for the patient. It is therefore essential that the devices are secured.
However, the medical devices tested by the researchers showed that oftentimes, little or no security controls have been installed other than passwords and login names. More worrying, is that password controls are lax and often the manufacturers generic login credentials are not changed.
Gaining access to the devices could be as simple as entering admin/password. Even when passwords have been changed, many administrators choose new passwords that could easily be guessed. Scott Erven, one of the researchers investigating medical device security, created a password cloud. It showed the most common logins and passwords used to secure medical devices. Many logins could be easily guessed. Administrator, root, and service were all commonly used, although bigguy appeared to be the most common.
Healthcare Providers are Making it Too Easy for Hackers
The researchers used just one company’s medical devices to test security: GE Healthcare, although this device manufacturer is no different to others. The researchers pointed out that they could have chosen any company and produced similar results.
They discovered numerous cases where default passwords had not been changed, and furthermore the login credentials are publically available on the internet. Why would anyone not change the default passwords? Oversight perhaps, or being unaware that the devices were accessible via the internet also. But in some cases, users were being deterred from making changes from the default settings. Manufacturers of the devices often need to access the equipment to provide technical support, and some tell their clients not to make changes to the login information as doing so would make them ineligible to receive support.
The Medical Device Hacking Risk Serious
How serious is the threat of the devices actually being hacked? The researchers decided to investigate to find out whether hackers and malicious outsiders are trying to take advantage of poor security controls. To do this they set up 10 dummy devices – “honeypots” – which had been designed to appear as legitimate devices.
The honeypots, like real MRIs and X-ray machines, could be located via the internet. The researchers did point out that they found no evidence that the equipment had been specifically targeted for being medical devices, but they were being targeted nonetheless. During the period under test, the researchers discovered 55 successful logins, 24 exploits and 299 pieces of acquired malware.
This important piece of research should send alarm bells ringing with any healthcare provider. It should also prompt a full risk assessment to determine whether the medical devices being used are actually an open door into the network.
It is also worth noting that HIPAA requires all equipment and systems capable of recording, storing, or transmitting data to be subjected to a risk assessment to identify security vulnerabilities. The results from this study show there are a considerable number of HIPAA violations being committed by healthcare providers.
It would appear that many healthcare providers are not including networked medical devices in their risk assessment: A potentially serious violation of HIPAA Rules. Come the HIPPA compliance audits, violations such as this may well be discovered. And if that happens, heavy fines could follow. Worse still, the devices could be used as a gateway to a network and stored healthcare data.