Thousands of Medical Devices Are Open to Hacking Over the Internet


Security researchers claim that at least 68,000 medical systems — like MRI scanners and infusion systems — from a “large, unnamed US health group” are accessible online for hackers to attack.


Researchers Scott Erven and Mark Collao explained at the hacking conference DerbyCon that they were able to access the interfaces of many medical devices using the search engine Shodan, which hunts specifically for internet-connected devices. The pair explained that through smart searches they were able to build up a detailed picture of devices used by the particular health organisation, including details about where medical devices were in a particular building.

It’s not just device data that’s available, though: the team reports that they were able to identify “direct attack vectors,” that could be used to steal patient data from the devices, too.

The team also explained that for six months they ran software that purported to be an MRI and a defibrillator, as a honeypot for hackers. Over that period they observed thousands of attempts to log in to the devices and 299 attempts to install malware upon them, suggesting the same thing happens in hospitals around the world. That could be a problem because, as Collao explained to The Register, “[medical devices] are all running Windows XP or XP service pack two … and probably don’t have antivirus because they are critical systems.”
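The honeypot figures above (login attempts versus malware-install attempts) come from triaging the honeypot's event log. As an added example that is not the researchers' tooling, the script below does that triage over a few constructed event lines, assuming a simple hypothetical `time src-ip event detail` log format; it counts login attempts per source, records which sources got a successful login, and treats the write of an executable file onto the fake device as an attempted malware install.

```python
"""Triage of honeypot events: constructed sample data and an assumed log format."""
import re
from collections import Counter

# Assumed line format (hypothetical): "<ISO time> <src ip> <event> <detail>"
LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\w+) (.*)$")
# File types whose write onto the fake device we count as a malware-install attempt
EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".scr")

# Constructed sample events (documentation IP ranges, not real sources)
SAMPLE_EVENTS = """\
2015-03-01T02:11:04Z 198.51.100.7 login_attempt user=administrator
2015-03-01T02:11:05Z 198.51.100.7 login_attempt user=admin
2015-03-01T02:11:06Z 198.51.100.7 login_success user=admin
2015-03-01T02:11:40Z 198.51.100.7 file_write path=C:\\Windows\\Temp\\svchost.exe
2015-03-01T02:12:01Z 198.51.100.7 file_write path=C:\\Windows\\Temp\\run.bat
2015-03-01T03:30:12Z 203.0.113.9 login_attempt user=root
2015-03-01T03:30:13Z 203.0.113.9 login_attempt user=root
2015-03-01T03:30:14Z 203.0.113.9 login_attempt user=root
2015-03-01T04:02:55Z 192.0.2.44 file_write path=C:\\Users\\Public\\notes.txt
this line is not parseable and must be skipped, not crash the triage
"""

def parse_event(line):
    """Return a dict for a well-formed event line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, event, detail = m.groups()
    return {"ts": ts, "src": src, "event": event, "detail": detail}

def triage(text):
    """Summarise login pressure and install attempts per source address."""
    logins, installs, compromised, skipped = Counter(), Counter(), set(), 0
    for raw in text.splitlines():
        ev = parse_event(raw)
        if ev is None:
            skipped += 1          # keep going: one bad line must not hide the rest
            continue
        if ev["event"] == "login_attempt":
            logins[ev["src"]] += 1
        elif ev["event"] == "login_success":
            compromised.add(ev["src"])
        elif ev["event"] == "file_write":
            path = ev["detail"].partition("=")[2].lower()
            if path.endswith(EXEC_SUFFIXES):
                installs[ev["src"]] += 1
    return {"login_attempts": sum(logins.values()),
            "install_attempts": sum(installs.values()),
            "sources_with_success": sorted(compromised),
            "top_login_sources": logins.most_common(3),
            "install_sources": sorted(installs),
            "unparsed": skipped}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```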

It’s not, of course, the first time that the digital security of medical instruments has been called into question. Malware is said to be “rampant” in hospitals, and earlier this year it came to light that hackers could hijack drug infusion pumps. Clearly something needs to be done — but knowing where to start is perhaps the biggest problem.

[BBC, The Register]

Image by Philip Dean under Creative Commons license.

I used to work for one of the biggest county hospitals back in my home state. Actually I worked for one of the biggest pharmaceutical companies in the world, and did IT at said hospital through them. The bit about PCs running outdated OS software is all too true. “Sorry but our shit proprietary software will not run on anything but outdated machines!” “Sorry, we cannot update IE6 to IE9 because this other shit proprietary software needs it.” It was a freaking nightmare. Also not to mention we were not allowed to lock down the internet so nurses would stay the fuck away from wallpaper sites and download viruses and malware instead. Not that the nurses had any say in the matter, it was the doctors. They needed all computers to have unrestricted access so they could look up medical information (i.e. porn). We were not there to keep people from surfing porn and fucking up the computers, we were there to keep the computers running so they could surf porn.

Also no matter how much information, diagrams, PowerPoint presentations you put together, you could not convince logistics to buy what you needed to secure all systems. Hospitals are reactive, not proactive. It was not until a very expensive, very valuable, very important database was hit by what the admins called a “man in the middle” attack that the hospital finally gave us what we needed. The damage caused was calculated in the hundreds of thousands. Not to mention we had to go to every freaking PC and install a custom patch made by Symantec to fix everything. It was a solid month before we got everything back to working order.

You ask where to start? Start at convincing the bean counters that upgrades NEED to be bought. Have those same bean counters demand software that will run on current and secure machines from their vendors. Until those two things happen, this will never change.