Cyber Security Blunders Rife in Hospital Networks

The review followed a two-year investigation into the security of all medical equipment maintained by the Essentia, a healthcare facility operator that runs 100 facilities, including clinics, hospitals, and pharmacies, in four US states.

In that investigation, the researchers encountered drug infusion pumps that could be remotely manipulated to change dosages delivered to patients; Bluetooth-enabled defibrillators that could be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; and temperature settings on refrigerators storing blood and drugs that could be reset to cause spoilage. In some cases data leaking to the internet from every computer and device on a hospital’s internal network, which could allow hackers to easily locate and map systems to conduct targeted attacks.

The researchers found that the data leaks were the result of network administrators enabling Server Message Block (SMB), on computers facing the internet and configuring it in such a way that allows data to broadcast externally using port 445. SMB is a protocol commonly used by administrators to help quickly identify, locate, and communicate with computers and equipment connected to an internal network. With SMB, each system is assigned an ID number or other descriptor to help distinguish, say, the PC in a doctor’s office from surgical systems in an operating room or testing equipment in a laboratory.

In at least one case, a large health care organization was reporting 68,000 systems connected to its network, including at least 488 cardiology systems, 332 radiology systems, and 32 pacemakers,. At this and every other facility that was leaking data, the problem was an internet-connected computer that was not configured securely. Quite often, the researchers found, these systems also were using unpatched versions of Windows XP still vulnerable to an exploit used by the Conficker worm six years ago. The findings were presented at the Shakacon Information Technology (IT) Security Conference, held during June 2014 in Honolulu (HI, USA).

“SMB problem is just one security issue that health care organizations are facing. The problems exist because the security teams at these organizations are too often focused solely on checking off boxes to meet government regulations for protecting data, while failing to conduct penetration testing and vulnerability maintenance to really test their systems and secure them the way the security teams at banks and other financial organizations do,” said study presenter Scott Erven, head of information security for Essentia Health, who conducted the study together with Shawn Merdinger, an independent security researcher and analyst.

“We started running organization searches to identify hospitals, clinics, and other medical facilities and we quickly realized this is a global health care organization issue - thousands of organizations [that are leaking this information] across the world,” added Erven in an interview with Wired magazine. “In this case, the vulnerability could be easily fixed by simply disabling the SMB service on external-facing systems or reconfiguring it so that it only broadcasts data internally on the hospital’s local network instead of broadcasting it out to the internet for hackers to see.”

Related Links:
Essentia Health