Security researchers Scott Erven and Mark Collao have recently found that thousands of critical medical systems and devices such as MRI machines and nuclear medicine devices are vulnerable to online hackers. The researchers recently told The Register that there is a very large, unnamed US healthcare organization unknowingly exposing more than 68,000 medical systems to attacks. The organization employs about 12,000 staffers and more than 3,000 doctors.
The security researchers were able to detail exactly what kind of devices were exposed to online attacks. They claim 21 anaesthesia, 488 cardiology, 67 nuclear medical, 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications gear were exposed recently. The organization that Erven and Collao identified is just one of thousands of organizations across the globe with equipment discoverable through Shodan, a search engine that looks for things on the public Internet.
This report is yet another blow for a healthcare industry that seems to lag behind other industries when it comes to the adoption of rather simple technological advances like online security. "Once we start changing [Shodan search terms] to target specialty clinics like radiology or podiatry or pediatrics, we ended up with thousands with misconfiguration and direct attack vectors," Erven said. "Not only could your data get stolen but there are profound impacts to patient privacy."
The main reason these devices are so accessible is because they are all running rather old versions of Windows. Usually they are running Windows XP or XP service pack two. They also likely don’t have any kind of antivirus software because they are critical systems, according to the researchers. At the same time, Erven says that adding much-needed security steps is not that difficult, as long as the health care industry can actually realize just how vulnerable their devices are.
Edited by
Kyle Piscioniere
