Healthcare // Security & Privacy
09:06 AM

Healthcare Devices: Security Researchers Sound Alarms

Default usernames, weak passwords, and widespread Windows XP Embedded systems are cause for concern, SANS Institute researchers say.

one-quarter of healthcare respondents said all their routers still used default IP addresses, versus an overall average of 41%. But 37% of healthcare organizations -- versus 14% of organizations on average -- reported that all of their routers were using WiFi Protected Setup (WPS), which is a flawed networking standard that can be compromised to gain access to the device.

For organizations tasked with protecting people's personal medical data -- and which must comply with the Healthcare Insurance Portability and Accountability Act -- is there any excuse for more than one-third of them still using WPS?

Furthermore, 51% of IT professionals in the healthcare sector said their employees work remotely -- versus an overall average of 43% -- which means that securing remote-access technologies is especially important for the healthcare sector.

According to the Norse report, however, the most frequently compromised systems -- accounting for almost one-third of the malicious healthcare IP addresses detected during its study -- were healthcare organizations' remote-access VPN systems. According to Norse, those systems were most likely compromised because the organization wasn't enforcing a strong password policy. According to the SANS study, "without a strong password policy in place, even strong SSL VPN authentication can be easily compromised by brute-force password guessing or dictionary attacks."

Patching devices: Some hospitals lag
Beyond strong password policies, another recurring healthcare IT problem is poor patch hygiene, especially for devices that run firmware based on older or outdated operating systems. "A lot of equipment that you find in hospitals is actually hardware that's running Windows XP Embedded, and it's not getting patched on a regular basis," said Tripwire's Young.

Part of the problem is that, after Microsoft issues an update or security fix, vendors must build a new version of their firmware and then test every system that uses the firmware -- to ensure that X-ray machines, for example, still behave as they should -- before distributing it to customers. Until that happens, healthcare organizations remain exposed to attackers targeting known vulnerabilities.

Even when those patches arrive, applying them takes further time. For example, whereas a retailer with 100 or 1,000 identical point-of-sale systems might be able to push firmware updates from a central server -- such as Microsoft's System Center Configuration Manager -- most medical facilities sport a very heterogeneous medical device infrastructure. "On a lot of these devices... you need to get new software from the vendor, go to the device, turn it off and on, and use media that will replace all the software on the device," said Young. Doing so will likely wipe all presets and require the devices to be reconfigured. "An X-ray machine, an MRI machine, a dialysis pump: all sorts of things that are going to need individual configurations."

Windows XP Embedded life support ends
What happens when security fixes are no longer available for medical devices, yet those devices are vulnerable to known attacks? Microsoft will cease supporting not only Windows XP on April 7, but also Windows XP Professional for Embedded Systems, on which many medical devices run.

Microsoft said Feb. 17 that four other versions of Windows XP Embedded will continue to be supported -- meaning they'll still get patched -- since they've been released more recently. For example, Windows XP Embedded SP3 will be supported until 2016. Windows Embedded POSReady 2009 -- for POS systems -- will be supported until 2019.

However, just because Microsoft stops issuing patches doesn't mean devices that run the unsupported operating system will be scrapped. This month, for example, researchers at Qualys obtained a second-hand version of a type of X-ray scanner used by Transportation Security Administration screeners in airports -- also used at embassies and court buildings -- and found that the machine was running Windows 98 and stored access credentials in plain text, which could allow an attacker to take over the systems, e.g., to project fake images. That example doesn't hail from the healthcare field, but it does show that devices don't die just because an operating system vendor announces that the software has reached its "end of life."

Vulnerable devices: Attackers' stepping stones
Besides exploiting vulnerable network-connected devices, attackers can use them to launch exploits against other sites. "All of these compromised devices, not only are they available to be used for a breach of data, but they're also used as attack points against other adversaries," Norse's Glines said. They "just give attackers more options for launching attacks."

Over the past couple of weeks, Johannes Ullrich, CTO of the SANS Internet Storm Center, has detailed the discovery of a worm, named "TheMoon," that uses a series of exploits to compromise some types of small-office routers, including the Linksys E product line.

According to a blog post from the security researcher Bernardo Rodriques, the worm was used to build a "stealth router-based botnet" -- thought to comprise at least 1,000 exploited devices -- that's been launching distributed denial-of-service attacks against dronebl, which is billed as being a "database of abusable and 'rooted' machines."

The worm wasn't built to target PCs -- meaning anything built on an x86 processor -- but rather to target MIPS-based Linux devices, including some types of the aforementioned Linksys routers. In addition, vulnerable devices must have telnet, SSH, or the web-based interfaces enabled via the WAN -- none of which Linksys ships enabled by default -- as well as have weak username and password combinations or else weak firmware daemons, said Rodriques.

This is hardly the first time that security researchers have sounded warnings about non-PC, network-connected devices that can be compromised

Next Page

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

2 of 3
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Author
2/24/2014 | 12:44:22 PM
Re: Interesting points
And don't forget death by pacemaker malfunction in the first season of Homeland, which was based on real-word possbilities if you can believe Dick Cheney and other media reports. 
User Rank: Author
2/24/2014 | 12:02:58 PM
Interesting points
Credit card fraud via dialysis machines? That sounds like a bad novel. The Windows XP embedded concerns apply to industries outside healthcare of course -- but as Mat points out, I'm not sure we even understand yet what bad actors will do once they have hacked medical records.
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
2/24/2014 | 10:17:02 AM
No Surprise
It's no surprise to find these kinds of configuration flaws and process problems. It can be hard to do security right, particularly for organizations that haven't considered themselves a target and haven't put the right resources into place. But healthcare is going to go through the same pains as enterprises and retailers.
Healthcare Data Breaches Cost More Than You Think
Healthcare Data Breaches Cost More Than You Think
Healthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.