2/24/2014
09:06 AM

Healthcare Devices: Security Researchers Sound Alarms

Default usernames, weak passwords, and widespread Windows XP Embedded systems are cause for concern, SANS Institute researchers say.


Who wants to be hooked up to a kidney dialysis machine that's been compromised by fraudsters?

That's one alarming prospect facing hospital goers, according to a "Healthcare Cyberthreat Report" published this week by the SANS Institute (registration required). The study is based on data collected from September 2012 to October 2013 by the security vendor Norse via millions of endpoint sensors and honeypots located in enterprise networks, large-scale datacenters, and major Internet exchanges. It reveals widespread health-network configuration and patching problems, as well as other fundamental errors involving information security.

As a result, during that 13-month period, researchers found evidence that 375 different healthcare networks had been compromised by attackers. "We were shocked at [the number of] devices that were wide open to the Internet that would provide adversaries with considerable power and access not only for a breach, but -- for those who are skilled -- even to conduct malicious acts," Sam Glines, CEO of Norse, told us by phone.


Overall, the report found that the most frequently compromised types of health organizations were healthcare providers (in 72% of cases), followed by healthcare business partners (10%), health plans (6%), and pharmaceutical concerns (3%). Meanwhile, the list of compromised healthcare services and devices included VPN servers, surveillance cameras, radiology equipment, videoconferencing equipment, and home healthcare monitoring devices. "When we started seeing dialysis machines being used to conduct fraudulent credit card transactions a few months ago, we knew things were pretty bad," Glines said.

Device configuration errors undercut network security
When it comes to attackers being able to compromise healthcare networks, poorly configured devices are largely to blame, including not only VPN systems, but also VoIP servers. One example cited by Norse was an Internet-accessible VoIP system with an HTTP login page, which would be susceptible to brute-force attacks, or having a user's credentials sniffed if the site were accessed using public WiFi.

Many healthcare networks also appear to be using devices for which the default -- and publicly known -- admin usernames haven't been changed. In other cases, security administrators have failed to give each device a unique password.


For example, researchers found a "network infrastructure profile" document for a healthcare organization on 4shared.com -- a Pastebin-like site -- that "includes IP addresses of core networking infrastructure, firewalls, and even the patient health records system inside the organization," according to a research document shared by Norse. The document also reveals that both the organization's SonicWall firewall and SigmaSafe electronic health records (EHR) system -- among other systems -- are set to use their default admin usernames. In addition, they all share the same password, which ends with a six-number sequence that begins with the number one and ends with the number six.
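One way to check a device inventory for the three weaknesses described above (cleartext HTTP login pages, unchanged default admin usernames, and one password shared across devices), as an added example that is not from the article or the Norse report. The inventory, field names, default-name list, and password fingerprints are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Assumed list of generic default admin names; extend it from vendor documentation.
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root"}

# Constructed sample inventory (not data from the report). "password_fp" is an
# assumed keyed hash exported from a credential vault, never the password itself.
INVENTORY = [
    {"name": "fw-edge", "login_url": "https://10.0.0.1/", "internet_facing": True,
     "admin_user": "admin", "password_fp": "fp-a1"},
    {"name": "ehr-app", "login_url": "https://10.0.0.20/", "internet_facing": False,
     "admin_user": "Admin", "password_fp": "fp-a1"},
    {"name": "voip-gw", "login_url": "http://198.51.100.7/login", "internet_facing": True,
     "admin_user": "voipops", "password_fp": "fp-b2"},
    {"name": "vpn-1", "login_url": "https://198.51.100.8/", "internet_facing": True,
     "admin_user": "netops-vpn", "password_fp": "fp-c3"},
]


def audit(inventory):
    """Return {device name: [findings]} for devices with at least one finding."""
    findings = defaultdict(list)
    by_fingerprint = defaultdict(list)
    for dev in inventory:
        # Default, publicly known admin username left unchanged.
        if dev["admin_user"].strip().lower() in DEFAULT_ADMIN_NAMES:
            findings[dev["name"]].append("default-admin-username")
        # Login page served over plain HTTP: credentials can be sniffed in transit.
        if urlparse(dev["login_url"]).scheme.lower() == "http":
            tag = "cleartext-login"
            if dev["internet_facing"]:
                tag += "-internet-facing"
            findings[dev["name"]].append(tag)
        by_fingerprint[dev["password_fp"]].append(dev["name"])
    # The same password fingerprint on several devices means one leaked
    # credential opens all of them.
    for names in by_fingerprint.values():
        if len(names) > 1:
            for name in names:
                peers = ",".join(sorted(n for n in names if n != name))
                findings[name].append("shared-password:" + peers)
    return dict(findings)


if __name__ == "__main__":
    for device, issues in sorted(audit(INVENTORY).items()):
        print(device, "->", "; ".join(issues))
```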

Warning: Small office device vulnerabilities abound
But not every device vulnerability traces to poor password hygiene, according to research recently conducted by the security firm Tripwire. "We were looking through consumer routers -- primarily products that are marketed for home users, but which also make their way into real estate offices, small medical practices, car dealerships -- which are made with features in mind, but not really security in mind," Craig Young, a Tripwire security researcher, told us by phone.

In particular, Tripwire reviewed the 50 top-selling routers available on Amazon and found that at least 74% of them are vulnerable to some type of attack. Though Tripwire didn't get its hands on all those routers, 34% of them were vulnerable to attacks that had been published to exploit sites such as Exploit Database and Packet Storm. But another 40% sported vulnerabilities that Tripwire's researchers, with a bit of hands-on testing, were able to discover after investing only a modicum of time and energy.

Tripwire has notified the relevant vendors, but patches have yet to be issued for all the vulnerable devices. Furthermore, when patches are released, few device owners learn about them unless they happen to access their device's configuration screen and update the firmware. According to a recent survey conducted by Tripwire, 68% of consumers said they didn't know how to update the firmware on their wireless router.

Healthcare security is better than some industries
In the medical realm, of course, IT departments are meant to hold their business to a higher standard, and according to further research from Tripwire, the healthcare sector scores better than some industries -- though there's still substantial room for improvement.

For example, 76% of healthcare IT professionals surveyed by Tripwire reported that they'd changed the default IP address of their corporate wireless routers, versus an average of 59% of respondents overall. Only


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
Marilyn Cohodas,
User Rank: Author
2/24/2014 | 12:44:22 PM
Re: Interesting points
And don't forget death by pacemaker malfunction in the first season of Homeland, which was based on real-world possibilities if you can believe Dick Cheney and other media reports.
Laurianne,
User Rank: Author
2/24/2014 | 12:02:58 PM
Interesting points
Credit card fraud via dialysis machines? That sounds like a bad novel. The Windows XP embedded concerns apply to industries outside healthcare of course -- but as Mat points out, I'm not sure we even understand yet what bad actors will do once they have hacked medical records.
Drew Conry-Murray,
User Rank: Ninja
2/24/2014 | 10:17:02 AM
No Surprise
It's no surprise to find these kinds of configuration flaws and process problems. It can be hard to do security right, particularly for organizations that haven't considered themselves a target and haven't put the right resources into place. But healthcare is going to go through the same pains as enterprises and retailers.