Healthcare Devices: Security Researchers Sound Alarms - InformationWeek


Default usernames, weak passwords, and widespread Windows XP Embedded systems are cause for concern, SANS Institute researchers say.


Who wants to be hooked up to a kidney dialysis machine that's been compromised by fraudsters?

That's one alarming prospect facing hospital goers, according to a "Healthcare Cyberthreat Report" published this week by the SANS Institute (registration required). The study is based on data collected from September 2012 to October 2013 by the security vendor Norse via millions of endpoint sensors and honeypots located in enterprise networks, large-scale datacenters, and major Internet exchanges. It reveals widespread health-network configuration and patching problems, as well as other fundamental errors involving information security.

As a result, during that 13-month period, researchers found evidence that 375 different healthcare networks had been compromised by attackers. "We were shocked at [the number of] devices that were wide open to the Internet that would provide adversaries with considerable power and access not only for a breach, but -- for those who are skilled -- even to conduct malicious acts," Sam Glines, CEO of Norse, told us by phone.


Overall, the report found that the most frequently compromised types of health organizations were healthcare providers (in 72% of cases), followed by healthcare business partners (10%), health plans (6%), and pharmaceutical concerns (3%). Meanwhile, the list of compromised healthcare services and devices included VPN servers, surveillance cameras, radiology equipment, videoconferencing equipment, and home healthcare monitoring devices. "When we started seeing dialysis machines being used to conduct fraudulent credit card transactions a few months ago, we knew things were pretty bad," Glines said.

Device configuration errors undercut network security
When it comes to attackers being able to compromise healthcare networks, poorly configured devices are largely to blame, including not only VPN systems, but also VoIP servers. One example cited by Norse was an Internet-accessible VoIP system with a login page served over unencrypted HTTP, which would be susceptible to brute-force attacks, or to having a user's credentials sniffed if the site were accessed over public WiFi.

Many healthcare networks also appear to be using devices for which the default -- and publicly known -- admin usernames haven't been changed. In other cases, security administrators have failed to give each device a unique password.


For example, researchers found a "network infrastructure profile" document for a healthcare organization on -- a Pastebin-like site -- that "includes IP addresses of core networking infrastructure, firewalls, and even the patient health records system inside the organization," according to a research document shared by Norse. The document also reveals that both the organization's SonicWall firewall and SigmaSafe electronic health records (EHR) system -- among other systems -- are set to use their default admin usernames. In addition, they all share the same password, which ends with a six-number sequence that begins with the number one and ends with the number six.

Warning: Small office device vulnerabilities abound
But not every device vulnerability traces to poor password hygiene, according to research recently conducted by the security firm Tripwire. "We were looking through consumer routers -- primarily products that are marketed for home users, but which also make their way into real estate offices, small medical practices, car dealerships -- which are made with features in mind, but not really security in mind," Craig Young, a Tripwire security researcher, told us by phone.

In particular, Tripwire reviewed the 50 top-selling routers available on Amazon and found that at least 74% of them are vulnerable to some type of attack. Though Tripwire didn't get its hands on all those routers, 34% of them were vulnerable to attacks that had been published to exploit sites such as Exploit Database and Packet Storm. But another 40% sported vulnerabilities that Tripwire's researchers, with a bit of hands-on testing, were able to discover after investing only a modicum of time and energy.

Tripwire has notified the relevant vendors, but patches have yet to be issued for all the vulnerable devices. Furthermore, when patches are released, few device owners learn about them unless they happen to access their device's configuration screen and update the firmware. According to a recent survey conducted by Tripwire, 68% of consumers said they didn't know how to update the firmware on their wireless router.

Healthcare security is better than some industries
In the medical realm, of course, IT departments are meant to hold their business to a higher standard, and according to further research from Tripwire, the healthcare sector scores better than some industries -- though there's still substantial room for improvement.

For example, 76% of healthcare IT professionals surveyed by Tripwire reported that they'd changed the default IP address of their corporate wireless routers, versus an average of 59% of respondents overall. Only


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Marilyn Cohodas,
User Rank: Author
2/24/2014 | 12:44:22 PM
Re: Interesting points
And don't forget death by pacemaker malfunction in the first season of Homeland, which was based on real-world possibilities if you can believe Dick Cheney and other media reports.
User Rank: Author
2/24/2014 | 12:02:58 PM
Interesting points
Credit card fraud via dialysis machines? That sounds like a bad novel. The Windows XP embedded concerns apply to industries outside healthcare of course -- but as Mat points out, I'm not sure we even understand yet what bad actors will do once they have hacked medical records.
Drew Conry-Murray,
User Rank: Ninja
2/24/2014 | 10:17:02 AM
No Surprise
It's no surprise to find these kinds of configuration flaws and process problems. It can be hard to do security right, particularly for organizations that haven't considered themselves a target and haven't put the right resources into place. But healthcare is going to go through the same pains as enterprises and retailers.