Who wants to be hooked up to a kidney dialysis machine that's been compromised by fraudsters?
That's one alarming prospect facing hospital-goers, according to a "Healthcare Cyberthreat Report" published this week by the SANS Institute (registration required). The study is based on data collected from September 2012 to October 2013 by the security vendor Norse via millions of endpoint sensors and honeypots located in enterprise networks, large-scale datacenters, and major Internet exchanges. It reveals widespread configuration and patching problems on healthcare networks, as well as other fundamental information security errors.
As a result, during that 13-month period, researchers found evidence that 375 different healthcare networks had been compromised by attackers. "We were shocked at [the number of] devices that were wide open to the Internet that would provide adversaries with considerable power and access not only for a breach, but -- for those who are skilled -- even to conduct malicious acts," Sam Glines, CEO of Norse, told us by phone.
Overall, the report found that the most frequently compromised types of health organizations were healthcare providers (in 72% of cases), followed by healthcare business partners (10%), health plans (6%), and pharmaceutical concerns (3%). Meanwhile, the list of compromised healthcare services and devices included VPN servers, surveillance cameras, radiology equipment, videoconferencing equipment, and home healthcare monitoring devices. "When we started seeing dialysis machines being used to conduct fraudulent credit card transactions a few months ago, we knew things were pretty bad," Glines said.
Device configuration errors undercut network security
When it comes to attackers being able to compromise healthcare networks, poorly configured devices are largely to blame, including not only VPN systems, but also VoIP servers. One example cited by Norse was an Internet-accessible VoIP system with an HTTP login page, which would be susceptible to brute-force attacks, or to having a user's credentials sniffed if the site were accessed over public WiFi.
Many healthcare networks also appear to be using devices for which the default -- and publicly known -- admin usernames haven't been changed. In other cases, security administrators have failed to give each device a unique password.
For example, researchers found a "network infrastructure profile" document for a healthcare organization on 4shared.com -- a Pastebin-like site -- that "includes IP addresses of core networking infrastructure, firewalls, and even the patient health records system inside the organization," according to a research document shared by Norse. The document also reveals that both the organization's SonicWall firewall and SigmaSafe electronic health records (EHR) system -- among other systems -- are set to use their default admin usernames. In addition, they all share the same password, which ends with a six-digit sequence running from one to six.
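The three credential failures described in this section -- vendor-default admin usernames left in place, one password reused across every device, and a password ending in an easily guessed run of sequential digits -- are exactly what an inventory audit should catch before a leaked profile document does. The script below is an added example written for this article, not code from Norse, SANS or Tripwire; the device inventory, the table of usernames treated as vendor defaults, and the device names are all constructed, and a real audit would load them from the organisation's own configuration management records.

```python
"""Audit a device inventory for the credential-hygiene failures the
report describes: default admin usernames, a password shared across
devices, and passwords ending in sequential digits.

Everything below (inventory, default-username table, device names) is
constructed sample data for this example, not data from the report."""
import re
from collections import defaultdict

# Constructed: usernames assumed here to be vendor defaults. A real audit
# would build this set from each vendor's documentation for the
# specific models in the inventory.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "sysadmin"}

# Constructed sample inventory mirroring the pattern in the leaked
# profile (shared password, default usernames) without any real data.
INVENTORY = [
    {"device": "edge-firewall", "kind": "firewall",
     "username": "admin", "password": "Clinic!123456"},
    {"device": "ehr-app-01", "kind": "ehr",
     "username": "admin", "password": "Clinic!123456"},
    {"device": "voip-pbx", "kind": "voip",
     "username": "pbxsvc", "password": "Clinic!123456"},
    {"device": "rad-modality-2", "kind": "radiology",
     "username": "svc_rad", "password": "x9#Qm2vL!pT4wZ"},
]

SEQUENTIAL_DIGITS = "0123456789"


def ends_with_sequential_digits(password, min_len=4):
    """True when the password ends in a run of at least min_len digits
    that ascend consecutively (e.g. '...123456'), a suffix that password
    guessers try very early."""
    match = re.search(r"\d+$", password)
    if not match or len(match.group()) < min_len:
        return False
    return match.group() in SEQUENTIAL_DIGITS


def audit(inventory, defaults=DEFAULT_USERNAMES):
    """Return sorted (device, finding, detail) tuples. Passwords are never
    placed in the findings; shared-password findings list the peer
    devices instead so the report is safe to circulate."""
    findings = []
    devices_by_password = defaultdict(list)
    for entry in inventory:
        name = entry["device"]
        if entry["username"].lower() in defaults:
            findings.append((name, "default-username", entry["username"]))
        if ends_with_sequential_digits(entry["password"]):
            findings.append((name, "sequential-digit-suffix", ""))
        devices_by_password[entry["password"]].append(name)
    for peers in devices_by_password.values():
        if len(peers) > 1:
            for name in peers:
                others = sorted(p for p in peers if p != name)
                findings.append((name, "shared-password", ",".join(others)))
    return sorted(findings)


def summarize(findings):
    """Count findings per category, e.g. {'shared-password': 3, ...}."""
    counts = defaultdict(int)
    for _, category, _ in findings:
        counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit(INVENTORY)
    for device, category, detail in results:
        print(f"{device:16} {category:24} {detail}")
    print(summarize(results))
```

Run against the constructed inventory, the audit flags the firewall and EHR server for default usernames, all three devices that share the password for reuse, and the same three for the sequential-digit suffix; only the radiology device, with a unique non-default credential, comes back clean. The findings deliberately omit the passwords themselves so the output can be handed to whoever owns remediation without creating a second leaked credential list.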
Warning: Small office device vulnerabilities abound
But not every device vulnerability traces to poor password hygiene, according to research recently conducted by the security firm Tripwire. "We were looking through consumer routers -- primarily products that are marketed for home users, but which also make their way into real estate offices, small medical practices, car dealerships -- which are made with features in mind, but not really security in mind," Craig Young, a Tripwire security researcher, told us by phone.
In particular, Tripwire reviewed the 50 top-selling routers available on Amazon and found that at least 74% of them are vulnerable to some type of attack. Though Tripwire didn't get its hands on all those routers, 34% of them were vulnerable to attacks that had been published to exploit sites such as Exploit Database and Packet Storm. But another 40% sported vulnerabilities that Tripwire's researchers, with a bit of hands-on testing, were able to discover after investing only a modicum of time and energy.
Tripwire has notified the relevant vendors, but patches have yet to be issued for all the vulnerable devices. Furthermore, when patches are released, few device owners learn about them unless they happen to access their device's configuration screen and update the firmware. According to a recent survey conducted by Tripwire, 68% of consumers said they didn't know how to update the firmware on their wireless router.
Healthcare security is better than some industries
In the medical realm, of course, IT departments are meant to hold their business to a higher standard, and according to further research from Tripwire, the healthcare sector scores better than some industries -- though there's still substantial room for improvement.
For example, 76% of healthcare IT professionals surveyed by Tripwire reported that they'd changed the default IP address of their corporate wireless routers, versus an average of 59% of respondents overall. Only