Thousands of healthcare organizations around the world, along with the medical devices and equipment that connect to their systems, are leaving themselves open to cyber attacks because of a crucial misconfiguration of a network security protocol.
Hospitals and healthcare organizations around the world are leaking data for hackers to exploit due to lax or careless network security, according to a recent Wired report.
Leaking data could lead to theft of confidential patient data and the hacking of life-saving medical devices and equipment connected to a vulnerable network.
An investigation by Essentia Health security analysts Scott Erven and Shawn Merdinger revealed that a network protocol called Server Message Block (SMB) have not been configured properly by network administrators of many hospitals.
SMB assigns a unique number to a system or device, and allows easy internal communication between these systems. But instead of limiting connections to a private, internal network, Erven and Merdinger said that the misconfiguration broadcasts data externally for outsiders to see.
Hackers could exploit the flaw and sneak into a hospital network’s system to locate devices and systems, and then initiate nefarious activities that jeopardize patients’ lives.
Through this, they could steal sensitive data such as patient records. They could also control medical devices - disabling them or causing them to malfunction.
For example, a defibrillator can be tampered with remotely so it delivers inappropriate shocks, or no shocks at all. Infusion pumps can underdose or overdose patients, monitors can go blank, and ICU and telemetry systems can go haywire.
“Now we know all the targeted info and we know that systems that are publicly connected to the internet are vulnerable to the exploit,”
Scott Erven, Manager, Information Security at Essentia Health, told Wired.
“We can exploit them with no user interaction… [then] pivot directly at the medical devices that you want to attack.”
In one particular case involving an unidentified large healthcare organization with 3,000 doctors and 2,000 other workers, the two analysts found out that the organization’s network was leaking data from up to 68,000 systems connected to its supposedly secure network.
Erven and Merdinger soon found out the same problem with thousands of hospitals around the world. Moreover, they also found much other vulnerability plaguing hospitals, such as computer worms persisting in older computer systems.
“We started running organization searches to identify hospitals, clinics, and other medical facilities and we quickly realized this is a global health care organization issue,”
Erven told Wired.
“This is thousands of organizations [that are leaking this information] across the world.”
“It goes to show that health care [organizations are] very sloppy in configuring their external edge networks and are not really taking security seriously.”
While laws such as HIPAA (Health Information Portability and Accountability) and HITECH (Health Information Technology for Economic and Clinical Health) in the United States, and similar regulations abroad, seek to protect sensitive personal health information, Erven said network security teams at healthcare organizations need to “conduct penetration testing and vulnerability maintenance to really test their systems,” just like what their counterparts do at banks and financial institutions.
Security flaws affecting many industries, including healthcare, have been exposed in recent months.
Earlier, the Heartbleed bug was discovered to have left many Web-based health applications - patient portals, physician websites, remote patient monitoring systems, telemedicine applications, medical devices, insurance exchanges, health apps, and cloud-based electronic health records - susceptible to cyber attacks.
Last year, the U.S. HealthCare.gov website was found to be vulnerable to hackers who could “steal personal information, modify data or attack the personal computers of the website’s users,” and “damage the infrastructure of the site,” according to a Reuters article.
The U.S. Food and Drug Administration (FDA) had earlier released an advisory urging hospitals, healthcare organizations and manufacturers of medical devices to shore up their computer security defenses against cyber threats, following a spate of threats involving “hundreds of medical devices” and hospital networks infected with malware and viruses.
