A security expert has revealed how easily cybercriminals could access patient data from hospitals and private clinics.
The unnamed member of Kaspersky Lab’s research team also discovered vulnerabilities that would allow cybercriminals to alter the way medical devices work, causing physical damage to patients and immense cost to the hospital.
Hackers have recently committed ransomware attacks against hospitals in the US and Canada. However, a large-scale malicious attack is only one of the ways in which criminals could exploit the IT infrastructure of a modern hospital.
Clinics store personal information about their patients. They also use very expensive equipment that is hard to fix and replace, which makes them a valuable target for extortion and data theft.
The first thing that the Kaspersky Lab expert decided to explore, while conducting this research, was how many medical devices around the globe are now connected to the internet.
Modern medical devices are fully functional computers with an operating system, and most of them have a communication channel to the internet. By hacking them, criminals could interfere with their functionality.
A quick look over the Shodan search engine for internet-connected devices showed hundreds of devices – from MRI scanners to cardiology equipment, radioactive medical equipment and other related devices.
This discovery leads to worrisome conclusions, as some of these devices still run on old operating systems such as Windows XP, which have unpatched vulnerabilities, and some even use default passwords that can be easily found in public manuals.
Using these vulnerabilities, criminals could access a device interface and potentially affect the way it works.
This is one of the ways cybercriminals could gain access to the clinic’s critical infrastructure, but the most obvious and logical way is to try to attack its local network.
During the research, a vulnerability was found in the clinic’s Wi-Fi connection. Through a weak communications protocol, access to the local network was gained.
Exploring the clinic’s local network, the security expert found some of the medical equipment that had previously been found on Shodan.
This time, however, to get access to the equipment, a password wasn’t required because the local network was a trusted network for medical equipment applications and users. This is how a cybercriminal can gain access to a medical device.
Further exploring the network, the researcher discovered a new vulnerability in a medical device application. A command shell was implemented in the user interface that could give cybercriminals access to personal patient information, including their clinical history, medical information, addresses and ID details.
Through this vulnerability, the whole device controlled with this application could be compromised. Such devices could include MRI scanners, cardiology equipment, radioactive and surgical equipment.
Firstly, cybercriminals could alter the way the device works and cause physical damage to the patients. Secondly, they could potentially damage the device itself at significant cost to the hospital.
“Clinics are no longer only doctors and medical equipment, but IT services too,” said Sergey Lozhkin, senior researcher at Kaspersky Lab. “The work of a clinic’s internal security services affects the safety of patient data and the functionality of its devices.
“Medical software and equipment engineers put a lot of effort into creating a useful medical device that will save and protect human life, but they sometimes completely forget about protecting it from unauthorised external access.
“When it comes to new technologies, safety issues should be addressed at the first stage of the research and development process. IT security companies could help at this stage to address safety issues.”