Hospitals are too easy to hack, warns Kaspersky

News
16 Feb, 2016

But they have time to do a security health check and cure the flaws in connected medical devices

Hospitals are easy to hack – but that does not mean they are being actively targeted.

As more medical devices become connected to the internet, concerns around the consequences if they are hacked increase.

Indeed, the US FDA recently warned against a specific intravenous pump over hacking fears, while UK Chancellor George Osborne spoke last year of an alleged risk of terrorist cyber attacks on UK hospitals.

Sergey Lozhkin, a researcher at Kaspersky Lab, decided to test the theory that medical devices are easy to access from the web, noting how much modern doctors rely on medical technology.

“It’s a matter of trust,” he said, speaking at his company’s annual Security Analyst Summit in Tenerife last week.  “If there is a vulnerability in medical equipment, a really good doctor could make the wrong decision, even if he’s the best doctor.”

He searched online for medical equipment connecting to the internet from each hospital, finding plenty of leaks at a facility a friend of his worked at, including links to a web application from Siemens that let you log in to see data held by various equipment, then configure those devices.

Lozhkin did not need to hack that app, he said, because default passwords available in the manual were still in use, but said that the app itself did not have any vulnerabilities aside from being poorly configured.

The researcher drove over to the hospital, cracked the poorly configured Wi-Fi, and said he could have used the network access to view any machine in the building, from payment systems to MRI devices.

Not only could he see patient information, including image files of scans, but the software for the MRI gave access to a CShell scripting environment with no password or other security, letting him configure the machine – something doctors would never need to do, and something that should not be allowed, he said.

In short, it was “scary” how easy it was for Lozhkin to hack his own hospital. But how many hackers are actually targeting such data?

Hospital hack honeypot

Scott Erven, associate director at Protiviti, has been investigating that question for years. His latest research set up honeypots - fake hospitals with spoofed equipment - to see how many people tried to access them.

“It looks exactly like an actual system,” he said, noting Lozhkin came across a honeypot in his own research, and Erven could not help wondering if it was one of his own.

His fake equipment saw 55,000 successful logins using default or obvious credentials (think admin/admin), as well as “honey creds” - unique usernames and IDs - that were dropped on hacker forums to see if anyone used them, which happened eight times. There were also 25 intrusions that used vulnerabilities to access the system, and 300 unique malware samples that were dropped on the machines.

However, such activity was, as far as he could tell, bots searching for weak points in the web to scrape up credit card details, he told IT Pro on the sidelines of the conference.

“We didn’t see any indication that there were intentional, targeted attacks because it was a medical device,” Erven explained. “It’s random noise, it’s a bot, they’re going for credit card data, and they look for a vulnerability scanning the entire internet. It just gets caught up because it’s an XP system.”

In other words, over six months with ten honeypots, there were no attackers that appeared to be actively targeting his fake hospitals looking for medical data. That may be because such data is not easy to sell – it could be used for blackmail, and altering medical equipment could have dangerous effects, but hackers do not seem too keen on such activity yet.

“We didn’t see any indication that they had any idea of what kind of system they were on,” he said.

Erven said that while this is good news, there are still concerns. To start with, none of those devices have forensic evidence capture – they do not have logs – so if a targeted attack did happen, it would be difficult to spot. For example, the malware looking for credit card data could have triggered an unexpected response – such as shutting off a pump – and there would be no way of knowing.

Also, there is wider evidence that leaked medical data is being used to blackmail either patients or manufacturers, he said.

Hackers may be slow to target hospitals, giving them time to improve the situation. That is not easy as medical equipment faces a slow regulatory process and is in use for many years, but Erven said hospitals can start by removing the most dangerous equipment from external networks, telling IT to remove default credentials, improving Wi-Fi security, and only buying more secure equipment going forward.