Security researchers claim that at least 68,000 medical systems — like MRI scanners and infusion systems — from a “large, unnamed US health group” are accessible online for hackers to attack.
Researchers Scott Erven and Mark Collao explained at hacking conference Derbyco that they were able to access the interfaces of many medical devices using the search engine Shodan, which hunts specifically for internet-connected devices. The pair explained that through smart searches they were able to build up a detailed picture of devices used by the particular health organisation, including details about where medical devices were in a particular building.
It’s not just device data that’s available, though: the team reports that they were able to identify “direct attack vectors,” that could be used to steal patient data from the devices, too.
The team also explained that for six months they ran software that purported to be an MRI and defibrillator, as a honey pot for hackers. Over that period they observed thousands of attempts to log-in to the devices and 299 attempts to instal malware upon them, suggesting the same thing happens in hospitals around the world. That could be a problem because, as Collao explained to The Register, “[medical devices] are all running Windows XP or XP service pack two … and probably don’t have antivirus because they are critical systems.”
It’s not, of course, the first time that the digital security of medical instruments has been called into question. Malware is said to be “rampant” in hospitals, and earlier this year it came to light that hackers could hijack drug infusion pumps. Clearly something needs to be done — but knowing where to start is perhaps the biggest problem.
Image by Philip Dean under Creative Commons licence.