Thousands of 'directly hackable' hospital devices exposed online
Hackers make 55,416 logins to MRIs, defibrillator honeypots
Thousands of critical medical systems – including Magnetic Resonance Imaging machines and nuclear medicine devices – that are vulnerable to attack have been found exposed online. Security researchers Scott Erven and Mark Collao found, for one example, a "very large" unnamed US healthcare organization exposing more than 68,000 medical systems. That US org has some 12,000 staff and 3,000 physicians.
Exposed were 21 anaesthesia, 488 cardiology, 67 nuclear medical, and 133 infusion systems, along with 31 pacemakers, 97 MRI scanners, and 323 pieces of picture archiving and communications gear. The healthcare org was merely one of "thousands" with equipment discoverable through Shodan, a search engine for things on the public internet. Erven, an associate director at Protiviti who has five years of experience specifically securing medical devices, said critical hospital machinery is at the fingertips of miscreants.
"Once we start changing [Shodan search terms] to target speciality clinics like radiology or podiatry or paediatrics, we ended up with thousands with misconfiguration and direct attack vectors," Erven said. "Not only could your data get stolen but there are profound impacts to patient privacy." Collao, of security consultancy NeoHapsis, said exposed networking gear and admin computers let attackers build up detailed intelligence on healthcare orgs, including the floors on which certain medical devices are housed...