How he hacked a hospital

By Digital News Asia March 29, 2016

Kaspersky Lab expert finds security weaknesses in health IT
Some systems and devices still running on Windows XP

KASPERSKY Lab said an expert from its Global Research & Analysis Team (GREAT) has conducted real field research at a private clinic in an attempt to explore its security weaknesses and how to address them.

Vulnerabilities were found in medical devices that opened a door for cybercriminals to access the personal data of patients, as well as their physical well-being, the company said in a statement.

A modern clinic is a complicated system, Kaspersky Lab noted. It has sophisticated medical devices that comprise fully functional computers with an operating system and applications installed on them.

Doctors rely on computers, and all information is stored in a digital format.

In addition, all healthcare technologies are connected to the Internet, so it comes as no surprise that both medical devices and hospital IT infrastructure have previously been targeted by hackers, the company said.

The most recent examples of such incidents are ransomware attacks against hospitals in Canada and the United States.

But a massive malicious attack is only one way in which criminals could exploit the IT infrastructure of a modern hospital, Kaspersky Lab said.

Clinics store personal information about their patients. They also own and use very expensive, hard to fix and replace equipment, which makes them a potentially valuable target for extortion and data theft.

The outcome of a successful cyberattack against a medical organisation could differ in detail but will always be dangerous, the company said.

The attack could involve the following:

The felonious use of personal patient data: The resale of information to third parties or demanding the clinic pay a ransom to get back sensitive information about patients;

The intentional falsification of patient results or diagnoses;

Medical equipment damage may cause both physical damage to patients and huge financial losses to a clinic; and

Negative impact on the reputation of a clinic.

“Clinics are no longer only doctors and medical equipment, but IT services too,” said GREAT senior researcher Sergey Lozhkin.

“The work of a clinic’s internal security services affects the safety of patient data and the functionality of its devices.

“Medical software and equipment engineers put a lot of effort into creating a useful medical device that will save and protect human life, but they sometimes completely forget about protecting it from unauthorised external access,” he added.

Exposure to the Internet

The first thing that the Kaspersky Lab expert decided to explore, while conducting this research, was to understand how many medical devices around the globe are now connected to the Internet.

Modern medical devices are fully-functional computers with an operating system and most of these have a communication channel to the Internet. By hacking them, criminals could interfere with their functionality.

A quick look over the Shodan search engine for Internet-connected devices showed hundreds of devices – from MRI (magnetic resonance imaging) scanners to cardiology equipment, radioactive medical equipment and other related devices – are registered there.

This discovery leads to worrisome conclusions – some of these devices still work on old operating systems such as Windows XP, with unpatched vulnerabilities, and some even use default passwords that can be easily found in public manuals.

Using these vulnerabilities criminals could access a device interface and potentially affect the way it works.

Inside the local network

The above-mentioned scenario was one of the ways in which cybercriminals could get access to the clinic’s critical infrastructure.

But the most obvious and logical way is to try to attack its local network, and sure enough, during the research, a vulnerability was found in the clinic’s WiFi connection – a weak communications protocol that allowed access to the local network.

Exploring the local clinic’s network, the Kaspersky Lab expert found some medical equipment that was previously found on Shodan.

This time however, to get access to the equipment one didn’t need any password at all because the local network was a trusted network for medical equipment applications and users.

This is how a cybercriminal can gain access to a medical device, the company said.

Further exploring the network, the Kaspersky Lab expert discovered a new vulnerability in a medical device application. A command shell was implemented in the user’s interface that could give cybercriminals access to personal patient information, including their clinical history and information about medical analysis, as well as their addresses and ID (identity) details.

Moreover, through this vulnerability, the whole device controlled with this application could be compromised, Kaspersky Lab argued.

For example, among these devices could be MRI scanners, cardiology equipment, radioactive and surgical equipment. Firstly, criminals could alter the way the device works and cause physical damage to the patients. Secondly, criminals could damage the device itself at immense cost to the hospital.

Kaspersky Lab experts recommend implementing the following measures to protect clinics from unauthorised access: