Sign up to our newsletter
Security researchers have discovered that vulnerabilities in thousands of critical medical systems have been disclosed online.
The Register reported that Scott Erven, from Protiviti, and Mark Collao, from NeoHapsis, found that many of these machines are at serious risk of being easily exploited by attackers.
One particularly severe example documented by the experts concerned a “very large” US healthcare organization, whose name remains undisclosed for obvious reasons.
Through Shodan, which describes itself as “the world’s first computer search engine that allows you to search the internet for computers”, they found that up to 68,000 of its medical systems had been revealed.
The fact that thousands of other institutions have similarly had their vulnerable equipment effectively put on display suggests that this is an important and timely finding.
“Once we start changing [Shodan search terms] to target speciality clinics like radiology or podiatry or paediatrics, we ended up with thousands with misconfiguration and direct attack vectors,” Mr. Erven told the online news provider.“Not only could your data get stolen but there are profound impacts to patient privacy.”
“Not only could your data get stolen but there are profound impacts to patient privacy.”
Mr. Collao added that cybercriminals with access to such information could theoretically generate comprehensive intelligence on healthcare organizations.
So detailed could such insight be that they could even know what floor certain types of equipment and computers were based.
He commented that part of the vulnerability associated with medical-specific machines is down to their dated operating system.
Many are still using older versions of Windows, such as the now discontinued XP, which leaves them open to multiple attacks.
This is an apparently widespread problem in medical spheres, as WeLiveSecurity documented last month.
The security blogger Graham Cluley commented: “In short, if you’re still running Windows XP you’re not just taking an enormous risk, you’re being – in my opinion – negligent.”
For more detail, please check out the video below, which is of the presentation that Mr. Erven Mr. Collao gave on their findings.
Author Karl Thomas, ESET