White hack exposes risk posed by connected devices

  • 31 May 2016
White hack exposes risk posed by connected devices

An ethical hack by an IT security provider of a private health clinic’s IT system has highlighted the vulnerability of internet connected medical devices.

The hackers, from Kaspersky Lab, were able to take control of medical devices and to hack the electronic patient record.

They say that this vulnerability could open the door to cyber criminals not only to lock down sensitive data and demand a ransom to unlock it but also alter it.

Kaspersky Lab Global Research and Analysis Team worked with the unnamed clinic to test the IT security. The research team used the Shodan search engine to identify hundreds of internet-connected devices – including MRI scanners and cardiology equipment.

Some of these devices were working on old operating systems such as Windows XP and had unpatched vulnerabilities. Some even used default passwords that appear in publicly available user manuals.

The team went on to gain access to the clinic’s network by exploiting a vulnerability in the wi-fi connection.

In a statement, the team explained: “Exploring the local clinic’s network, the Kaspersky Lab expert found some medical equipment that was previously found on Shodan.

“This time, however, to get access to the equipment, a password wasn’t required at all because the local network was a trusted network for medical equipment applications and users. This is how a cybercriminal can gain access to a medical device.

“Further exploring the network, the Kaspersky Lab expert discovered a new vulnerability in a medical device application.

“A command shell was implemented in the user’s interface that could give cybercriminals access to personal patient information, including their clinical history and information about medical analysis, as well as their addresses and ID details.

“Moreover, through this vulnerability, the whole device controlled with this application could be compromised. For example, among these devices could be MRI scanners, cardiology equipment, radioactive and surgical equipment.

“Firstly, cybercriminals could alter the way the device works and cause physical damage to the patients. Secondly, they could potentially damage the device itself at immense cost to the hospital.”

David Emm, principal security researcher at Kaspersky Lab, said the hack had highlighted vulnerabilities that could have devastating consequences if exploited by cyber criminals.

He said: “Cyber-criminals can exploit software vulnerabilities to steal patients’ data or infect the network with malware.

“Hackers can also alter the data in the patients’ electronic health records: turn a healthy person into a sick one or vice versa. They can change some test results or dose strength — and that can seriously damage patients’ health.

“It’s also possible to adjust medical devices in the wrong way and thereby break expensive equipment or — once again — hurt the patients who undergo treatment with the help of these machines.”

In the second of his columns for the Digital Health Cyber Security Hub, Davey Winder explores the risks posed by the Internet of Medical Things. Read about the scale of the challenge in features.

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

Two more Liverpool hospitals impacted by Alder Hey cyber attack

Two more Liverpool hospitals impacted by Alder Hey cyber attack

Alder Hey Children's NHS Foundation Trust has announced that the cyber attack it suffered last week has impacted two more hospitals.
Major cyber security incident declared at Merseyside hospital

Major cyber security incident declared at Merseyside hospital

A “major incident” has been declared at Wirral University Teaching Hospital NHS Foundation Trust “for cyber security reasons”.
Barts Health rolls out Cynerio cyber security platform

Barts Health rolls out Cynerio cyber security platform

Barts Health NHS Trust has rolled out Cynerio’s healthcare-focused cyber security platform across all of its sites.