Connecting devices without thinking hits healthcare

Security basics fail to be ticked off as medical devices are hooked up and left open to the internet.

With medical devices failing to be secured, and attacks increasing by over 210 percent year-on-year according to McAfee, it would seem there really has never been a better time to want to hack medical equipment.

Writing in a blog post earlier this week, McAfee lead scientist and senior principal engineer Christiaan Beek detailed how easy it was to find medical imaging systems left open to the entire internet.

"Our eyebrows began to rise very early in our research, as we came across 'IE 6 support only' messages or ActiveX controls and old Java support; many of these products are vulnerable to a plethora of exploits," Beek said.

The security researcher said it was not only easy to find the outdated and exploitable software that many systems were using, but that some systems left their management interfaces open to the world.

Add into the mix the use of default passwords, unencrypted traffic between servers and clients, cross-site scripting, and remote creation of admin accounts, and one gets a glimpse of the security horror in wait for the medical industry.


After chaining enough vulnerable systems and exposed data together, Beek was able to print a 3D model of patients' body parts.

"When we began our investigation into the security status of medical imaging systems, we never expected we would conclude by reconstructing body parts," Beek said. "The amount of old software used ... and the amount of vulnerabilities discovered within the software itself are concerning.

"We investigated relatively few open-source vendors, but it begs the question: What more could we have found if we had access to professional hardware and software?"

Beek's sentiment was echoed by Cisco ANZ director of Enterprise Networking Rob De Nicolo, who told TechRepublic last week that organisations connecting all sorts of devices is scary.

"If you are hooked up to an infusion pump which is administering drugs to you, it would have traditionally been standalone; now that is connected to the IT network, it's communicating with the meds management database, which is telling it what dosage of drug to actually give you, and it all happens in an automated fashion," he said at Cisco Live in Melbourne.

"Patient-monitoring device, it's all fully connected these days, radiology [is] all fully connected, electronic health record, all this stuff, it's connected and in many cases, very, very mobile as well."


According to De Nicolo, as much as healthcare is being changed by technology, there seems to be not enough thought given to the infrastructure that these devices are sitting upon.

"That's probably the scariest thing for me, people connecting stuff, and not necessarily thinking about the implications on the changing requirements that sit behind it," he told TechRepublic.

"A lot of these new devices aren't necessarily well-understood — so people don't necessarily have a really good understanding of what this thing does on the network. It's very hard to baseline its behaviour to know when it is operating as it should and when it is not."

With health commonly being the victim of governmental budget cuts in the developed world, it's hard to break out of the cycle of keeping the lights on and to rethink how the network is built and run. De Nicolo said awareness was crucial because a lot of people don't realise how at risk they are.

"All of this stuff requires a rethinking of the way the network is actually built, and the way it is actually run, and the way it is secured," he said.

Practically, Beek had some advice to help administrators in the health sector.

"Employ a proper network design in which the sharing systems are properly secured," he said. "Think not only about internal security but also about the use of VPNs and two-factor authentication when connecting with external systems."

Disclosure: Chris Duckett travelled to Melbourne as a guest of Cisco.


About Chris Duckett

Some would say that it is a long way from software engineering to journalism, others would correctly argue that it is a mere 10 metres according to the floor plan. During his first five years with CBS Interactive, Chris started his journalistic advent...
