back to article Thousands of 'directly hackable' hospital devices exposed online

Thousands of critical medical systems – including Magnetic Resonance Imaging machines and nuclear medicine devices – that are vulnerable to attack have been found exposed online. Security researchers Scott Erven and Mark Collao found, for one example, a "very large" unnamed US healthcare organization exposing more than 68,000 …

  1. chivo243 Silver badge

    All I can say is

    Clear!

  2. Ole Juul

    who's responsibility?

    all running Windows XP or XP service pack two

    Really? I don't travel in those circles, but surely this should be the land of QNX and *NIX variants. From this article it would appear that security hasn't even been a concern. Could it be that the buyers of medical equipment are not savvy enough to demand this?

    1. Rob Daglish

      Re: who's responsibility?

      Nope. XP Embedded on most of the kit I've seen, but some of the Carl Zeiss Meditec stuff has been upgraded to 7 now. My experience of working in healthcare was that people were more concerned with physical security (make sure no one can get into the room with the expensive equipment) than information security (make sure people can't access the expensive equipment over the network), but I'm sure all trusts varied.

      1. Sotorro
        Thumb Down

        Re: who's responsibility?

        Most hospitals I know are still in the process of copying 1984 physical paper data to disk.

        And with all the hospital staff installing/viewing games and facebitch etc on the hospital PC, it isn't too hard to get lateral movement inside the hospital LAN, once one PC is pwnd, especially when your password is in the top 10 like "god".

        No the machines that say "PING" are not really well protected against bitcoin-mining-scum, sadly.

  3. Crisp
    Flame

    That's bloody criminal!

    Do they not know or just not care? Either way it's only a matter of time before some radiology machine gets hacked and someone gets a lethal dose of radiation.

    It's not like they can plead poverty either. A decent IT staff costs a lot less than one doctor.

    1. Anonymous Coward
      Anonymous Coward

      Re: That's bloody criminal!

      Having worked in the NHS in IM&T, i'd note that we did not have any involvement in purchasing multi million pound scanners with a 30 odd year lifetime. Most of them run XP, however they are easily secured by putting them on their own little network with an air gap to the hospital network.

      Some newer machines have their own login pages which allows 3rd parties (eg GP practices or other hospitals) to connect to it with a username and password so they don't need prints developing and then posting through the NHS internal post, as they occasionally fail to reach the end destination. Cracking one username would only give access to scans that user was authorized for and you can't actually get any form of remote access to the machine in the worst case: only the data from it.

      In the UK it's impossible to get access to anything in a hospital directly over the internet because hospitals don't have a connection directly to the internet; only through N3 which is essentially a national VPN with a single large pipe to the outside internet with some very paranoid people watching traffic passing though.

      1. AndrewDu

        Re: That's bloody criminal!

        "In the UK it's impossible to get access to anything in a hospital directly over the internet because hospitals don't have a connection directly to the internet"

        Well that may be the design, but experience suggests it's not the end result.

        Hospital network has trusted connection to GP surgeries (because it's convenient, obviously), and GP surgery has lots of unpatched and unmanaged PC's running who-knows-what and administered by any old temp sent round that week by the admin staff agency (OK, I exaggerate, but only a bit), and naturally there's an unprotected internet connection somewhere, again because it's convenient, and there you are, job done.

        Complexity combined with complete absence of technical knowledge somewhere in the mess, and your nice clean design just disappeared down the tubes.

        I've been there, I know.

  4. DocJames

    Nice to have confirmation of expectations

    I'm not surprised; hospitals are complex places with all kinds of random bits of kit. The manufacturers are busy selling them to the clinicians who are interested in usability, quality etc. No idea about security as that's not a big (read: nonexistent) part of medical school (and certainly wasn't in the 70s and 80s when those who are currently the buyers were students).

    The IT staff are all trying to keep the system running; no time to consider security.

    It's all very security through obscurity.

    1. Nick Ryan Silver badge

      Re: Nice to have confirmation of expectations

      True. The intersting point as well is that many of the systems supplied into hospitals are/were designed as utility systems and are not expected to be connected to the Internet. Unfortunately the lure and convenience of network connectivity for devices to communicate is strong and therefore many of these devices had network connectivity patched in later. Again, not the most serious of issues when within a trusted network however as soon as even one node is the network is not trusted, the entire house of cards falls down.

      There is also the very real point that these systems were sold to solve a problem, not sold as an ongoing maintenance burden for OSes to be continually updated, applications supported and defences put in place for changing connectivity. As such, many are "sell, install and forget" type systems.

      For what it's worth, when I was in this industry one of the first things I did was insist that our systems (often private networks) were segregated from the wider network through a hardware firewall which only permitted specific communictions through. While this doesn't protect our internal network from the situation where an engineer introduces a virus to one of the systems, it does protect the wider network. Many thanks to MS and their virus deployment auto-run scheme which even if you turned the bastard off, still auto-ran unless you had XP SP3 installed. Gits. However our internal network was also safe from whatever unpleasant things happened elsewhere and given the state of much of what we saw, we were very happy to be segregated.

      1. Peter2 Silver badge

        Re: Nice to have confirmation of expectations

        Re:- XP SP3 security- just use a software restriction policy and lock down anything whatsoever from executing outside of the required directories on the machine. Completely removes any danger from users being idiots.

        It's quick, easy and doesn't need anything that didn't come with windows and makes the box very secure if combined with a hardware firewall between the box and the network.

  5. buckyball

    Medical devices

    Are hard to develop and have steep hurdles to overcome in terms of safety and compliance testing before they can flog^h^h^h^h market them. Changes must likewise be scrutinized before release.

    I agree with earlier poster that questions the suitability of WinX for the task.

  6. cantankerous swineherd

    issues of informed consent here, anyone for radiotherapy?

  7. Doctor Syntax Silver badge

    Apart from anything else it would appear that if these devices are accessible on IPv4 addresses then the organisation has a stock of those addresses that it doesn't need. Given the shortage I'd have thought that their beancounters would have seen an opportunity here.

  8. Zog_but_not_the_first
    Facepalm

    Back-footed

    I was going to snark "To stop this - privatise the NHS immediately!" then I saw who the target was.

  9. ZSn

    MRI is NMR

    Not sure about your terminology when you say nuclear then NMR then MRI - you do know that MRI is just the same thing as NMR without the dreaded nuclear word. This just keeps the tree huggers happy because nuclear in this context does not mean radioactive but the tree huggers don't understand e that.

  10. pixelgeek
    Coffee/keyboard

    Would that it were true

    @ZSn There IS a subtle diference between the two. Due to that NMR tends to be used to analyse composition of materials We use one for this in the Faculty of Science where I work. We also have a small working MRI in the Physics department to demonstrate *it's* principles. see this URL http://www.physlink.com/Education/AskExperts/ae359.cfm

    Sadly Instrument makers world wide sell machines coupled with a computer running XP as a sales tactic in my view to get companies to buy newer equipment. Usually about 18 months after an instrument/device is purchased it, or the O/S that connects to it goes out of date but will not be warrantied unless the company supplies it. Thus you get charges of $11,000 for a replacement computer. and thats cheap and if you want to stay on XP. I've heard of $70,000 being charged for a computer.

    Upgrading to Win 7 or above can mean a whole new multi-million dollar instrument/device as well.

  11. Henry Wertz 1 Gold badge

    Why are these on the open internet?!?

    Title says it -- why are these on the open internet?!?

    Quite simply, specialized equipment (medical instruments, scientific instruments, "car computer" some auto shops have, to name 3...) should never be placed on the public internet. The OS itself will become increasingly out-of-date, and unlikely to have vendor patches for known vulnerabilities. And the application code, if it's fully custom it may or may not be following secure programming practices. If the application relies on some standardized libraries or web platforms or whatever, there could be more and more known exploits for these over time, which (again) may not ever be patched. You also don't have to worry about someone figuring out your admin password in bigguy 8-). I thought everyone knew this, I'm surprised to read about significant amount of hospital gear online.

    I've heard of newer equipment using Linux instead. I'd expect the Linux install itself to be plenty secure but if the device has any web access, or administrative port, or whatever open, you are then still at the mercy of whatever application code the device uses, and if this is secure or not. Of course out of the box security won't help if your password's bigguy 8-) . So needless to say I still would not put it directly online.

    1. toughluck

      Re: Why are these on the open internet?!?

      +1 for this. If it's on the open internet, why isn't there any form of two-factor authentication? Suppose you need a technician to dial into a device to do maintenance/collect data/whatever. Why not do it with an old-fashioned modem that you plug in only when needed? If it needs to be Ethernet, why not just unplug it when it's not needed and plug it back once it is, then unplug it again after it's no longer needed.

      That's just common sense, which is sorely lacking if somebody thinks it's a good idea to leave it open -- on the internet of all places. I could, but just barely, accept it open on the intranet with a gateway server somewhere (but with no default password, and with the intranet secured by a separate password).

      FFS, it's just complete basics!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like