One of the experts from Kaspersky Lab's Worldwide Research and Analysis Group conducted field hacking in a private clinic in an effort to find out possible security flaws and ways to deal with them. Vulnerabilities have been identified in medical devices that have "opened the door" to digital criminals for access to patients' personal data and, more broadly, to their "prosperity". 
Μια σύγχρονη κλινική είναι ένα πολύπλοκο σύστημα. Διαθέτει εξελιγμένες ιατρικές συσκευές που περιλαμβάνουν πλήρως λειτουργικούς υπολογιστές, με functional σύστημα και εγκατεστημένες εφαρμογές. Οι γιατροί βασίζονται στους ηλεκτρονικούς υπολογιστές και όλες οι πληροφορίες αποθηκεύονται σε ψηφιακή μορφή. Επιπλέον, όλες οι τεχνολογίες του τομέα της Υγείας είναι συνδεδεμένες στο Διαδίκτυο. Επομένως, δεν αποτελεί έκπληξη το γεγονός ότι και οι ιατρικές συσκευές και οι νοσοκομειακές υποδομές πληροφορικής έχουν υπάρξει και προηγουμένως στόχος των hacker. Τα πιο πρόσφατα παραδείγματα τέτοιων περιστατικών είναι οι επιθέσεις με ransomware προγράμματα εναντίον νοσοκομείων στις USA and Canada. However, a large-scale malicious attack is only one of the ways in which criminals could exploit the IT infrastructure of a modern hospital.
Clinics store their patients' personal information. They may also have in their possession and use very expensive, difficult to repair and replace equipment, features that make them a potentially valuable target for data blackmail and theft.
The result of a successful hacking against a medical organization could vary in detail, but it is always dangerous. Among other things, it could include the following:
- Malicious use of patient's personal data, such as the resale of information to third parties or the requirement for ransom payment by the clinic to retrieve sensitive information about patients
- Deliberate misrepresentation of exam results or diagnoses
- Damage to medical equipment that could cause both physical harm to patients and enormous financial losses in the clinic
- Negative impact on the reputation of a clinic
Report on the Internet
The first thing the Kaspersky Lab expert decided to investigate was understanding how many medical devices around the world are now connected to the Internet. Modern devices medicineThey are fully functional computers with their own operating system. At the same time, most of them have a communication channel with the Internet. By hacking them, criminals could affect their functionality.
A quick look at the Shodan search engine for Internet-connected devices has shown that hundreds of devices - from MRI to cardiology equipment, nuclear medicine devices and other related devices - are registered there. This discovery leads to worrying conclusions. Some of these devices still run old operating systems like Windows XP, which do not have the relevant patches for the vulnerabilities that have been discovered. Also, some of the devices still use the default passwords, which can be easily found in publicly accessible manuals.
Using these vulnerabilities, criminals could gain access to a device's interface and potentially affect how it works.
Inside the clinic's local network
The above scenario was one of the ways digital criminals could gain access to vital clinic infrastructure. But the most obvious and logical way is to try to attack its local network. During the investigation, a vulnerability was detected in the clinic's Wi-Fi connection. Through a weak communication protocol, access to the local network was obtained.
Investigating the local network of the clinic, the Kaspersky Lab expert identified some medical equipment previously found in Shodan. This time, however, to gain access to the equipment, no one needed a password, because the local network was a reliable network for medical equipment applications as well as for users. And that's the way a digital criminal can access a medical device.
Διερευνώντας περαιτέρω το δίκτυο, ο ειδικός της Kaspersky Lab ανακάλυψε μια νέα ευπάθεια σε μια εφαρμογή ιατρικής συσκευής. Ένα command shell υλοποιήθηκε στο περιβάλλον του χρήστη. Το τελευταίο θα μπορούσε να δώσει στους ψηφιακούς εγκληματίες πρόσβαση σε προσωπικές πληροφορίες των ασθενών, όπως το ιατρικό ιστορικό και πληροφορίες σχετικά με ιατρικές αναλύσεις, καθώς και τις διευθύνσεις τους και τα data ταυτότητας τους. Επιπλέον, μέσω αυτής της ευπάθειας θα μπορούσε να τεθεί σε κίνδυνο ολόκληρη η συσκευή που ελέγχεται μέσω της εφαρμογής αυτής. Για παράδειγμα, μεταξύ αυτών των συσκευών θα μπορούσαν να είναι μαγνητικοί τομογράφοι, καρδιολογικός εξοπλισμός, συσκευές πυρηνικής ιατρικής και χειρουργικός εξοπλισμός. Τι θα μπορούσε να επιφέρει αυτό; Πρώτον, οι εγκληματίες θα μπορούσαν να αλλάξουν τον τρόπο λειτουργίας της συσκευής και να προκαλέσουν σωματική βλάβη στους ασθενείς. Δεύτερον, οι εγκληματίες θα μπορούσαν να βλάψουν την ίδια τη συσκευή, προκαλώντας τεράστια οικονομική ζημία στο νοσοκομείο.
"Clinics no longer consist only of doctors and medical equipment, but also of IT services. The work of the internal security services of a clinic affects the security of the patient's data and the functionality of its devices. Manufacturers of medical software and equipment make great efforts to create a useful medical device that will save and protect human life, but sometimes they completely forget to protect them from unauthorized external access. When it comes to new technologies, security issues need to be addressed in the first stage of the Research and Development (R&D) process. "Security companies in the IT industry could help at this stage, helping to address security issues." commented Sergey Lozhkin, Senior Researcher, Kaspersky Lab's Global Research and Analysis Team.
Kaspersky Lab experts recommend the following measures for protection of clinics from unauthorized access:
- Use strong passwords to protect all external connection points
- Updating information security policies and developing early patch and vulnerability assessment systems
- Protect the applications of medical devices on the local network with passwords in the event of unauthorized access to the trusted site
- Protect infrastructure from threats such as malicious software and hacking attacks through a credible security solution
- Back up critical information on a regular basis and maintain an offline backup
More information about health insurance is available in a related blogpost, on the site Securelist.com.
