One of the experts from Kaspersky Lab's Worldwide Research and Analysis Group conducted field hacking in a private clinic in an effort to find out possible security flaws and ways to deal with them. Vulnerabilities have been identified in medical devices that have "opened the door" to digital criminals for access to patients' personal data and, more broadly, to their "prosperity". 
A modern clinic is a complex one system. Διαθέτει εξελιγμένες ιατρικές συσκευές που περιλαμβάνουν πλήρως λειτουργικούς υπολογιστές, με functional system and installed applications. Doctors rely on computers and all information is stored in digital form. In addition, all technologies in the Healthcare sector are connected to the Internet. So it's no surprise that both medical devices and hospital IT infrastructures have been targeted by hackers before. The most recent examples of such incidents are the ransomware attacks against hospitals in USA and Canada. However, a large-scale malicious attack is only one of the ways in which criminals could exploit the IT infrastructure of a modern hospital.
Clinics store their patients' personal information. They may also have in their possession and use very expensive, difficult to repair and replace equipment, features that make them a potentially valuable target for data blackmail and theft.
The result of a successful hacking against a medical organization could vary in detail, but it is always dangerous. Among other things, it could include the following:
- Malicious use of patient's personal data, such as the resale of information to third parties or the requirement for ransom payment by the clinic to retrieve sensitive information about patients
- Deliberate misrepresentation of exam results or diagnoses
- Damage to medical equipment that could cause both physical harm to patients and enormous financial losses in the clinic
- Negative impact on the reputation of a clinic
Report on the Internet
The first thing the Kaspersky Lab expert decided to investigate was understanding how many medical devices around the world are now connected to the Internet. Modern medical devices are fully functional computers with their own operating system. At the same time, most of them have a communication channel with the Internet. By hacking them, criminals could affect their functionality.
A quick look at the Shodan search engine for Internet-connected devices showed that hundreds of devices – from MRI scanners, to cardiac equipment, nuclear medicine devices and other related devices – are registered there. This discovery leads to disturbing conclusions. Some of these devices still "run" old operating systems such as Windows XP, which do not have the relevant patches for the vulnerabilities that have been discovered. Also, some of the devices still use the default passwords, which can be easily found in publicly accessible manuals.
Using these vulnerabilities, criminals could gain access to one's interface deviceand possibly affect the way it works.
Inside the clinic's local network
The above scenario was one of the ways digital criminals could gain access to vital clinic infrastructure. But the most obvious and logical way is to try to attack its local network. During the investigation, a vulnerability was detected in the clinic's Wi-Fi connection. Through a weak communication protocol, access to the local network was obtained.
Investigating the local network of the clinic, the Kaspersky Lab expert identified some medical equipment previously found in Shodan. This time, however, to gain access to the equipment, no one needed a password, because the local network was a reliable network for medical equipment applications as well as for users. And that's the way a digital criminal can access a medical device.
Investigating the network further, the Kaspersky Lab expert discovered a new vulnerability in a medical device application. A command shell was implemented in the user interface. The latter could give cybercriminals access to personal patient information, such as medical history and information about medical analyses, as well as their addresses and data their identity. Furthermore, the entire device controlled through this application could be compromised through this vulnerability. For example, among these devices could be MRI scanners, cardiac equipment, nuclear medicine devices and surgical equipment. What could this entail? First, criminals could change how the device works and cause physical harm to patients. Second, criminals could damage the device itself, causing a huge financial loss to the hospital.
"Clinics no longer consist only of doctors and medical equipment, but also of IT services. The work of the internal security services of a clinic affects the security of the patient's data and the functionality of its devices. Manufacturers of medical software and equipment make great efforts to create a useful medical device that will save and protect human life, but sometimes they completely forget to protect them from unauthorized external access. When it comes to new technologies, security issues need to be addressed in the first stage of the Research and Development (R&D) process. "Security companies in the IT industry could help at this stage, helping to address security issues." commented Sergey Lozhkin, Senior Researcher, Kaspersky Lab's Global Research and Analysis Team.
Kaspersky Lab specialists propose the following steps to protect clinics from unauthorized access:
- Use strong passwords to protect all external connection points
- Updating information security policies and developing early patch and vulnerability assessment systems
- Protect the applications of medical devices on the local network with passwords in the event of unauthorized access to the trusted site
- Protect infrastructure from threats such as malicious software and hacking attacks through a credible security solution
- Back up critical information on a regular basis and maintain an offline backup
More information about health insurance is available in a related blogpost, on the site Securelist.com.
