Researchers: Thousands of Medical Devices Are Vulnerable To Hacking
itwbennett writes: At the DerbyCon security conference, researchers Scott Erven and Mark Collao explained how they located Internet-connected medical devices by searching for terms like 'radiology' and 'podiatry' in the Shodan search engine. Some systems were connected to the Internet by design, others due to configuration errors. And much of the medical gear was still using the default logins and passwords provided by manufacturers. 'As these devices start to become connected, not only can your data get stolen but there are potential adverse safety issues,' Erven said.
well, of course (Score:2)
Re:well, of course (Score:5, Insightful)
Re: (Score:3, Funny)
How else can the doctor check your status from the golf course? Talking on the phone might disturb the other person while they are taking a stroke.
Re: (Score:2)
Depends on the doctor; they could be so busy they couldn't care less about security. It's more the managers who run the hospitals that should be responsible for more security.
Re: (Score:2)
Re: (Score:2)
That is true, but hospitals like hiring yes men to manage their IT.
So doctors will abuse the "medically necessary" excuse for the quickest and easiest setup so they get to play with their new toys faster.
If the hospital hired more competent staff, the doctors would have fits and may leave the organization because we will not give them access to install Dropbox or allow their PC to use USB sticks.
Also, MDs for some reason feel like they are qualified to make such decisions, as somehow their degree makes them qualified.
DUH... (Score:4, Informative)
Most anyone that has dealt with these devices has known this for a decade. Almost all MRI machines are insecure in every way. Hell, even the little drug dose meter boxes have an open serial port on them.
Re: (Score:3)
But the people who have the power to change the situation either don't know, don't think it is important, or don't care enough to act. Research like this can change one of the above.
Re: (Score:2)
The real answer is that they do know and they don't care at all in any way. IT has been shown to them in plush meeting rooms on the big projector screen while they sit in their $12,000 chair. They are told about every problem and they just do not care in any way.
The fix is to make hospital administrators personally liable for any data breach, and to allow suing the executives and board members of companies directly for selling highly vulnerable equipment.
Re: (Score:2)
The serial port can be secured with chewing gum.
this is the third time you posted this (Score:1)
Meanwhile, Win 10 is pushing updates without asking that have bricked some computers.
Heck, would you like to post how any car since 1992 can easily be hacked remotely?
IT in health (Score:5, Interesting)
All devices that we are putting in are VLANed and have specific firewall rules so that:
a. They can only contact the IP and port of the govt server that requires the information from the device.
b. Nothing on either the internal network or the external network can get access to them at all.
Other than that, there is nothing we can do. The govt IT manages those devices including passwords.
We also have to deal with computer illiterate health professionals which certainly doesn't help with the whole situation.
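One way to express the egress-only policy that post describes, as an added example (not the poster's own configuration): a small model of the two rules, evaluated against constructed sample flows. The device VLAN range, the government server address and its port are assumptions.

```python
# Added example, not from the Slashdot post: models the two firewall rules the
# comment describes for a medical-device VLAN and evaluates sample flows.
# The VLAN range, server address (TEST-NET-2) and port are assumed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DEVICE_VLAN = ip_network("10.50.0.0/24")    # assumed: VLAN holding the devices
GOVT_SERVER = ip_address("198.51.100.10")   # assumed: the one permitted peer
GOVT_PORT = 443                             # assumed: the one permitted port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    established: bool = False   # True for reply packets of an existing session


def policy(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one packet under the egress-only policy."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    from_device = src in DEVICE_VLAN
    to_device = dst in DEVICE_VLAN
    # Rule a: a device may open connections only to GOVT_SERVER:GOVT_PORT.
    if (from_device and dst == GOVT_SERVER
            and flow.dport == GOVT_PORT and flow.proto == "tcp"):
        return "allow"
    # Replies for that session come back from the server only (stateful match);
    # an unsolicited packet from the server is still dropped.
    if to_device and src == GOVT_SERVER and flow.established:
        return "allow"
    # Rule b: nothing else, internal or external, reaches a device, and a
    # device reaches nothing else.
    return "deny"


def evaluate(flows):
    """Map each constructed flow to its verdict, for review of the policy."""
    return {f: policy(f) for f in flows}


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate upload, then probes from the
    # device outward, from an internal host, and from the Internet inward.
    samples = [
        Flow("10.50.0.7", "198.51.100.10", 443),
        Flow("10.50.0.7", "10.20.3.4", 445),
        Flow("10.20.3.4", "10.50.0.7", 22),
        Flow("203.0.113.5", "10.50.0.7", 80),
    ]
    for flow, verdict in evaluate(samples).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {verdict}")
```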
I doubt it (Score:1)
Medical devices really get put through a very, very anal (no pun intended, eww) process before receiving regulatory approval. While I am not claiming that process is perfect, they are some of the safest and most tamper- and foolproof devices produced. So I conclude this article is basically FUD.
Re: (Score:2)
If only.
I wear a few medical devices which talk to each other, and other things, wirelessly. I have seen firsthand that the main device can connect to a computer and obey a command to download its history without any indication showing on the screen, no beep or other indication that anything is going on. If it can do that without my permission, what else is it open to? Could it obey a command to, say, silently overdose me?
It is clear from my experience that these devices were designed with convenience in
Re: (Score:1)
Totally not from a security perspective. The review process (at least here) is mostly how the device handles faults, how it is effective, and how it will not damage the patient.
Software review is basically providing a trace document that you make yourself and is rubber stamped. Security holes are exempt, since the device is only required to be resistant against accidental errors, not malicious things.
Send for CSI: Cyber :) (Score:2)
Re: (Score:2)
Mr. Robot [imdb.com] managed to be 'thrilling' and yet technically accurate at the same time. Except most techies don't want to bring down the financial system and have an invisible friend.
Why is this a problem? (Score:1)
Perhaps this is my failure to truly understand the scope of the problem, but where is the real motivation for hackers to compromise MRI machines and CAT scanners? Seriously. Why would somebody go to any level of effort and for that matter risk the felony charges that would come as a result?
I am not questioning that such a thing would be a violation of privacy. I am also not questioning that there is potential for serious harm to be maliciously done to or against somebody. I merely question the scope of t
Re: (Score:3)
Re: (Score:3)
Multiple reasons why somebody would target these servers (BTW: I was at the talk. Their video is at http://www.irongeek.com/i.php?... [irongeek.com].)
Anyways, IMHO, reasons:
1) As a gateway into the hospital so you can pwn servers to DDOS others
2) As a gateway into medical records so you can better phish, or possibly blackmail your targets
Re: (Score:1)
Never underestimate the willingness of bored stupid self-absorbed idiots to do something that makes them feel powerful for little investment on their part.
There was an episode of Law & Order about this (Score:1)
consider what's required to change it (Score:2)
Medical devices are highly regulated. Clinical trials are extremely expensive to run, and the FDA can demand new clinical trials every time you push through a software update. At the very least, you have to file with the FDA (for every single software update) a document demonstrating that nothing substantial was changed in the operating of the device.