Thousands of hospitals — and the medical devices connected to their networks — have a serious computer security flaw that has left them vulnerable to hacking, according to information security analysts from Essentia Health.
Researchers Scott Erven and Shawn Merdinger said in a recent Wired article that their investigation revealed that many hospital network administrators have misconfigured the server message block (SMB) — a protocol for computers to identify and communicate in an internal network — in such a way that it broadcasts sensitive data externally via the Internet for hackers to exploit. This could make medical devices prone to hacking, which may endanger patients’ lives.
“We can exploit them with no user interaction … [then] pivot directly at the medical devices that you want to attack,” Erven said in the Wired article. Erven is head of information security for Essentia Health, an operator of 100 healthcare facilities in the U.S.
Via the security loophole, hackers can tap into a hospital’s network and into medical devices and equipment without being noticed. For instance, Erven explained that hackers can alter the settings of defibrillators, disabling them so that they fail to deliver a life-saving shock or causing them to deliver inappropriate shocks. Drug infusion pumps could also be easily manipulated remotely to deliver toxic doses to patients, and temperature settings for storage facilities of blood products could be tampered with, according to Erven.
The researchers said that a large healthcare organization with 3,000 doctors and 2,000 employees, which remained anonymous, was found to have been leaking data from as many as 68,000 systems connected to its network to the Internet for outsiders to see. They said they soon found out that many other organizations had the same problem.
“We started running organization searches to identify hospitals, clinics, and other medical facilities and we quickly realized this is a global health care organization issue,” Erven said in the Wired article. “This is thousands of organizations [that are leaking information] across the world.”
Because hospitals are connected to other hospitals, laboratories, pharmacies, and care providers, the security flaw could leave them vulnerable as well, the researchers said.
“It goes to show that health care [organizations are] very sloppy in configuring their external edge networks and are not really taking security seriously,” Erven said in the article.
Erven told Wired that the SMB security flaw is just one of many computer security issues facing healthcare organizations — their primary focus often on protecting data and complying with federally-mandated health insurance portability and accountability act (HIPAA) regulations. He suggested that these organizations “conduct penetration testing and vulnerability maintenance to really test their systems and secure them the way the security teams at banks and other financial organizations do.”
Last year, the U.S. FDA had warned hospital systems and medical device manufacturers to upgrade their security systems and safeguard against cyber threats. In an article in Reuters, William Maisel, deputy director for science at the FDA’s Center for Devices and Radiological Health, said that the vulnerabilities were largely unintentional, caused by “malware and computer viruses that were circulating in hospital computer networks and jumped onto the devices.”