BreachExchange mailing list archives

Hospital Networks Are Leaking Data, Leaving Critical Devices Vulnerable


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Jun 2014 18:28:01 -0600

http://www.wired.com/2014/06/hospital-networks-leaking-data/

Two researchers examining the security of hospital networks have found many
of them leak valuable information to the internet, leaving critical systems
and equipment vulnerable to hacking.

The data, which in some cases enumerates every computer and device on a
hospital’s internal network, would allow hackers to easily locate and map
systems to conduct targeted attacks.

In at least one case, a large health care organization was spilling info
about 68,000 systems connected to its network. At this and every other
facility that was leaking data, the problem was an internet-connected
computer that was not configured securely. Quite often, the researchers
found, these systems also were using unpatched versions of Windows XP still
vulnerable to an exploit used by the Conficker worm six years ago.

“Now we know all the targeted info and we know that systems that are
publicly connected to the internet are vulnerable to the exploit,” says
Scott Erven, one of the researchers, who plans to discuss their findings
today at the Shakacon conference in Hawaii. “We can exploit them with no
user interaction… [then] pivot directly at the medical devices that you
want to attack.”

Attackers could, for example, infect one of these systems and use it as a
launchpad to find and hack the control system that manages embedded
pacemakers. Such systems, Erven says, generally require no authentication
to administer test shocks to patients or to configure thresholds that
determine when a shock is automatically administered. An attacker could
therefore alter the settings that determine when a patient is going into
cardiac arrest in order to administer shocks when they aren’t needed or
prevent life-saving shocks from occurring.

The data leak is the result of network administrators enabling Server
Message Block, or SMB, on computers facing the internet and configuring it
in such a way that allows data to broadcast externally. SMB is a protocol
commonly used by administrators to help quickly identify, locate and
communicate with computers and equipment connected to an internal network.
With SMB, each system is assigned an ID number or other descriptor to help
distinguish, say, the PC in a doctor’s office from surgical systems in an
operating room or testing equipment in a lab.

This kind of information should only be available to network staff. But the
researchers found many hospitals had misconfigured the SMB service,
allowing outsiders to see it as well.

“Health Care Organizations Are Very Sloppy”

“It goes to show that health care [organizations are] very sloppy in
configuring their external edge networks and are not really taking security
seriously,” Erven says.

The vulnerability was uncovered by Erven and Shawn Merdinger, an
independent health care security researcher and consultant, expanding on
work Erven has done identifying vulnerabilities in medical devices and
hospital equipment.

Erven is head of information security for Essentia Health, which operates
about 100 facilities, including clinics, hospitals and pharmacies, in four
states. He and his staff recently completed a two-year investigation into
the security of all of Essentia’s medical equipment.

Among other problems, they found drug infusion pumps—for delivering
morphine drips, chemotherapy and antibiotics—that could be remotely
manipulated to change dosages delivered to patients; Bluetooth-enabled
defibrillators that could be manipulated to deliver random shocks to a
patient’s heart or prevent a medically needed shock from occurring; and
temperature settings on refrigerators storing blood and drugs that could be
reset to cause spoilage.

At the time Erven’s team conducted their research, they didn’t know how
many vulnerable medical devices were directly connected to the internet as
opposed to simply being connected to internal networks accessible via the
internet.

Erven and Merdinger set out to scan the internet to answer this question.
They scanned for any systems using port 445—the port the SMB protocol uses
to transmit data—and filtered for hospitals and other health care
organizations while using keywords like “anesthesia” and “defibrillator.”
Within half an hour, they discovered a health care organization that was
leaking information on 68,000 systems. The organization, which Erven would
not identify, has more than 12,000 employees, 3,000 physicians and large
cardiovascular and neuroscience institutions associated with it.

Among the systems with exposed data, the researchers easily identified at
least 32 pacemaker systems in the organization, 21 anesthesiology systems,
488 cardiology systems, and 323 PACS systems—radiology systems for reading
X-Rays and other images. They also identified telemetry systems, high-risk
systems that are often used in infant-abduction prevention systems as well
as for monitoring the movement of elderly patients throughout a hospital to
ensure they don’t wander off.

The problem went beyond this one organization. Because the health care
organization’s network was connected to third-party networks, data from
those networks was exposed as well. Hospital networks often are connected
to those of other providers, pharmacies and laboratories. Systems belonging
to these other organizations can also be exposed to SMB data leaks if the
hospital doesn’t configure its own systems properly.

Although this organization was the largest one they identified with
problems, they soon found others.

A Global Healthcare Issue

“We started running organization searches to identify hospitals, clinics,
and other medical facilities and we quickly realized this is a global
health care organization issue,” Erven says. “This is thousands of
organizations [that are leaking this information] across the world.”

Most hacks involve multiple stages of reconnaissance and varying levels of
penetration to reach critical systems and identify vulnerabilities. But in
this case, the SMB data would allow an attacker to home in on vulnerable
machines quickly instead of having to scan a hospital’s entire network,
searching for something interesting—an activity that runs the risk of
getting them noticed.

On some of the networks that were leaking data, the system administrators
had assigned names to the systems on their network, such as “Dr. Armstrong’s
office” or “cardiology defibrillator in OR1,” making it even easier for
hackers to identify specific systems for attack.

Armed with this information, as well as the research Erven had previously
done to identify vulnerable hospital equipment, an attacker could craft a
custom payload to target a specific brand of defibrillators or oncology
equipment and send it to a hospital worker via a phishing email. The
payload could then seek out the equipment on the network—using the SMB
data—and execute its attack only on these specific devices. The attack
could even be conducted to target a specific patient.

“The doctor’s name doesn’t necessarily help an attacker,” Erven says. “But
when you know that this patient has an appointment with this doctor and I
know this doctor uses this system, you could build a case for a major
targeted attack and have more certainty of where you want to target.”

Erven says the SMB problem is just one security issue that health care
organizations are facing. He says the problems exist because the security
teams at these organizations are too often focused solely on HIPAA
compliance—checking off boxes to meet government regulations for protecting
data—while failing to conduct penetration testing and vulnerability
maintenance to really test their systems and secure them the way the
security teams at banks and other financial organizations do.

In this case, the vulnerability could be easily fixed by simply disabling
the SMB service on external-facing systems or reconfiguring it so that it
only broadcasts data internally on the hospital’s local network instead of
broadcasting it out to the internet for hackers to see.
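The fix described above, restricting SMB to the internal network, can be expressed as host firewall rules. The following is an added example and is not from the article or from the researchers; it assumes a Windows host with the NetSecurity and SmbShare PowerShell modules (Windows 8 / Server 2012 and later, so not the Windows XP machines the article mentions, which would need an equivalent rule on the perimeter firewall), an elevated session, and an assumed internal address range of 10.0.0.0/8 that must be replaced with the organization's real ranges.

```powershell
# Added example, not the article's or the researchers' code.
# Goal: make SMB (TCP/445) unreachable from the internet while keeping it
# available to the internal network. Run as Administrator.

# Assumption: the internal network is 10.0.0.0/8. Replace with real ranges.
$InternalRanges = @('10.0.0.0/8')

# 1. Block every inbound SMB connection on the Public profile (internet-facing
#    interfaces). Block rules take precedence over allow rules in Windows Firewall.
New-NetFirewallRule -DisplayName 'Block inbound SMB (public)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -Profile Public -Action Block

# 2. On the Domain and Private profiles, allow SMB only from internal ranges.
New-NetFirewallRule -DisplayName 'Allow inbound SMB (internal only)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -Profile Domain,Private -RemoteAddress $InternalRanges -Action Allow

# 3. Disable the built-in SMB allow rules, which permit any remote address.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -Enabled False

# 4. Retire SMBv1, the dialect exploited by Conficker-era attacks, if nothing
#    on the network still depends on it (check first; legacy devices may).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 5. Verify: list the rules that touch port 445 together with their profiles.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 445 } |
    Select-Object DisplayName, Profile, Action, Enabled |
    Format-Table -AutoSize

# From a host outside the organization, the following should report
# TcpTestSucceeded : False (replace the placeholder with the public address):
#   Test-NetConnection -ComputerName <public-ip-placeholder> -Port 445
```

Step 5 is the check a practitioner should repeat after any firewall change, since a later "File and Printer Sharing" enablement or a new rule with a blank remote address silently reopens port 445 to everyone; the external Test-NetConnection is the same condition the researchers observed, viewed from the defender's side.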
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/