Analysis of several security threats facing the medical industry in 2016

Source: Internet
Author: User


At the beginning of 2016, the medical industry suffered many security incidents, for example, a ransomware attack at the Los Angeles Hospital, ransomware attacks at a German hospital, attacks on patient monitors and drug administration systems, and an attack at the Melbourne Hospital. Only two months into 2016, there had already been this many major security events, which is a striking and alarming trend.

In recent years, the IoT industry has arrived like a storm. From a security perspective, the medical equipment industry, as an important part of the IoT, cannot be underestimated. Modern medical devices are networked, and their operating systems and applications rely entirely on computers (65-year-old Chinese medicine practitioners are forced to learn to use computers). These devices are equipped with sophisticated technologies to help doctors diagnose disease more accurately. However, as with other industrial systems, their makers focus only on optimizing the medical technology while ignoring network security. Vulnerabilities in program design and architecture, insecure authorization, unencrypted communication channels, and software bugs can all lead to the compromise of medical devices.

Unauthorized access to a device can have serious consequences: not only the theft of important user data, but also a major impact on the health and life of the patient. It is alarming how simple it is to intrude into hospital systems, steal private information from medical devices, and obtain access permissions on the devices. Imagine a real targeted attack: a hacker with full control over a medical device can manipulate the diagnosis results and treatment measures, which means that the patient's life and death are in the hacker's hands.

 

At the Kaspersky Security Analysis Conference, we once demonstrated how simple it is to find a target hospital, gain access to its intranet, and control an MRI device (locating patient cases, personal data, and treatment processes). For the current medical architecture, simply fixing the vulnerabilities in medical devices is not enough. The architecture is already broken, and security measures that address the human factor are also urgently needed.

Unauthorized access

In fact, it is not difficult to find medical devices with vulnerabilities. With a common search engine such as Shodan, thousands of medical devices can be found on the Internet, including online MRI scanners, cardiology devices, and radioactive medical devices. A large share of these devices still run the Windows XP operating system and have not been patched against a large number of vulnerabilities that allow remote access to the system. What's more, some devices still use the default password.

 

 

I conducted a penetration test on a hospital and found some gratifying results. Although some devices were connected to the Internet, they were well protected: they did not use the default password, and the web control interface was not vulnerable. But I have to mention that there were still many problems with the equipment. If a hacker wants to access a system in a hospital, he will find other intrusion methods.

No limits on the local network

I drove to the hospital and found that there were many Wi-Fi access points in the hospital. The problem was that their passwords were too weak and could be easily cracked. The Wi-Fi password can be used to access the hospital intranet. After entering the intranet, I found some of the same devices I had found on the Internet, and this time I could connect to them, because these devices treat the intranet as fully trusted. Medical device manufacturers protect devices from being accessed from external networks, but by default leave them accessible from the internal network. This is a fatal error!

Application-layer Vulnerabilities

After connecting to the device, I could immediately access its control interface. The patient's personal information, cases, and diagnostic information were all visible at a glance. But this was not my focus. I found a shell command on the user interface that gave access to the file system on the device.

 

 

In my opinion, this is a serious vulnerability in the design of the application software. Even if remote access is not required, why would software engineers put a shell command on the doctor's interface? Obviously, such a shell should not exist. This shows that you can protect a device against one kind of intrusion and still not have protected everything.

There is another serious problem with the application software: the operating system is still an old version, and patches have not been applied. In fact, every hospital should have a professional security engineer to update systems in a timely manner and check whether the equipment is operating normally and safely.

In recent years, medical facilities have suffered frequent hacker attacks, and the forms of attack have become increasingly diverse, including targeted attacks, ransomware attacks, and DDoS attacks. Medical equipment manufacturers and hospital technical teams should pay more attention to the security of medical equipment to avoid cyberattacks.

 

 

Security suggestions

Suggestions for hospital technicians:

1. Pay attention to attacks against medical facilities and check whether the medical facilities in your hospital are under the same attack;

2. Be familiar with technical security policies and promptly update patches;

3. Protect hospital facilities not only from external threats but also from attacks from internal networks, because hackers may intrude into the intranet before intruding into the devices.
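One way to check suggestion 3 together with the Windows XP and default-password weaknesses described earlier, as an added example that is not part of the original article: the script evaluates a first-match firewall rule list against a device inventory and reports which devices are reachable from untrusted segments. All device names, addresses, and rule sets are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Rule: source CIDR, destination CIDR, port (0 = any), "allow" or "deny".
Rule = namedtuple("Rule", "src dst port action")
Device = namedtuple("Device", "name ip os mgmt_ports default_password")
EOL_OS = {"Windows XP"}  # the article's example; extend for your own estate

def allowed(rules, src_ip, dst_ip, port):
    """First matching rule wins; no match means deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (0, port)):
            return r.action == "allow"
    return False

def audit(rules, devices, untrusted):
    """Map device name -> findings, for devices with at least one finding."""
    report = {}
    for dev in devices:
        found = []
        for label, src_ip in untrusted.items():
            ports = [p for p in dev.mgmt_ports if allowed(rules, src_ip, dev.ip, p)]
            if ports:
                found.append(f"reachable from {label} on {ports}")
        if dev.os in EOL_OS:
            found.append(f"end-of-life OS: {dev.os}")
        if dev.default_password:
            found.append("default password in use")
        if found:
            report[dev.name] = found
    return report

# Constructed sample data (names, addresses and rules are illustrative only).
DEVICES = [Device("mri-01", "10.20.0.11", "Windows XP", (80, 3389), True),
           Device("ecg-02", "10.20.0.12", "Windows 10", (443,), False)]
UNTRUSTED = {"guest Wi-Fi": "10.50.0.23", "Internet": "203.0.113.7"}
FLAT = [Rule("10.0.0.0/8", "10.20.0.0/24", 0, "allow"),   # intranet fully trusted
        Rule("0.0.0.0/0", "10.20.0.0/24", 0, "deny")]     # only the Internet blocked
SEGMENTED = [Rule("10.30.0.0/24", "10.20.0.0/24", 443, "allow")]  # clinical workstations

if __name__ == "__main__":
    for policy, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(policy, audit(rules, DEVICES, UNTRUSTED))
```

Under the flat policy both devices are reachable from the guest Wi-Fi even though the Internet is blocked; under the segmented policy only the patching and password findings remain.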

 
