Medical IoT (IoMT) devices are often left exposed to attack because they run outdated or legacy operating systems. In many cases these systems are easy to break into and expose a trove of sensitive patient data, which is highly sought after on the black market.

In one instance, researchers from Check Point Research found an ultrasound machine running Windows 2000, an OS that no longer receives security patches, leaving the machine vulnerable to a multitude of known attacks.

The researchers demonstrated that, after compromising the ultrasound device through one of the vulnerabilities affecting it, an attacker could download the patient records stored on it, edit or replace data on the machine, and infect it with ransomware, then demand a ransom to restore the medical data.

While this is just a single example of what threat actors can do once they gain access to IoMT devices running legacy operating systems with numerous, easily exploited vulnerabilities, it illustrates the significant damage that attacks targeting health-related data can inflict.

Just last year, the UK Department of Health and Social Care announced that all National Health Service (NHS) computer systems would be moved to Windows 10 after more than a third of all NHS trusts were hit by WannaCry, attacks that led to the cancellation of roughly 7,000 medical appointments across the UK, including critical operations.

Medical data was also the target of threat actors who breached the IT systems of Singapore's Ministry of Health (MOH) and stole the data of approximately 1.5 million citizens.

As explained by Check Point, "Such attacks could lead to loss and sharing of personal data, altering a patient’s medical information regarding medicine, dosages, etc and hacking of MRI, ultrasound and x-ray machines in hospitals."

Network segmentation as an extra layer of security

Unfortunately, while patching would be the simplest way to mitigate these risks, two things stand in the way: many medical devices ship with operating systems that no longer receive security updates at all, and even where updates exist, the downtime the update process requires is often unacceptable in a clinical setting. In most cases, therefore, these connected medical devices remain vulnerable to attack.

Additionally, as detailed in Check Point's report, "From a regulatory point of view, the inherent vulnerabilities that come with operating healthcare devices, such as a lack of encryption of sensitive data as well as hard-coded or default login credentials, prevent IT professionals from even implementing security patches, should such patches even exist."

The researchers recommend segmentation, applied both to the networks of healthcare organizations and to their staff's access to those networks, as the best measure that can be taken to detect and prevent breaches and data theft.

Check Point concludes by arguing that "healthcare organizations must be aware of the vulnerabilities that come with these devices that increase their chances of a data breach. Network segmentation is a best practice that allows IT professionals in the healthcare sector the confidence to embrace new digital medical solutions while providing another layer of security to network and data protection, without compromising performance or reliability."
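What segmentation buys you in practice is a small, explicit allowlist of the cross-zone traffic a legacy device actually needs, with everything else denied and logged. The following Python is an added example, not code from Check Point's report or from any vendor: it models three zones (a medical-device VLAN, a PACS/imaging server segment, and the corporate staff network), an allowlist that permits the ultrasound modality to talk only to PACS over DICOM, and a checker that runs over a few constructed flow-log lines to show which connections a segmented network would block. The zone address ranges, port numbers, log format and sample flows are all assumptions made for the example; it evaluates new connections only and assumes return traffic is handled statefully by the firewall.

```python
import ipaddress
from dataclasses import dataclass

# Zones. Address ranges are constructed for this example (not from the report).
ZONES = {
    "iomt":      ipaddress.ip_network("10.10.0.0/24"),  # legacy medical devices (ultrasound etc.)
    "pacs":      ipaddress.ip_network("10.20.0.0/24"),  # imaging servers the devices must reach
    "corporate": ipaddress.ip_network("10.30.0.0/16"),  # staff workstations
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


# Cross-zone allowlist: (src_zone, dst_zone, proto, dst_port).
# Any new connection that crosses a zone boundary and is not listed here is denied.
ALLOW = {
    ("iomt", "pacs", "tcp", 104),        # DICOM from modality to PACS (assumed port)
    ("iomt", "pacs", "tcp", 11112),      # DICOM alternate port (assumed)
    ("pacs", "iomt", "tcp", 104),        # PACS-initiated transfers back to the modality
    ("corporate", "pacs", "tcp", 443),   # staff viewing images through the PACS web front end
}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: 'src=A dst=B proto=tcp dport=N'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ('allow'|'deny', reason) for a new connection under the segmentation policy."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        # Intra-zone traffic is permitted here; a stricter design would also
        # deny device-to-device traffic inside the IoMT VLAN (micro-segmentation).
        return "allow", f"intra-zone ({s})"
    key = (s, d, flow.proto, flow.dport)
    if key in ALLOW:
        return "allow", f"{s}->{d} {flow.proto}/{flow.dport} on allowlist"
    return "deny", f"{s}->{d} {flow.proto}/{flow.dport} not on allowlist"


# Constructed sample flows: a legitimate DICOM transfer, then the kinds of
# traffic a compromised legacy device would generate (SMB to a workstation,
# an outbound connection to the Internet) and an RDP attempt from a staff PC.
SAMPLE_LOG = """\
src=10.10.0.5 dst=10.20.0.7 proto=tcp dport=104
src=10.10.0.5 dst=10.30.4.21 proto=tcp dport=445
src=10.10.0.5 dst=198.51.100.10 proto=tcp dport=443
src=10.30.4.21 dst=10.10.0.5 proto=tcp dport=3389
src=10.30.4.21 dst=10.20.0.7 proto=tcp dport=443
"""


def audit(log_text: str) -> list[tuple[str, str, str]]:
    """Evaluate every line of a flow log; returns (line, verdict, reason) triples."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict, reason = evaluate(parse_flow(line))
        results.append((line, verdict, reason))
    return results


if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:5} {reason:50} {line}")
```

Running the block shows the DICOM transfer and the staff-to-PACS web session allowed, while the SMB connection to a workstation, the outbound Internet connection from the ultrasound machine, and the RDP attempt into the device VLAN are all denied. Those three denied entries are exactly the events worth alerting on: a device that only ever needs to talk to PACS has no business opening SMB or Internet connections, so a deny log from the segmentation boundary doubles as a cheap compromise indicator for devices that cannot be patched.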

IoT devices increasingly at risk

The growing number of unpatched vulnerabilities affecting IoMT devices also affects IoT devices as a whole, as confirmed by multiple reports raising awareness of the issue in 2019 alone.

Just last week, Windows 10 IoT Core devices were found to be exposed to remote command execution attacks that allow bad actors to run arbitrary code with SYSTEM privileges without needing to authenticate.

The researcher who found the vulnerability also released an open source RAT tool dubbed SirepRAT that can be used to exploit the built-in Sirep test service "on any cable-connected device running Windows IoT Core with an official Microsoft image."

Two days later, Trend Micro showed in a report that outdated software on UPnP-enabled devices makes it possible for would-be attackers to exploit a wide range of vulnerabilities in the UPnP libraries used by various daemons and servers reachable over the Internet.

In February, Avast revealed in its 2019 Smart Home Security Report that 40.8% of all smart homes contain at least one device vulnerable to remote attacks; roughly a third of those vulnerable devices are exposed because of outdated software with unpatched security issues, while about 66% are exposed by weak or default credentials.

Image credits: motionxcom