Two researchers examining the security of hospital networks have found many of them leak valuable information to the internet, leaving critical systems and equipment vulnerable to hacking.

The data, which in some cases enumerates every computer and device on a hospital's internal network, would allow hackers to easily locate and map systems to conduct targeted attacks.

In at least one case, a large health care organization was spilling info about 68,000 systems connected to its network. At this and every other facility that was leaking data, the problem was an internet-connected computer that was not configured securely. Quite often, the researchers found, these systems also were using unpatched versions of Windows XP still vulnerable to an exploit used by the Conficker worm six years ago.

"Now we know all the targeted info and we know that systems that are publicly connected to the internet are vulnerable to the exploit," says Scott Erven, one of the researchers, who plans to discuss their findings today at the Shakacon conference in Hawaii. "We can exploit them with no user interaction... [then] pivot directly at the medical devices that you want to attack."

Attackers could, for example, infect one of these systems and use it as a launchpad to find and hack the control system that manages embedded pacemakers. Such systems, Erven says, generally require no authentication to administer test shocks to patients or to configure thresholds that determine when a shock is automatically administered. An attacker could therefore alter the settings that determine when a patient is going into cardiac arrest in order to administer shocks when they aren't needed or prevent life-saving shocks from occurring.

The data leak that makes it possible for hackers to locate vulnerable systems is the result of network administrators enabling Server Message Block, or SMB, on computers facing the internet and configuring it in such a way that allows data to broadcast externally. SMB is a protocol commonly used by administrators to help quickly identify, locate and communicate with computers and equipment connected to an internal network. With SMB, each system is assigned an ID number or other descriptor to help distinguish, say, the PC in a doctor's office from surgical systems in an operating room or testing equipment in a lab.

This kind of information should only be available to network staff. But the researchers found many hospitals had misconfigured the SMB service, allowing outsiders to see it as well.

"Health Care Organizations Are Very Sloppy"

"It goes to show that health care [organizations are] very sloppy in configuring their external edge networks and are not really taking security seriously," Erven says.

The vulnerability was uncovered by Erven and Shawn Merdinger, an independent health care security researcher and consultant, expanding on work Erven has done identifying vulnerabilities in medical devices and hospital equipment.

Erven is head of information security for Essentia Health, which operates about 100 facilities, including clinics, hospitals and pharmacies, in four states. He and his staff recently completed a two-year investigation into the security of all of Essentia's medical equipment.

Among other problems, they found drug infusion pumps—for delivering morphine drips, chemotherapy and antibiotics—that could be remotely manipulated to change dosages delivered to patients; Bluetooth-enabled defibrillators that could be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; and temperature settings on refrigerators storing blood and drugs that could be reset to cause spoilage.

At the time Erven's team conducted their research, they didn't know how many vulnerable medical devices were directly connected to the internet as opposed to simply being connected to internal networks accessible via the internet.

Erven and Merdinger set out to scan the internet to answer this question. They scanned for any systems using port 445—the port the SMB protocol uses to transmit data—and filtered for hospitals and other health care organizations while using keywords like "anesthesia" and "defibrillator." Within half an hour, they discovered a health care organization that was leaking information on 68,000 systems. The organization, which Erven would not identify, has more than 12,000 employees, 3,000 physicians and large cardiovascular and neuroscience institutions associated with it.

Among the systems with exposed data, the researchers easily identified at least 32 pacemaker systems in the organization, 21 anesthesiology systems, 488 cardiology systems, and 323 PACS systems—radiology systems for reading X-Rays and other images. They also identified telemetry systems, high-risk systems that are often used in infant-abduction prevention systems as well as for monitoring the movement of elderly patients throughout a hospital to ensure they don't wander off.

The problem went beyond this one organization. Because the health care organization's network was connected to third-party networks, data from those networks was exposed as well. Hospital networks often are connected to those of other providers, pharmacies and laboratories. Systems belonging to these other organizations can also be exposed to SMB data leaks if the hospital doesn't configure its own systems properly.

Although this organization was the largest one they identified with problems, they soon found others.

A Global Healthcare Issue

"We started running organization searches to identify hospitals, clinics, and other medical facilities and we quickly realized this is a global health care organization issue," Erven says. "This is thousands of organizations [that are leaking this information] across the world."

Most hacks involve multiple stages of reconnaissance and varying levels of penetration to reach critical systems and identify vulnerabilities. But in this case, the SMB data would allow an attacker to home in on vulnerable machines quickly instead of having to scan a hospital's entire network, searching for something interesting—an activity that runs the risk of getting them noticed.

On some of the networks that were leaking data, the system administrators had assigned names to the systems on their network, such as "Dr. Armstrong's office" or "cardiology defibrillator in OR1," making it even easier for hackers to identify specific systems for attack.

Armed with this information, as well as the research Erven had previously done to identify vulnerable hospital equipment, an attacker could craft a custom payload to target a specific brand of defibrillators or oncology equipment and send it to a hospital worker via a phishing email. The payload could then seek out the equipment on the network—using the SMB data—and execute its attack only on these specific devices. The attack could even be conducted to target a specific patient.

"The doctor's name doesn’t necessarily help an attacker," Erven says. "But when you know that this patient has an appointment with this doctor and I know this doctor uses this system, you could build a case for a major targeted attack and have more certainty of where you want to target."

Erven says the SMB problem is just one security issue that health care organizations are facing. He says the problems exist because the security teams at these organizations are too often focused solely on HIPAA compliance—checking off boxes to meet government regulations for protecting data—while failing to conduct penetration testing and vulnerability maintenance to really test their systems and secure them the way the security teams at banks and other financial organizations do.

In this case, the vulnerability could be easily fixed by simply disabling the SMB service on external-facing systems or reconfiguring it so that it only broadcasts data internally on the hospital's local network instead of broadcasting it out to the internet for hackers to see.
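A hospital security team can check for the condition described above in scan results from its own perimeter. The following is an added example, not code from the researchers or the article: it reads nmap grepable (`-oG`) output and reports external-facing hosts that accept SMB connections, noting whether the hostname gives away the device's role. The address range, hostnames, keyword list and scan lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: nmap grepable (-oG) output from a scan of an
# organisation's own address space. Addresses and names are invented.
SAMPLE_SCAN = """\
Host: 203.0.113.10 (cardio-defib-or1.example.org)\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
Host: 203.0.113.25 (www.example.org)\tPorts: 443/open/tcp//https///, 445/closed/tcp//microsoft-ds///
Host: 10.20.1.7 (pacs-reader-2.example.org)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 203.0.113.40 ()\tPorts: 139/open/tcp//netbios-ssn///
"""

SMB_PORTS = {139, 445}              # NetBIOS session service and direct-hosted SMB
EXTERNAL_NETS = ["203.0.113.0/24"]  # assumption: the organisation's internet-facing range
# Assumption: words that reveal a device's clinical role in its hostname.
REVEALING = re.compile(r"defib|pacs|cardio|anesth|pacemaker|infusion", re.I)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+Ports: (.*)$")

def audit_smb_exposure(scan_text, external_nets=EXTERNAL_NETS):
    """Return one finding per external-facing host with an open SMB port."""
    nets = [ipaddress.ip_network(n) for n in external_nets]
    findings = []
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # status lines, comments, hosts with no port data
        addr, name, ports = m.groups()
        ip = ipaddress.ip_address(addr)
        if not any(ip in n for n in nets):
            continue  # internal host: SMB there is not a perimeter finding
        # Each port entry looks like "445/open/tcp//microsoft-ds///".
        fields = (p.strip().split("/") for p in ports.split(","))
        open_smb = sorted(
            int(f[0]) for f in fields
            if len(f) > 2 and f[1] == "open"
            and f[0].isdigit() and int(f[0]) in SMB_PORTS
        )
        if open_smb:
            findings.append({"host": addr, "name": name, "smb_ports": open_smb,
                             "revealing_name": bool(REVEALING.search(name))})
    return findings

if __name__ == "__main__":
    for finding in audit_smb_exposure(SAMPLE_SCAN):
        print(finding)
```

Each host reported is a candidate for the fix described above: disable SMB on it, or restrict the service to the internal network.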