Today, Cisco's Talos security research group revealed five vulnerabilities in NeuroWorks, Windows-based software used in multiple electroencephalogram (EEG) systems sold by Natus. The Natus Xltek NeuroWorks 8 software uses hospitals' Ethernet networks to connect to EEG devices and integrate with patient data systems, and it is vulnerable to attacks that could allow remote code execution—allowing an attacker to gain access to the data on the device and to other systems on the hospital network—and denial of service. The systems hosting the software could then be used to stage wider attacks on hospital networks.

Four components of NeuroWorks are vulnerable to buffer overflows that a remote attacker could trigger with crafted network packets, dropping commands into the memory of the console. Another vulnerability allows a remote attacker to mount a denial-of-service attack against EEG devices. Natus has issued a patch for the bugs. Unfortunately, based on the previous history of vulnerable medical devices, it's likely that these systems will remain in use—unpatched—by hundreds of hospitals.
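The bug class described above, a network parser that trusts a length field carried in the packet, is worth seeing next to its fix. The following is an added illustration, not code from Talos, Natus or NeuroWorks, and the two-byte length-prefixed packet layout, the `MAX_PAYLOAD` limit and the function names are all assumptions made for the example: the vulnerable parser copies whatever length the packet declares into a fixed stack buffer, while the hardened parser rejects any packet whose declared length exceeds either the buffer or the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format (an assumption for this example, not a real protocol):
 * a 2-byte big-endian payload length followed by the payload bytes. */
#define MAX_PAYLOAD 64

/* Vulnerable pattern: the length field from the wire is trusted. A packet that
 * declares more than MAX_PAYLOAD bytes makes memcpy write past the stack buffer. */
int parse_vulnerable(const uint8_t *pkt, size_t pkt_len, uint8_t *checksum_out)
{
    uint8_t payload[MAX_PAYLOAD];
    if (pkt == NULL || pkt_len < 2) return -1;
    uint16_t declared = (uint16_t)((pkt[0] << 8) | pkt[1]);
    memcpy(payload, pkt + 2, declared);          /* no check against MAX_PAYLOAD or pkt_len */
    uint8_t sum = 0;
    for (size_t i = 0; i < declared; i++) sum = (uint8_t)(sum + payload[i]);
    *checksum_out = sum;
    return (int)declared;
}

/* Hardened form: the declared length must fit the buffer and must not exceed the
 * bytes actually received, so a crafted length can neither overflow nor over-read. */
int parse_hardened(const uint8_t *pkt, size_t pkt_len, uint8_t *checksum_out)
{
    uint8_t payload[MAX_PAYLOAD];
    if (pkt == NULL || pkt_len < 2 || checksum_out == NULL) return -1;
    uint16_t declared = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (declared > MAX_PAYLOAD) return -2;        /* would overflow the fixed buffer */
    if ((size_t)declared > pkt_len - 2) return -3; /* claims more bytes than were received */
    memcpy(payload, pkt + 2, declared);
    uint8_t sum = 0;
    for (size_t i = 0; i < declared; i++) sum = (uint8_t)(sum + payload[i]);
    *checksum_out = sum;
    return (int)declared;
}

/* Builds a constructed test packet: 'declared' goes into the length field and
 * 'payload_bytes' of 0x5A follow it, so the two can deliberately disagree. */
size_t build_packet(uint8_t *out, size_t out_cap, uint16_t declared, size_t payload_bytes)
{
    if (out == NULL || out_cap < 2 + payload_bytes) return 0;
    out[0] = (uint8_t)(declared >> 8);
    out[1] = (uint8_t)(declared & 0xFF);
    memset(out + 2, 0x5A, payload_bytes);
    return 2 + payload_bytes;
}

int main(void)
{
    uint8_t pkt[512];
    uint8_t sum = 0;

    /* Well-formed packet: both parsers accept it. */
    size_t n = build_packet(pkt, sizeof pkt, 16, 16);
    printf("benign: hardened=%d vulnerable=%d checksum=0x%02X\n",
           parse_hardened(pkt, n, &sum), parse_vulnerable(pkt, n, &sum), sum);

    /* Declared length larger than the buffer: only the hardened parser is safe to call. */
    n = build_packet(pkt, sizeof pkt, 500, 500);
    printf("oversized: hardened=%d (rejected)\n", parse_hardened(pkt, n, &sum));

    /* Declared length larger than the bytes received: rejected rather than over-read. */
    n = build_packet(pkt, sizeof pkt, 32, 8);
    printf("truncated: hardened=%d (rejected)\n", parse_hardened(pkt, n, &sum));
    return 0;
}
```

The vulnerable parser is only ever called on the well-formed packet here; feeding it the oversized one would corrupt the stack, which is exactly the condition a crafted packet exploits. The two checks in `parse_hardened` are the fix: bound the declared length by the destination buffer, and by the data actually present.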

Crypto-ransomware attacks on hospitals over the past two years have heightened awareness of the dangers to many systems and shown how porous hospital networks really are. Hollywood Presbyterian and other hospitals were forced by ransomware attacks to turn away emergency room patients and shift back to paper charts while recovering from the attacks. Ransomware could affect many medical devices' embedded systems as well, since they are frequently based on older operating systems and are at even greater risk from malware or automated remote attack. And some devices that have been identified as being dangerously exposed to attacks have stayed in use despite warnings to hospitals from the United States Food and Drug Administration.

Hospira Symbiq infusion systems, which pump drugs directly into patients' bloodstreams, can still be found in many hospitals despite FDA warnings of their vulnerability to cyber attack issued in 2015. The very first recall of a medical device for security reasons—a pacemaker from Abbott—was issued by the FDA in August 2017.

While attacking an EEG system won't necessarily harm a patient directly, the vulnerabilities described by Talos could be used to create a persistent presence on hospital networks for a number of malicious purposes, or to execute code that could install malware if the Internet is reachable from the system.