14,000 medical devices are online, unsecured and vulnerable
Of the more than 14,000 IPs of exposed and vulnerable medical devices, health care login portals, and databases throughout the world, nearly half are found in the U.S., according to a report released Thursday.
Censys — a search platform that can identify internet-connected devices — scoured the public internet and categorized the vast medical playground available to malicious hackers, which partly explains why the industry is beset with so many attacks. The research found that just under half of the “Internet of Healthcare Things” (IoHT) devices found online belong to U.S. businesses — 6,884 or 49%. India is far behind in second place, with 10% of devices found online.
Censys researchers noted that the decentralized nature of the U.S. health care system is a likely reason why so many devices are online, drawing a comparison with the United Kingdom, its centralized health care system and its paltry 200 devices online.
Even so, while the findings focused on public interfaces and devices — with honeypots and false positives removed — other systems may not be as publicly reachable but are still vulnerable, the research states.
The health care ecosystem has been under almost constant assault in recent years as cybercriminals take advantage of a system decimated by the COVID-19 pandemic. Combating ransomware attacks against hospitals has become a major national security priority for the Biden administration as the potential impacts can be dire. A recent extortion of Change Healthcare crippled the payment processing company and tens of thousands of pharmacies, highlighting the disruptions at stake.
The White House has recently pushed for additional cyber mandates for medical device makers as part of a broader effort to get manufacturers to build secure-by-design principles into their products before they go to market. A rule from the Food and Drug Administration that went into effect last October requires vendors to find and mitigate vulnerabilities. Congress, meanwhile, has legislation that would create cyber standards for health care providers.
But while cybercriminals have targeted health care systems for extortion and profit, the businesses using the systems could be doing a lot more to stem the flow of attacks as well, Censys research revealed.
Censys found that many of the networks of smaller health care organizations that provide critical services used residential ISPs. Additionally, many lacked basic security hygiene, with researchers finding weak credentials or unencrypted connections and misconfigurations.
“Smaller organizations can be more susceptible to attack because they are often less prepared to defend against sophisticated methods,” Censys wrote.
The largest group of devices found online were the communication protocols and web interfaces used for transferring and viewing medical images, known as Digital Imaging and Communications in Medicine, or DICOM, Censys noted.
DICOM is both a format and a protocol used for scans like MRIs and CTs and connects radiology equipment with software for further analysis. It’s also a 30-year-old protocol that “wasn’t built with security in mind” and instead prioritized accessibility, Censys researchers wrote.
Most servers found online were deployed without firewalls or VPNs and belonged to independent radiology and pathology services providers or imaging departments at hospital networks, Censys found.
Additionally, login pages for medical record systems, known as Electronic Medical Records and Electronic Health Records, made up just under 30% of other exposed devices found online. Censys found more than 5,100 web-based applications that could contain sensitive data, such as complete medical histories or lab results, researchers noted.
“EMRs and EHRs are among the most frequently targeted assets in healthcare data breaches due to the vast amount of protected health information they store, including social security numbers, biometric data, contact information, and medical images — valuable data for malicious actors looking to profit on the dark web,” Censys noted, citing a U.S. Department of Health and Human Services document.
Other devices used to manage and use medical image software like DICOM were also identified in the report, as well as health care data integration platforms.
“The critical importance of implementing robust access controls, such as multi-factor authentication, is hard to exaggerate,” researchers wrote. “This is a must for securing sensitive systems like EMR/EHR platforms that must be accessible over the web.”