An Ontario hospital last fall accounted for over three quarters of the exposed and unused IP addresses or connected devices among medical institutions around the globe, according to research conducted by two security vendors.
In a report released today by Trend Micro and the Health Information Trust (HiTrust) Alliance on problems with information security in hospitals, researchers using the Shodan search engine found just over 69,300 exposed IP addresses or connected devices linked to hospitals or clinics around the world. Of them, 58,320 were unused IP addresses belonging to an unnamed hospital in Hamilton, Ont.
Just because a device or protocol is exposed doesn’t mean the device has a vulnerability, the report makes clear. Still, the vendors alerted the federally-managed Canadian Cyber Incident Response Centre to warn the Hamilton hospital of the leakage.
“Unused IP addresses should not be exposed to the Internet in this manner,” says the report. “This is most likely the case of a misconfigured proxy or bad proxy administration that Shodan has found. The underlying risk is that there might be other device/system misconfiguration issues inside this hospital that hackers might discover and exploit to compromise the network.”
The unused IP addresses belonging to the Hamilton-area hospital were likely being stored for future assignment to connected devices, Greg Young, Trend Micro’s Ottawa-based vice-president of cyber security and cloud, said in an interview. However, an administrator poorly chose to put them in a domain called “unused.HOSPITALNAME.ca.”
“It’s almost like saying ‘here are the unoccupied rooms or doors that are not attended in our building,’” said Young. “It’s a really bad practice to say ‘these are the IP addresses we’re not using.’” In addition, he said, it’s also a signal to a threat actor that other IP addresses in that range assigned to an organization are being used for something. That cuts a lot of the work down for an attacker.
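The naming problem Young describes can be caught from the defender's side by auditing the organization's own public DNS records. The following is an added example, not code from the report or from Trend Micro; the records, the asset inventory and the list of revealing labels are constructed assumptions. It flags hostnames whose labels disclose an address's status, public records for addresses the inventory says are not assigned, and address blocks where labelled "unused" entries implicitly mark the remaining addresses as in use.

```python
# Added example (not from the Trend Micro/HiTrust report): audit an
# organization's own public DNS records for hostnames that disclose how an
# address is used, such as the "unused.HOSPITALNAME.ca" naming described above.
# All records and the label list below are constructed assumptions.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Labels that tell an outsider the status of an address. Assumed list for
# the example; an organization would tune it to its own naming conventions.
REVEALING_LABELS = {"unused", "spare", "free", "reserved", "test", "temp", "old", "legacy"}

# Constructed sample: (address, hostname) pairs as published in public DNS.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("203.0.113.10", "mail.hospital.example"),
    ("203.0.113.11", "vpn.hospital.example"),
    ("203.0.113.12", "unused.hospital.example"),
    ("203.0.113.13", "unused.hospital.example"),
    ("203.0.113.14", "test-vnc.hospital.example"),
    ("203.0.113.15", "www.hospital.example"),
]
# Constructed sample: addresses the asset inventory says are actually assigned.
SAMPLE_IN_SERVICE: Set[str] = {"203.0.113.10", "203.0.113.11", "203.0.113.15"}


@dataclass(frozen=True)
class Finding:
    address: str
    name: str
    reason: str


def revealing_labels(name: str) -> Set[str]:
    """Labels of `name` (split on dots and hyphens) that match REVEALING_LABELS."""
    parts = re.split(r"[^a-z0-9]+", name.lower())
    return {p for p in parts if p} & REVEALING_LABELS


def audit_records(records: Iterable[Tuple[str, str]], in_service: Set[str]) -> List[Finding]:
    """Return one Finding per problem: a label that discloses status, or a
    public record pointing at an address the inventory does not list as assigned."""
    findings: List[Finding] = []
    for ip, name in records:
        hits = revealing_labels(name)
        if hits:
            findings.append(Finding(ip, name, "label discloses status: " + ",".join(sorted(hits))))
        if ip not in in_service:
            findings.append(Finding(ip, name, "public record for an address not in the inventory"))
    return findings


def leaked_layout_blocks(records: Iterable[Tuple[str, str]], prefix: int = 24) -> List[str]:
    """Networks in which some names carry a revealing label and others do not.
    Labelling the unused addresses tells an outsider the rest are in use."""
    seen: Dict[str, Set[bool]] = {}
    for ip, name in records:
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        seen.setdefault(net, set()).add(bool(revealing_labels(name)))
    return sorted(net for net, flags in seen.items() if flags == {True, False})


if __name__ == "__main__":
    for f in audit_records(SAMPLE_RECORDS, SAMPLE_IN_SERVICE):
        print(f"{f.address:15} {f.name:28} {f.reason}")
    print("blocks whose layout is disclosed:", leaked_layout_blocks(SAMPLE_RECORDS))
```

The remediation the findings point to is the one the report implies: drop public records for addresses that are not assigned, and name the ones that remain in a way that says nothing about their role or status.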
While medical device compromise stories make sensational news, the report says, the probability of them being compromised is low. However, it adds, they could be used for a distributed denial of service (DDoS) attack on an institution — and finding such devices using Shodan was demonstrated to be easy. And, it warns, if the controllers for these devices get compromised with, for example, ransomware, the device will stop working.
The healthcare sector “needs to be more vigilant about ensuring that the devices and systems it connects to the internet are not searchable publicly,” is one of the report’s conclusions.
It was just one of a number of problems at hospitals researchers discovered using Shodan, which can search for Internet-connected devices. These problems included exposed ports, databases, industrial controllers and — perhaps most alarmingly — electronic healthcare systems with patient records.
The researchers didn’t have to break into doctors’ electronic medical records (EMR) or hospitals’ electronic health records (EHR) of patients to see if these databases could be accessed. Shodan has an image search database for browsing screenshots that it has collected. Among the screenshots from EMR/EHR applications with patient information are some from virtual network computing (VNC) servers with authentication disabled, from pharmacy management systems and one from a patient scheduling/appointment system that contained patients’ diagnosis information.
“The silver lining is, over several days of device hunting in Shodan, we only found a handful of these systems online. The vast majority of medical systems/devices are properly protected and inaccessible to the public Internet.”
The report also warns hospitals to be wary about vulnerabilities in their supply chain — suppliers of hardware and software, Internet providers and the like.
Finally, the report does some threat modeling to identify cyber threats to hospitals through six attack vectors (not including insider threats). It determined that medical devices are at high risk of DDoS attacks, information systems are at high risk of DDoS, malware and vulnerability attacks, and hospital operations are vulnerable to spear phishing, DDoS, malware and vulnerability attacks.
The decision to omit insider threats may strike some as odd because hospital staff have been accused and sometimes convicted of criminal offences such as improperly accessing patient data. Better information access controls could stem this problem.
“Hospital networks are typically not set up as separate enterprise versus medical networks with a demilitarized zone (DMZ) in between for communications,” the report concludes. “In the simplest of cases, it may even be set up as a flat network. This opens up the possibility of device/system compromise via lateral movement from the point of entry in the network.”
The report makes a number of recommendations for hospitals including security awareness training for all staff, segmenting medical devices onto their own network, deploying deception technology like honeypots, and installing patch management software.
Young said one of the interesting numbers in the report, to him, was the small number of Digital Imaging and Communications in Medicine (DICOM) servers found exposed on the Internet in Canada (13) compared to the U.S. (438). DICOM is a standard used in transmitting medical image information from digital scanners and X-ray machines. That could speak to the involvement of provincial governments in healthcare here and their cyber security efforts, he said.
The state of IT security in Canadian hospitals isn’t clear because there hasn’t been a lot of research. According to HealthCareCan, which supports health and digital infrastructure and research, 86 per cent of respondents to its 2016-17 survey said that they had detected a breach or narrowly avoided an incident.
Hospitals were put on notice at least as early as 2013 that they are considered part of the country’s critical infrastructure when the Harper government issued the country’s first cyber security strategy. The sector has yet to create a national cyber information sharing body similar to the NH-ISAC (National Health Information Sharing Action Centre) in the U.S. However, in 2016 HealthCareCan and Public Safety Canada set up a steering committee to discuss creating a national health sector network to focus on critical infrastructure issues.
In February HealthCareCan held a closed-door summit with hospitals and regional health authorities to discuss cyber security and privacy issues and how to share best practices. According to Jennifer Zelmer, who was a co-ordinator of the meeting, participants agreed to look into forming a “health community of practice” by next month.