Security within the health care industry continues to get worse.
Health care has endured dozens of breaches in hospitals and insurance offices that put medical and other personal information of patients at risk. More recently, medical facilities have been the target of ransomware attacks that have knocked networks totally offline.
Now, the latest bit of news is the discovery of more than 1,400 security flaws discovered in CareFusion’s Pyxis SupplyStation automated medical equipment. More alarming is that these vulnerabilities are so easy to crack that even an inexperienced hacker can gain access. According to SC Magazine:
Out of the 1,418 remotely exploitable flaws, 715 of those vulnerabilities in ‘automated supply cabinets used to dispense medical supplies’ have a severity rating of high or critical.
Perhaps not surprisingly, the vulnerabilities are found in devices that continue to run outdated operating systems like Windows XP. According to the ThreatPost blog, the researchers who discovered the vulnerabilities said the flaws exist in a software version that hasn’t been updated since 2010. The blog went on to state:
Since CareFusion considers these vulnerable versions end-of-life, it has no plans to patch them, but is offering anyone still running them mitigations to reduce the risk of exploitation. The company is urging users to isolate the systems from the Internet, but if they have to connect them, it’s stressing they loop them through a VPN, monitor the network for any suspicious activity, and close any unused ports.
One of the security researchers who discovered the vulnerabilities, Mike Ahmadi, told ThreatPost that this is yet another incident of relying on third-party software without paying attention to potential security problems. I also think this situation shows that too many companies continue to take the risk of using outdated software rather than spending the money and dealing with the frustrations of upgrading to something new. Microsoft stopped supporting Windows XP two years ago, after all, and in the case of the CareFusion vulnerabilities, we are looking at software beyond XP.
We are reaching a critical point with security within the health care industry, and it appears to get worse, as we’ll see later this week. And I totally agree with what Zeljka Zorz wrote in the Help Net Security blog:
But with more and more researchers concentrating on finding vulnerabilities in medical devices and systems (systems found exposed online, sporting hard-coded passwords, etc.), it’s becoming obvious that cyber attacks can – and inevitably some day will – result in physical harm.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.