Hospitals are patient zero for the Internet of Things infosec epidemic



Great, more low-hanging fruit for nasty scumbags.

So, uh, jackpotting these drug safes. How does one go about it? Just asking so if I ever see one, I can warn people it’s not secure, y’know…


Just retired from ten-odd years of being PACS administrator at a 350 bed hospital. Previously I had been in IT at the same hospital but for (ahem) hysterical raisins it was the dept. of radiology that owned the PACS there, not IT. So I moved over to radiology when I got hired to run the PACS and got very familiar with a lot of, y’know, networked things. Very expensive things.

None of these things could be accessed from the hospital’s wireless network. If you weren’t actually sitting at, say, the console of one of the MRIs, the only other way to get to it was via cat5. (Which is, of course, how all those devices sent their images to the PACS.) That goes for the portable imaging devices also. The techs often rolled their portable chest x-ray machines or ultrasounds or whatnot out into the house to do studies on patients who were too sick to come down to Radiology. When they were done, they had to roll their devices to an available wired network port to transmit their images to PACS. So at any rate wireless access to these things was not a threat.

We had a very good (IMHO) IT crew and a particularly good security engineer (Patrick Darden; if you ever stumble across this, Patrick, hi!) who set up our firewall-DMZ-firewall and built the always-up VPNs to external sites when these were needed. But other than the protection afforded by these I had nothing. None of the imaging devices had any on-board AV or intrusion detection systems or any of that, because none of the vendors ever certified their products as being able to work and play well with such stuff. The ones with Windows-based controller software (all the Si*mens equipment, of which we had lots, from CT scanners on down) didn’t even get Windows updates because the vendor always said “at your own risk, we don’t know if a given update will break your CT or not, and if it does, having us come and reload our software will not be free.” I felt somewhat less worried about the other class of hugely expensive device, the MRI machines. These were all GE and ran on GEMS (for GE Medical Systems) Linux which, if you dug down a bit, turned out to be Redhat 8. But in all cases, if anything bad had got loose on our internal network it would have found million$ and million$ worth of networked THINGS that would have been sitting ducks.

Also, increasingly, the vendors started to pressure us to put their equipment outside our firewall so they could do remote machine diagnostics and service at their convenience instead of having to send field reps to our site to do them. So the machines ended up with IP addresses on the GE or Philips or Siemens corporate network and we had to poke holes in our firewall so that orders for studies could reach the machines from inside (where they were entered into the system) and more holes so the machines could transmit their images back inside where the PACS resided. If anybody’s corporate network had gotten the flu, so would their machine at our site. And if their bug had happened to be DICOM-aware (or even just know how to propagate itself through the DICOM protocol’s registered well-known port, which would of necessity be open) that would have been it for our nice clean internal network.

This did not happen to us while I was in charge. But, as Stephen Jay Gould liked to say, “Time converts the improbable into the inevitable.” I doubt a day went by when I didn’t nervously recall Prof. Gould’s aphorism half a dozen times.

Everything on my own home network has good up-to-date AV and HIDS and frequent manual Malwarebytes scans for a second opinion. Everything Win-based gets MS’s security patches (though I do tell it “notify me before downloading” so I get a chance to read up on the new KB numbers first before installing 'em, which prevented me from ever seeing that nasty Windows 10 nagware thing in my system tray.)

And my home network has nothing wireless on it AT ALL. Everywhere I might want network access I’ve got a wall port with cat5 routed through the crawlspace. I do have a Linksys Wireless-G router and once upon a time I did replace the stock firmware on this with DD-WRT just to see if I could without turning it into a little blue brick. But, that being established, I went right back in and disabled all the wireless shite capabilities. I am absolutely not convinced that I understand wireless security well enough to be certain nobody can park in front of my house, jump on my wireless network, and use it to d/l kiddie porn and email death threats to the President and the FBI and the Secret Service think it’s me.
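The post above describes the real exposure: once modalities sit on a vendor-managed network, the firewall has to pass DICOM traffic in both directions, and anything that can reach the DICOM well-known port from the wrong place gets a path into the clinical network. The usual defensive control is an explicit allow-list of who may talk DICOM to whom, plus a periodic audit of accepted connections against it. The script below is an added example written for this thread, not code from the original poster or from any vendor; the log format, the addresses, and the host roles (PACS, order-entry system, vendor-managed modalities) are constructed assumptions. The two port numbers are the IANA registrations for DICOM (104 and 11112).

```python
"""
Audit firewall ACCEPT records for DICOM associations that fall outside an
explicit allow-list of permitted (source, destination) pairs.

Example code for this thread; the log format and addresses are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# IANA-registered DICOM ports (acr-nema / dicom).
DICOM_PORTS = {104, 11112}

# --- Assumed network roles (constructed for the example) -------------------
PACS_SERVER = ipaddress.ip_address("10.20.0.10")      # internal PACS archive
ORDER_ENTRY = ipaddress.ip_address("10.20.0.15")      # RIS that pushes worklists
VENDOR_MODALITIES = {                                 # devices on vendor address space
    ipaddress.ip_address("198.51.100.21"): "CT-1 (vendor-managed)",
    ipaddress.ip_address("198.51.100.22"): "MR-1 (vendor-managed)",
}

# Assumed log line shape, e.g.:
#   2016-05-01T10:02:11Z ACCEPT proto=tcp src=198.51.100.21:50012 dst=10.20.0.10:104
LOG_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_allowed(src, dst, dport):
    """Return True if this flow is one of the deliberately opened DICOM paths."""
    if dport not in DICOM_PORTS:
        return True  # not DICOM; out of scope for this audit
    if src in VENDOR_MODALITIES and dst == PACS_SERVER:
        return True  # modality sending acquired images inward to PACS
    if src in (ORDER_ENTRY, PACS_SERVER) and dst in VENDOR_MODALITIES:
        return True  # worklist / query traffic going out to a modality
    return False


def audit(lines):
    """Return a Finding for every accepted DICOM flow not on the allow-list."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "ACCEPT":
            continue  # unparseable or already dropped: nothing to audit
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if is_allowed(src, dst, dport):
            continue
        if src in VENDOR_MODALITIES:
            reason = f"{VENDOR_MODALITIES[src]} reached a non-PACS internal host"
        elif dst in VENDOR_MODALITIES:
            reason = f"unexpected source talking DICOM to {VENDOR_MODALITIES[dst]}"
        else:
            reason = "DICOM flow between hosts with no defined role"
        findings.append(Finding(m["ts"], str(src), str(dst), dport, reason))
    return findings


# Constructed sample log: two legitimate flows, two that should be flagged,
# one dropped attempt and one non-DICOM flow that are both ignored.
SAMPLE_LOG = [
    "2016-05-01T10:02:11Z ACCEPT proto=tcp src=198.51.100.21:50012 dst=10.20.0.10:104",
    "2016-05-01T10:02:40Z ACCEPT proto=tcp src=10.20.0.15:41000 dst=198.51.100.21:104",
    "2016-05-01T10:03:05Z ACCEPT proto=tcp src=198.51.100.21:50013 dst=10.20.0.44:104",
    "2016-05-01T10:04:19Z ACCEPT proto=tcp src=203.0.113.9:33333 dst=10.20.0.10:11112",
    "2016-05-01T10:04:20Z DROP proto=tcp src=203.0.113.9:33334 dst=10.20.0.10:104",
    "2016-05-01T10:05:00Z ACCEPT proto=tcp src=10.20.0.50:51000 dst=10.20.0.10:443",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against the constructed log this reports two findings: the modality that opened a DICOM association to an internal host other than the PACS (the lateral-movement path the post worries about), and an unknown address reaching the PACS on 11112. The point of keeping the allow-list as data rather than as firewall rules alone is that the audit catches rules that were widened "temporarily" for a field engineer and never tightened again.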


No OS updates and vendor remote monitoring are the default modus operandi for many (most?) healthcare device manufacturers. A few weeks ago one of the vendors asked us to give internet access for TeamViewer to an unpatched Windows 2000 device computer. I didn’t know if I should cry or laugh.

