Healthcare devices exposed: over 1.2 million medical systems found misconfigured and accessible on the Internet
Cybersecurity company Modat is reporting that over 1.2 million internet-connected healthcare devices and systems worldwide are exposed on the open internet, endangering sensitive patient data.
The study identified exposed systems ranging from MRI and CT scanners to X-ray machines, DICOM viewers, blood test systems, and hospital management systems.
The geographic distribution of exposed healthcare systems is global:
- United States: over 174,000 exposed systems
- South Africa: 172,000+
- Australia: 111,000+
- Brazil: 82,000+
- Germany: 81,000+
- Ireland: 81,000+
- Great Britain: 77,000+
- France: 75,000+
- Sweden: 74,000+
- Japan: 48,000+ exposed devices
The research acknowledges that the data may include honeypots, but honeypots alone cannot explain away the tens of thousands of exposed devices.
The research also detected sensitive medical information accessible through these vulnerable devices:
- Medical imaging data - Brain scans, MRI results, CT scans, X-rays, and detailed diagnostic images
- Protected Health Information (PHI) - Complete patient medical histories and clinical documentation
- Personally Identifiable Information (PII) - Patient names, addresses, contact information
- Laboratory results - Blood test results, diagnostic test outcomes, and biometric data
- Specialized medical data - Eye examination results, dental X-rays, lung MRIs for cancer patients
- Treatment records - Medical procedures, diagnoses, and ongoing care documentation
One example exposed a patient's chest and brain MRI results, complete with names and medical history. Other cases exposed eye exams from opticians, dental X-rays, blood test results, and detailed lung MRIs commonly used to aid patients suffering from lung cancer.
The research identified three key risks:
- Misconfigurations and Insecure Management Settings: Healthcare networks face increasing complexity as new devices and applications are continuously added to existing infrastructure. Many systems were found to lack even basic authentication methods. IT administrators connect devices to the internet for operational efficiency because it just works.
- Default and Weak Password Implementation: Researchers discovered numerous systems using factory-default passwords like "admin," "demo," "secret," "123456," "123456789," and manufacturing credentials readily available online.
- Unpatched Software Vulnerabilities: Many exposed systems were running outdated firmware or software with known security vulnerabilities. The research found that some devices had reached end-of-life status, so security patches are no longer available even when vulnerabilities are discovered.
Modat engaged in responsible disclosure by reaching out to international partners, including Health-ISAC (Health Information Sharing and Analysis Center) and the Dutch CERT Z-CERT, to initiate the process of notifying affected organizations and assisting them in fixing these security breaches.
It's not clear how many of these devices have already been accessed or compromised by malicious actors.