Experts have found that many hospital networks are insecure and running outdated software

Jun 27, 2014 08:32 GMT

Everybody knows that running old software isn't the best way to protect your computer and data, but you would expect large organizations, such as hospitals and governments, not only to rush to patch every security flaw in their software, but also to deploy additional technologies to keep themselves on the safe side.

That's not happening with hospital networks, two researchers have found, as many are running platforms vulnerable to exploits which can be used to launch targeted attacks and access patient data.

A story published in Wired and citing the findings of security researcher Scott Erven, who also works as head of information security for Essentia Health, reveals that hackers could easily break into all these computers if they found unpatched vulnerabilities still alive in old software.

Erven found at least one large health care organization, whose name hasn't been disclosed for obvious reasons, that was mistakenly leaking details of approximately 68,000 systems accessing its network, all due to security issues. Weak security protection and unsupported operating systems, including Windows XP (which was apparently still powering many of these computers), are cited as the main causes of data breaches.

In case you're wondering what could happen if a hacker breaks into such systems, we're pretty sure that you won't see this coming. While in most cases cybercriminals would be able to access patient data and maybe some financial details, which by the way isn't at all a thing to be ignored, this time the situation is a lot more dangerous.

According to the same researchers, hackers could infect systems that play a key role in keeping patients alive, such as the ones controlling pacemakers. This way, they could change the default settings of the systems and thus adjust the power used to administer test shocks to patients.

What's more, some computers are configured to automatically administer shocks in case the monitored patients need it, and we all know what could happen if someone changes these settings.

“Now we know all the targeted info and we know that systems that are publicly connected to the internet are vulnerable to the exploit. We can exploit them with no user interaction… [then] pivot directly at the medical devices that you want to attack,” the security researcher explained.

“It goes to show that health care [organizations are] very sloppy in configuring their external edge networks and are not really taking security seriously,” Erven added. “We started running organization searches to identify hospitals, clinics, and other medical facilities and we quickly realized this is a global health care organization issue. This is thousands of organizations [that are leaking this information] across the world.”

It's still unclear whether IT administrators in charge of these systems are aware of what could happen in case someone breaks into their computers, but there's no doubt that this is one of the reasons Microsoft pushed so many organizations to upgrade to a different operating system capable of providing superior security to everyone.

25 percent of the world's desktop computers are still running Windows XP, which has not received updates and security patches since April 8, so the risks of getting hacked are obviously increasing every day.

And still, while data leakage is definitely a thing that nobody wants, there's absolutely no doubt that an unauthorized change of settings of a computer keeping somebody alive goes beyond everyone's imagination.