Researchers have recently discovered that some of the devices used by major healthcare providers are still running outdated and legacy software. This serious security loophole can be easily exploited by hackers to move laterally across the target network.
What is the issue - In a detailed analysis, researchers at Check Point pointed out the risk associated with a vulnerable ultrasound machine. During their investigation, the researchers found that some of these machines were running on legacy software like Windows 2000, which has not been supported with security patches since July 2010.
This allowed the researchers to hack the machines and retrieve or alter records stored on them. They could also access patient images, alter the information displayed and infect the machines with ransomware.
“Due to old and well-known security gaps in Windows 2000, it was not difficult for our team to exploit one of these vulnerabilities and gain access to the machine’s entire database of patient ultrasound images,” wrote the Check Point researchers.
Why it matters - Once cybercriminals gain access to patients’ records, they can use them for various nefarious activities. They can use the stolen health records to obtain pricey medical services and prescription medications, and to gain access to government health benefits.
Worse still, hackers can sell these records on infamous dark web forums for reuse and identity theft. This information can fetch as much as $60 per record on the dark web.
Why healthcare is a favorite target - Given the trove of personal information that hospitals and other health organizations hold, the sector continues to be a favorite target for cybercriminals.
“Although there are many articles describing the personal danger of cyber attacks to patients, the financial damage is far more realistic and is what lies at the heart of cyber attacks on the healthcare industry,” researchers explained.
Apart from the loss of valuable data, a cyber attack on healthcare institutions can also lead to the alteration of a patient’s medical information and the hacking of MRI, ultrasound and X-ray machines.