Thousands of vulnerable medical systems posted online

Thousands of critical medical systems such as MRI machines, completely out in the open and vulnerable to a hacker's attack, have been exposed online, the media reported on Tuesday.

According to a report by The Register, more than 68,000 medical systems from a "very large” unnamed US organisation have been exposed. That institution has some 12,000 staff and 3,000 physicians, it says in the report.

“Exposed were 21 anaesthesia, 488 cardiology, 67 nuclear medical, and 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications gear.”

This was all made possible through Shodan, a search engine for things on the public internet.

Security researchers Scott Erven and Mark Collao found the machines by using the Shodan service to target medical institutions.

"Once we start changing [Shodan search terms] to target speciality clinics like radiology or podiatry or paediatrics, we ended up with thousands with misconfiguration and direct attack vectors," Erven said.

"Not only could your data get stolen but there are profound impacts to patient privacy."

Collao said that the vulnerabilities could be used to steal patient data and build up detailed intelligence on healthcare organisations, including the floors in which certain medical devices are housed.

"You can easily craft an email and send it to the guy who has access to that [medical] device with a payload that will run on the (medical) machine," Collao said.

"[Medical devices] are all running Windows XP or XP service pack two … and probably don't have antivirus because they are critical systems."