Security researchers made an alarming finding when they recently investigated a “large, unnamed US health group”, concluding that at least 68,000 medical systems — like MRI scanners and infusion systems — are accessible online for hackers to attack.
The major health organization, which will remain anonymous, was thoroughly explored and exposed by researchers Scott Erven and Mark Collao after they were able to access the interfaces of thousands of medical systems using the search engine Shodan.
Not only were they able to identify internet-connected devices, but the two also explained at the hacking conference DerbyCon that they were able to locate where devices were within a particular building.
Essentially, a hacker could go in and easily steal device data and, more importantly, patient data directly from the vulnerable machines.
Collao explained to The Register, “[medical devices] are all running Windows XP or XP service pack two … and probably don’t have antivirus because they are critical systems.”