Researchers find security holes in Philips health info management system


In yet another example of the risks that accompany the increased use of digital healthcare information, security vulnerabilities in Philips' Xper Information Management system were demonstrated at last week's SCADA Security Scientific Symposium in Miami.

Terry McCorkle and Billy Rios, Cylance researchers who previously found 98 easily exploitable vulnerabilities in SCADA products, according to an eSecurity Planet article, demonstrated the flaws at the symposium. They said they were able to break into the Philips medical information management system with little effort: a simple "fuzzer" (an automated software-testing tool that feeds malformed input to a program) was used to gain privileged user status on the Xper system, whose remote authentication was already weak, Dark Reading reported.

"Anything on it or what's connected to it was owned, too," Rios said at the conference, according to Dark Reading. He pointed out those vendors that develop electronic medical record and industrial control systems (ICS) products--including Siemens, Philips, Honeywell and GE--don't change their habits when it comes to security. "The mentality we see and the attitudes are exactly the same," he said.

According to SC Magazine, the "unpatched flaws within the Philips Xper systems" enabled McCorkle and Rios to, within two hours, gain remote root access.

"It was a very basic fuzz case," McCorkle said. "This [machine] manages other medical devices, and you can do anything you want to it once you're in. We were surprised how fast the [U.S. Food and Drug Administration] got involved."

With increased use of technology for healthcare purposes comes a corresponding responsibility to secure it, and data threats have remained prevalent in the beginning of 2013. Hackers, social media gaffes and malware all remain threats to the personal healthcare information of thousands of people.

In September 2012, the Government Accountability Office (GAO) reported that the Food and Drug Administration needed to pay more attention, in particular, to the information security risks of implantable electronic medical devices such as heart defibrillators and insulin pumps, including the threat of hacking and sabotage. GAO auditors noted that the FDA's current system for post-market adverse event reporting relies heavily on self-reporting from manufacturers, a method that, as Rios and McCorkle's findings illustrate, can leave many security flaws unreported.

To learn more:
- check out the eSecurity Planet post
- read the Dark Reading article
- read the SC Magazine article

