New threat intelligence research by Cynerio has revealed that certain passwords are repeatedly used across hospitals in different health systems, in every clinical setting, and across all departments and device types. The repeated use of identical passwords led to the discovery of numerous undocumented default passwords that provide a backdoor into clinical networks and threaten the integrity of healthcare infrastructures.
Devices with default passwords can be anything from simple HTTP server interfaces to the management ports of critical medical devices. To make things trickier, many default passwords aren’t easy to identify: they’re not published in device manuals or Common Vulnerabilities and Exposures (CVEs).
Default passwords are usually built into medical devices by manufacturers using generic IT protocols like FTP and HTTP. These generic IT protocols are required for standard (and necessary) device maintenance (OS updates, patches, etc.). Unfortunately, hospital IT and Biomed personnel are often unaware of when vendors communicate with devices to conduct maintenance and other services.
Default passwords leave essential IoMT devices wide open to attack. Although some of them are hardcoded, many can be updated by hospital IT and Biomed/CE personnel but remain unchanged due to concerns over affecting the warranty and interoperability of essential medical devices.
Many of these devices are mission critical in clinical environments and have a significant impact on patient care, from diagnosis to treatment (e.g. hemodialysis devices, CT scanners, fluoroscopy and MRI machines). If a default password allows entry to even one of these devices, the entire clinical workflow can be compromised.
To add insult to injury, default passwords are often reused across devices, and any party—authorized or unauthorized—who gains access to one also gains access to every device using it and to the data those devices store. Malicious players with access to IoMT devices may even gain control over the devices’ functionality, posing a direct threat to patient welfare.
The fact that medical devices are built with default passwords is an inherent risk to clinical networks. Even the vendors who built the default passwords into the device for maintenance purposes pose a threat because they connect to devices without notifying IT or Biomed teams. If a device happens to be in use at the time, the maintenance procedure can slow down or shut down the device, disrupting patient care.
This lack of visibility into vendor and IoMT communications makes devices easy to exploit and provides unhindered access to the device that can:
Even if your clinical network is secured, unidentified and “hidden” default passwords constitute a path of least resistance and give unauthorized parties an easy way in. But the risk can be mitigated.
The first step to securing your network is identifying devices using default passwords. If the passwords are in active use, automated IoMT security tools can easily identify them by:
Some passwords are not actively used by existing network communications and can’t be detected with passive network solutions. These passwords pose a greater risk because they’re harder to find and, if known by attackers, may be specifically targeted for exploitation.
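The passive approach described above, as an added example that is not Cynerio's code: it reads constructed FTP and HTTP Basic authentication events from a hypothetical passive sensor and reports credentials that appear on more than one device, the reuse pattern that exposed the undocumented defaults. The event format, addresses and credentials are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample events (device IP, protocol, observed line); all values are made up.
SAMPLE_EVENTS = [
    ("10.20.1.11", "ftp", "USER service"),
    ("10.20.1.11", "ftp", "PASS example-pw-A"),
    ("10.20.3.7", "http", "Authorization: Basic " + base64.b64encode(b"service:example-pw-A").decode()),
    ("10.20.5.40", "ftp", "USER service"),
    ("10.20.5.40", "ftp", "PASS example-pw-A"),
    ("10.20.9.2", "ftp", "USER biomed"),
    ("10.20.9.2", "ftp", "PASS example-pw-B"),
    ("10.20.9.3", "http", "Authorization: Basic not-base64!"),
]
_KEY = secrets.token_bytes(32)  # per-run key, so fingerprints cannot be brute-forced offline


def fingerprint(user, password):
    # Keyed hash: the report never stores the cleartext credential.
    return hmac.new(_KEY, f"{user}:{password}".encode(), hashlib.sha256).hexdigest()[:16]


def extract_credentials(events):
    """Yield (device, user, password) from FTP USER/PASS pairs and HTTP Basic headers."""
    pending_user = {}  # device -> last FTP USER seen, awaiting its PASS
    for device, proto, line in events:
        verb, _, arg = line.partition(" ")
        if proto == "ftp" and verb.upper() == "USER":
            pending_user[device] = arg
        elif proto == "ftp" and verb.upper() == "PASS" and device in pending_user:
            yield device, pending_user.pop(device), arg
        elif proto == "http" and line.lower().startswith("authorization: basic "):
            try:
                decoded = base64.b64decode(line.split(" ", 2)[2], validate=True).decode()
            except ValueError:
                continue  # malformed header: skip rather than guess
            user, sep, password = decoded.partition(":")
            if sep:
                yield device, user, password


def reused_credentials(events, min_devices=2):
    """Map credential fingerprint -> sorted devices, for credentials seen on several devices."""
    seen = defaultdict(set)
    for device, user, password in extract_credentials(events):
        seen[fingerprint(user, password)].add(device)
    return {fp: sorted(devs) for fp, devs in seen.items() if len(devs) >= min_devices}
```

A credential that never crosses the wire produces no event here, which is the limit of passive detection noted above.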
The best way to discover inactive passwords is to use an active scanner on your network. However, hospital security teams should be aware that actively scanning medical devices is inherently risky as it can affect device functionality and interfere with patient treatment. If you choose to actively scan your clinical network, it is important to use a medical-first security solution that considers device downtimes and maintenance schedules so as not to obstruct patient care.
Some passwords are hardcoded and can’t be changed. Other mission-critical devices depend on default passwords for communications, and many of these can only be updated by the vendor, as per warranty and service support requirements. These obstacles make it difficult for hospitals to mitigate the threat of default passwords, but network segmentation can mitigate the risk and secure your clinical network without needing to rely on password updates.
The right automated IoMT security tool can provide hospitals with a suite of information and compensating controls to help significantly minimize the clinical network’s attack surface and reduce overall risk with:
To learn more about how to secure your clinical ecosystem against default passwords and stay ahead of vulnerabilities new and old, contact Cynerio.
Cynerio is the world's premier medical-first IoT cybersecurity solution. We view cybersecurity as a standard part of patient care and provide healthcare delivery organizations with the insight and tools they need to secure clinical ecosystems and achieve long-term, scalable threat remediation without disrupting operations or the delivery of care.