Today at the 2024 Health-ISAC Fall Americas Summit, Censys shared findings on cybersecurity risks affecting over 500,000 internet-facing assets in over a dozen healthcare organizations across the United States. This research underscores the pressing need for robust cybersecurity resources in an industry that navigates vast amounts of sensitive personal and medical data.
Examination of Critical Healthcare Infrastructure
In November 2024, Censys conducted an in-depth review of a dozen healthcare organizations nationwide. This analysis sheds light on systemic vulnerabilities in the healthcare sector, which has increasingly adopted digital tools such as telemedicine, mobile apps, patient portals, and big data analytics to enhance care delivery and operational efficiency.
“Over the past decade, we’ve witnessed a surge in the digitalization of healthcare systems to meet evolving patient and infrastructure needs,” said Himaja Motheram, Security Researcher at Censys. “This has increased the complexity of healthcare security, introducing a wide range of data integration systems and third-party software that can be targeted by ransomware operators.”
Cyber Hygiene Gaps
The study found a number of critical gaps in cyber hygiene, including outdated software, weak encryption, and misconfigurations, which collectively increase the impact of cyberattacks.
The research identified misconfigured web services as the most pervasive issue across the sector. Expired, misconfigured, or missing security certificates and protocols—critical for safeguarding patient data—were prevalent. Additionally, many organizations hosted environments running end-of-life software, indicating poor asset inventory practices and significantly expanding their attack surface.
“The most endemic problem across the healthcare landscape is a lack of cyber hygiene in configuring exposed web services. The most concerning trends involve improper use of certificates, protocols, and content policies that should be used in conjunction to protect patient data, but are either expired, misconfigured, or missing altogether,” said Michael Schwartz, Director of Research and Threat Analysis at Censys. “Further complicating the matter are the number of apparent online staging environments running end-of-life software that may have been forgotten; this usually indicates an overall asset inventory problem and unnecessarily increases an organization’s attack surface. Critical and known exploited vulnerabilities are also present across the industry and again, may point to inventory management issues. Security misconfigurations, missing security policies, unpatched vulnerabilities, and end-of-life software are all targets for exploitation and are a recipe for unauthorized access to healthcare data and platforms.”
Within these findings, Censys saw:
Exposed Services:
Censys identified over 15 instances of exposed services, including RDP, TELNET, SMB, and SNMP, that could be at risk. These services are often targeted by attackers for different purposes—gaining unauthorized remote access (RDP, TELNET, SMB) or doing network reconnaissance (SNMP). The exposure of such services increases the attack surface of healthcare organizations.
Software Vulnerabilities:
Significant risks were identified in specific software systems, including known vulnerabilities in Ivanti Connect, Jenkins, Exim, and OpenSSH products. Notably, there were over a dozen instances of the critical Jenkins vulnerability CVE-2024-23897, a serious risk that is currently tagged in CISA’s Known Exploited Vulnerabilities (KEV) catalog. Additionally, one organization had nearly 50 instances of Ivanti Connect Secure exposed, a product with an extended history of critical CVEs including CVE-2024-21894, CVE-2024-22052, CVE-2024-22053, and CVE-2024-22023.
“In the last year, we’ve seen a number of edge devices in particular targeted by threat actors,” said Schwartz, referring to the number of critical vulnerabilities affecting some of the top firewall and VPN vendors.
MOVEit Exposures:
Last year’s MOVEit MFT vulnerabilities were widely exploited by ransomware groups, namely the CL0P Ransomware group. Censys monitored these exposures over the past year and found that 30% of the sample healthcare organizations still collectively have 24 exposed MOVEit instances. Given the scale of the exploitation campaign, even systems not directly vulnerable should not be exposed. That these instances remain reachable suggests that the assets may be unknown or unmonitored by their respective organizations.
Revoked Certificates:
While the presence of over 800 expired certificates is concerning, Censys also detected 30 revoked certificates across different systems. Revoked certificates represent a more significant and urgent risk, as they are certificates that were marked untrustworthy before their scheduled expiration, often due to a compromise or vulnerability. If not properly managed, these can leave systems exposed to unauthorized access, and could signal larger issues with certificate and access management.
Issues such as weak TLS cipher selection, missing security headers, and inadequate authentication mechanisms were also prevalent. Additionally, several login pages and POP3 email services were found unencrypted, leaving sensitive data vulnerable to interception.
Medical Devices and Systems at Risk
The study revealed that healthcare organizations collectively exposed over 100 medical devices and systems to the public internet. These included EPIC EMR systems, NextGen Healthcare Mirth Connect, ResolutionMD PACS, and XERO Viewer medical imaging software. Alarmingly, a single vendor accounted for 90% of these exposures, raising concerns about supply chain risks in healthcare.
In previous research this year, Censys identified 14,004 unique IP addresses exposing healthcare devices and data systems connected to potentially sensitive medical information on the public internet.
“These exposures highlight the need for healthcare organizations to closely monitor their internet-connected medical devices and systems and consider securing them further with firewalls, network segmentation, and MFA,” said Motheram.
Information Sharing
Censys presented this research to organizations at the 2024 Health-ISAC Fall Americas Summit today, encouraging the industry to review gaps in asset inventory, security configurations, and incident response planning. By adopting proactive and comprehensive cybersecurity strategies, we can better protect patient data and operations in an increasingly digitized and targeted landscape.