A malicious attack by malware or spear phishing on valuable data assets like PHI (protected health information) exploits known vulnerabilities and one of the most common vulnerabilities in medical devices and healthcare IT systems is default passwords.
“Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting a wide variety of medical devices. According to the report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware. ICS-CERT has been working closely with the Food and Drug Administration (FDA) on these issues. ICS-CERT and the FDA have notified the affected vendors of the report and have asked the vendors to confirm the vulnerability and identify specific mitigations.” See http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01
And nothing beats hard coded / default passwords in medical devices as a vulnerability for PHI data leakage exploits, whether its an attack by malware, attack by retrieving sensitive data from stolen devices or a software defect that enables an attacker to obtain unauthorized access and transfer sensitive data from the internal network.
The World’s Leaking Data Infographic created by LifeLock.com