The data, which in some cases enumerates every computer and device on a hospital's internal network, would allow hackers to easily locate and map systems to conduct targeted attacks.
In at least one case, a large health care organization was spilling info about 68,000 systems connected to its network. At this and every other facility that was leaking data, the problem was an internet-connected computer that was not configured securely. Quite often, the researchers found, these systems also were using unpatched versions of Windows XP still vulnerable to an exploit used by the Conficker worm six years ago.
"Now we know all the targeted info and we know that systems that are publicly connected to the internet are vulnerable to the exploit," says Scott Erven, one of the researchers, who plans to discuss their findings today at the Shakacon conference in Hawaii. "We can exploit them with no user interaction… [then] pivot directly at the medical devices that you want to attack."