Researchers Find Widespread Hacking Vulnerabilities in Medical Devices

The cybersecurity vulnerabilities risk patient safety and privacy.

Two security researchers are warning hospitals and the public that thousands of medical devices are vulnerable to hacking.

Researchers Scott Erven and Mark Collao said machines used in healthcare facilities, including MRI scanners, x-ray machines and drug infusion pumps, are at risk of being hacked, creating safety and privacy concerns, according to

The researchers gave their presentation at the DerbyCon security conference on September 26. To gather their information they searched for internet-connected devices using Shodan and studied documentation on setting up the machines, focusing on devices from GE Healthcare.

The vulnerabilities come from the rising number of medical devices connected to the internet and their lack of encryption. Collao and Erven said some devices are designed to be accessed through the internet, while in others that accessibility is a design error.

The lack of security surrounding these devices is in some cases a result of insufficient security practices by manufacturers, who sometimes encourage hospitals not to change default usernames and passwords so they can more easily provide support for the devices.

Erven and Collao were also able to access information from medical devices that weren’t online by entering the machines’ network.

Campus Safety had previously reported that researcher Bill Rios found hacking vulnerabilities in Hospira’s drug infusion pumps. The FDA later issued a statement acknowledging the issues in one model of the pumps and urging hospitals not to use them.

Erven and Collao’s full presentation is shown below.
