Two security researchers are warning hospitals and the public that thousands of medical devices are vulnerable to hacking.
Researchers Scott Erven and Mark Collao said machines used in healthcare facilities, including MRI scanners, x-ray machines and drug infusion pumps, are at risk of being hacked, creating safety and privacy concerns, according to pcworld.com.
The researchers gave their presentation at the DerbyCon security conference on September 26. To gather their information they searched for internet-connected devices using Shodan and studied documentation on setting up the machines, focusing on devices from GE Healthcare.
The vulnerabilities come from the rising number of medical devices connected to the internet and their lack of encryption. Collao and Erven said some devices are designed to be accessed through the internet, while in others that accessibility is the result of a design error.
The lack of security surrounding these devices is in some cases a result of insufficient security practices by manufacturers, who sometimes encourage hospitals not to change default usernames and passwords so they can more easily provide support for the devices.
Erven and Collao were also able to access information from medical devices that weren’t online by entering the machines’ network.
Campus Safety had previously reported that researcher Bill Rios found hacking vulnerabilities in Hospira’s drug infusion pumps. The FDA later issued a statement acknowledging the issues in one model of the pumps and urging hospitals not to use them.
Erven and Collao’s full presentation is shown below.