Study Reveals Security Holes in Hospital Equipment

Two-year study revealed how easy it is for individuals to hack medical equipment at hospitals.

A two-year study at Essentia Health facilities revealed that it is easy for individuals to hack medical equipment at the hospitals.

Essentia Health operates roughly 100 facilities, including clinics, hospitals and pharmacies in Minnesota, North Dakota, Wisconsin and Idaho. In 2012, the healthcare network commissioned Scott Erven, head of information security for Essentia Health, to look for security problems, reports.

Erven found that drug infusion pumps can be remotely manipulated to change the dosage given to patients, and that Bluetooth-enabled defibrillators can be controlled to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring.

Storage systems for X-rays, CT scans, refrigerators storing blood and digital medical records are also vulnerable to attack. Common security holes affecting most devices included:

  • lack of authentication to access or manipulate the equipment
  • weak passwords or default and hardcoded vendor passwords like “admin” or “1234”
  • embedded Web servers and administrative interfaces that make it easy to identify and manipulate devices once an attacker finds them on a network

Erven and his team discovered that many of the devices are connected to internal networks that are accessible via the Internet. That exposure gives hackers the opportunity to gain access to devices by infecting an employee’s computer via a phishing attack and then exploring the internal network to find vulnerable systems. A hacker who is physically in the hospital can plug a laptop into the network and attack susceptible systems.

Additionally, Erven notes that an attacker can collect data passing from medical devices to patient records, then replay it so that the same data gets passed into other records.

Part of the problem is that medical equipment has only been regulated for reliability, effectiveness and safety – not security. Erven notes that vendors who sell to hospitals must do more to secure the devices with encryption and authentication before selling them to customers. He also urges vendors to fix the ones that are currently in the field.
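The replay problem Erven describes, and the authentication he asks vendors to add, can be illustrated with a short sketch. This is an added example, not code from the study or from any vendor: the device IDs, record IDs, message layout and pre-shared per-device key are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

class RejectedReading(Exception):
    """Raised when a message fails authentication, binding or freshness checks."""

def _canonical(body: dict) -> bytes:
    # Stable byte encoding so device and receiver MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def seal(key: bytes, device_id: str, record_id: str, counter: int, reading: dict) -> dict:
    """Device side: bind a reading to one device, one patient record and one counter value."""
    body = {"device": device_id, "record": record_id, "ctr": counter, "reading": reading}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Receiver:
    """Records system side: accepts a reading only if it is authentic, meant for this record, and new."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # hypothetical provisioning: device_id -> key
        self.last_ctr = {}               # highest counter accepted per device

    def accept(self, msg: dict, target_record: str) -> dict:
        body = msg.get("body", {})
        key = self.device_keys.get(body.get("device"))
        if key is None:
            raise RejectedReading("unknown device")
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(msg.get("tag", "")).encode()):
            raise RejectedReading("bad authentication tag")
        if body["record"] != target_record:
            raise RejectedReading("reading is bound to a different record")
        if body["ctr"] <= self.last_ctr.get(body["device"], -1):
            raise RejectedReading("replayed or stale counter")
        self.last_ctr[body["device"]] = body["ctr"]
        return body["reading"]

if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use"   # constructed sample key
    rx = Receiver({"pump-01": key})
    msg = seal(key, "pump-01", "patient-A", 1, {"rate_ml_h": 5})
    print(rx.accept(msg, "patient-A"))          # first delivery is accepted
    for target in ("patient-A", "patient-B"):   # same bytes sent again
        try:
            rx.accept(msg, target)
        except RejectedReading as err:
            print(target, "->", err)
```

Because the patient record ID and a per-device counter are covered by the MAC, a captured message cannot be delivered a second time, redirected into another record, or edited to name a different record without the tag check failing.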

