Study Reveals Security Holes in Hospital Equipment

Two-year study revealed how easy it is for individuals to hack medical equipment at hospitals.
Published: May 2, 2014

A two-year study at Essentia Health facilities revealed that it is easy for individuals to hack medical equipment at the hospitals.

Essentia Health operates roughly 100 facilities, including clinics, hospitals and pharmacies in Minnesota, North Dakota, Wisconsin and Idaho. The healthcare network commissioned Scott Erven, head of information security for Essentia Health in 2012 to look for security problems, Wired.com reports.

Erven found that drug infusion pumps, can be remotely manipulated to change to dosage given to patients and saw that blue-tooth enabled defibrillators can be controlled to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring.

Storage systems for X-rays, CT scans, refrigerators storing blood and digital medical records are also vulnerable for attack. Common security holes affecting most devices included:

——Article Continues Below——

Get the latest industry news and research delivered directly to your inbox.
  • lack of authentication to access or manipulate the equipment
  • weak passwords or default and hardcoded vendor passwords like “admin” or “1234”
  • embedded Web servers and administrative interfaces that make it easy to identify and manipulate devices once an attacker finds them on them on a network

Erven and his team discovered that many of the devices are connected to internal networks that are accessible via the Internet. The use of the Internet gives hackers the opportunity to gain access to devices by infecting an employee’s computer via a phishing attack, and then explore the internal network to find vulnerable systems. If the hacker happens to be in the hospital, he/she can plug in his/her laptop into the network and attack susceptible systems.

Additionally, Erven notes that an attacker can collect data passing from medical devices to patient records, then replay it so that the same data gets passed into other records.

Part of the problem is that medical equipment has only been regulated for reliability, effectiveness and safety – not security. Erven notes that vendors who sell to hospitals must do more to secure the devices with encryption and authentication before selling them to customers. He also urges vendors to fix the ones that are currently in the field.

 

Posted in: News

ADVERTISEMENT
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series