Healthcare News & Insights

Newest cyber security threat — your current medical equipment

Cyber threats to your hospital may not just be from computers. New research shows that most of your medical devices could be vulnerable to hackers. 

The two-year study, which investigated how vulnerable medical devices are to cyber threats, uncovered some chilling results, according to a recent article by Wired which features Scott Erven, the head of information security at a midwestern health system.

Totally exposed

In the wake of the Heartbleed vulnerability exposing hospital computer systems to hackers, Erven’s findings reveal that a lot of medical equipment is vulnerable to cyber threats. And regardless of brand, his research shows many devices have several security holes in common, allowing them to be hacked and manipulated.

For example, drug infusion pumps and Bluetooth-enabled defibrillators could be made to malfunction, CT scanner configurations and radiation exposure could be remotely altered, and data in electronic health records (EHR) could be altered through other hospital equipment.

What’s particularly frightening is that many of these attacks wouldn’t require a ton of effort from hackers.

Although the devices may not have internet access, they’re still connected to a hospital’s internal network, which could be accessed from an employee’s computer. A hacker could compromise a computer with a phishing attack or through other exposures, like the Heartbleed vulnerability, and comb internal networks for vulnerable devices. An on-site hacker might have an even easier time — they could just plug a laptop into a hospital network and have a field day stealing data or causing equipment to malfunction.

As Erven’s team found, many devices have embedded web services, which let devices digitally communicate with each other and send data directly into an electronic health record (EHR) system. According to Erven, “A lot of the web services allow unauthenticated or unencrypted communication between the devices, so we’re able to alter the information that gets fed into the medical record,” which could cause physicians to misdiagnose patients, prescribe the wrong medications or provide other unneeded or harmful treatments.

Other issues Erven found were related to a lack of authentication to access or use equipment and weak or default passwords hardcoded into devices. Having authentication, stronger passwords for device access or better encryption in place could help protect devices from outside access, which in turn could prevent further data breaches.

Put pressure on vendors

As Erven notes, many of these security threats are just now coming to light, since medical equipment isn’t usually tested for security before hitting the market. Currently, regulations only cover equipment reliability, effectiveness and safety — not security.

Beyond finding security risks in medical equipment, facilities may have a hard time securing devices on their own. However, they can put pressure on their vendors to address security issues, like adding encryption and authentication.

Some vendors claim that they can only do so much to secure systems. For example, vendors might say they can’t change hardcoded device passwords without sending the device to the FDA for approval. However, Erven explains that the FDA medical equipment guidelines include a cyber security clause that allows devices to be patched or reconfigured without FDA recertification.

Hospitals can also look for ways to secure their internal networks from outside threats by utilizing encryption for hospital computers or mobile devices. It may also be worthwhile to have strong policies on device use and protected health information sharing to guard against potential hackers.
