With the latest breach of the Heart Bleed Virus, many people are concerned their personal information may be at risk. Most people are making sure they are changing their passwords and checking websites for a possible information infringement. However, has anyone ever considered the possibility of hospital equipment being at risk? According to a recent article by Kim Zetter, “It’s Insanely Easy To Hack Hospital Equipment”, computers aren’t the only risk when checking for a security breach. In the article, Scott Erven, head of information security for Essentia Health, roamed around all the medical equipment used at a Midwest health facility.
Erven and his team discovered “drug infusion pumps–for delivering morphine drips, chemotherapy and antibiotics–that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.”
Zetter even mentioned that in some cases, Erven’s team found the possibility of “blue-screening” devices and restarting or rebooting them to wipe out settings and allow any potential hacker to take down critical equipment in an emergency or crash all test equipment in a lab to factory settings. Erven stated “many hospitals are unaware of the high risk associated with these devices.” The proof is undeniable; hospitals need to step up and invest in security on hospital equipment just like they would for any other device with confidential information. People need to realize that a lot of medical equipment is considered a type of computer. For example having a strong password set on a defibrillator or medical monitor is just as important as having one on a computer.
Erven and his team found that infusion pumps, ICDs (implantable cardiovascular defibrillators) and CT scans were the worst problems in the hospital. His team found “a number of infusion pumps that have a web administration interface for nurses to change drug dosage levels from their workstations. Some of the systems are not password-protected, while others have hardcoded passwords that are weak and universal to all customers. With the CT scan, they could alter configuration files and change radiation exposure limits that set the amount of radiation patients receive. Though targeted attacks would be difficult to pull off in most cases they examined, since hackers would need to have additional knowledge about the systems and the patients hooked up to them, Erven says random attacks causing collateral damage would be fairly easy to pull off.”
As for the implantable defibrillators, Erven explained that they found a couple of defibrillator vendors which used Bluetooth for writing configurations and doing test shocks when implanted or after surgery with default or weak passwords which were so simple one could simply guess and get connected to the device. According to the article, "Last spring, the FDA and DHS issued a notice to the health care industry about problems with hard-coded passwords in medical devices after two researchers found them in about 300 medical devices, including ventilators, pumps, defibrillators and surgical and anesthesia devices." Medical facilities aren’t aware that almost anything is hackable these days, which is why when it comes to security, you can never be too safe.
For more information regarding this subject please view this website to read a more in-depth look at hospital equipment vulnerability:
Zetter, Kim. "It’s Insanely Easy to Hack Hospital Equipment | Threat Level | WIRED." Wired.com. Conde Nast Digital, 23 Apr. 0014. Web. 25 Apr. 2014.