Researchers Fear Thousands of Medical Devices Vulnerable to Cyberattack

POSTED OCTOBER 6, 2015

A special to USLAW NETWORK and USLAW DigiKnow

By Karen Painter Randall, Connell Foley LLP, Roseland, New Jersey

Recently, security researchers advised that thousands of medical devices, including MRI scanners, x-ray machines and drug infusion pumps, are vulnerable to hacking, creating significant health risks for patients. The risks arise, in part, because medical equipment is increasingly connected to the Internet so that data can be fed into electronic patient records. Besides the privacy concerns, there are also safety implications if hackers can alter a patient’s medical records and treatment plans.

During the study, researchers located medical devices by searching for terms like “radiology” and “podiatry” in Shodan, a search engine for finding Internet-connected devices. Some systems were connected to the Internet by design, others due to configuration errors. Once the medical devices were located, it was revealed that many of them were still using the default logins and passwords provided by manufacturers. The researchers then studied public documentation intended to be used to set up the equipment and found some alarmingly lax security practices. In particular, the same default passwords were used repeatedly for different models of a device, and, in some cases, a manufacturer warned customers that if they changed default passwords they might not be eligible for support. This was apparently because support teams needed the passwords to service the systems.

With regard to drug infusion pumps for delivering morphine drips, chemotherapy and antibiotics, researchers found that these devices could be remotely manipulated to change the dosage doled out to patients. In particular, they found a number of infusion pumps have a web administration interface for nurses to change drug dosage levels from their workstations. Some of the systems were not password-protected. Others had hard-coded passwords, but they were weak and universal to all customers. Some other issues discovered included: Bluetooth-enabled defibrillators that could be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; x-rays that could be accessed by outsiders lurking on a hospital’s network; and temperature settings on refrigerators storing blood and drugs that could be reset causing spoilage.

The researchers were also able to access the network of one unnamed health provider and found detailed information about more than 68,000 devices, including host names, a description of what the equipment does, its physical location in the hospital and the physicians assigned to it. Thus, it was concluded that a hacker could easily use that information to craft a phishing attack — a targeted email that lures someone into opening a malicious attachment.

The healthcare industry is now starting to take steps to address these security issues. While the FDA has regulations for medical equipment related to reliability, effectiveness and safety, there are no such standards for security. Ultimately, the onus is on the healthcare manufacturers and providers to implement stronger passwords, monitoring, etc. to prevent a cyber breach that could potentially put both the safety and welfare of patients at risk.
