Security exec: Hospitals too lax about med device vulnerabilities

Hospital equipment is ridiculously easy to hack into, and the industry isn't doing enough to assess the risks, a security expert warns in an article at Wired.

Essentia Health, which operates about 100 clinics, hospitals and pharmacies in Minnesota, North Dakota, Wisconsin and Idaho, tested every piece of medical equipment it uses, and Scott Erven, its head of information security, calls the results sobering.

The assessment showed how easy it can be to manipulate:

  • X-rays, which outsiders lurking on a hospital's network can access.
  • Temperature settings on refrigerators storing blood and drugs.
  • Data that devices send into EHRs, which physicians rely on for diagnoses and prescriptions.
  • Drug infusion pumps and defibrillators, causing them to work incorrectly or not at all.

The worst problems, according to the story, were with infusion pumps, implantable cardiovascular defibrillators and CT scans.

An array of devices shared a handful of common security holes, including lack of authentication to access or manipulate the equipment; weak passwords, or default and hardcoded vendor passwords like "admin" or "1234"; and embedded web servers and administrative interfaces that make it easy to identify and manipulate devices once an attacker finds them on a network.
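The weaknesses listed above map directly onto an inventory check a hospital security team can run against its own asset register. The following is an added example, not code from the article, from Essentia Health or from Wired: it audits a constructed device inventory for missing authentication, default or weak credentials, exposed embedded admin interfaces and missing network segmentation, and ranks remediation by patient-safety impact, treating the device classes the article names as the worst problems (infusion pumps, implantable defibrillators, CT scanners) as highest priority. The device records, field names and the password list beyond "admin" and "1234" are assumptions made for the example.

```python
"""Added example (not from the article or the organizations it describes):
audit a medical-device inventory for the common weaknesses named in the
article and rank remediation by patient-safety impact.
All inventory records below are constructed sample data."""
from dataclasses import dataclass, field
from typing import List, Optional

# "admin" and "1234" are quoted in the article; the rest are constructed
# placeholders standing in for a real vendor-default credential list.
DEFAULT_PASSWORDS = {"admin", "1234", "password", "", "vendor-default"}

# Device classes the article singles out as the worst problems.
HIGH_IMPACT_CLASSES = {"infusion_pump", "icd", "ct_scanner"}

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Device:
    name: str
    device_class: str
    requires_auth: bool
    password: Optional[str]      # None when no credential is configured at all
    web_admin_enabled: bool      # embedded web server / admin interface present
    segmented: bool              # True when firewalled off from the general network


@dataclass
class Finding:
    device: str
    issues: List[str] = field(default_factory=list)
    priority: str = "low"


def audit_device(dev: Device) -> Finding:
    """Check one device against the weaknesses the assessment found."""
    f = Finding(device=dev.name)
    if not dev.requires_auth:
        f.issues.append("no authentication required to access or manipulate")
    elif dev.password is not None and dev.password.lower() in DEFAULT_PASSWORDS:
        f.issues.append("default or hardcoded vendor password")
    elif dev.password is not None and len(dev.password) < 12:
        f.issues.append("weak password")
    if dev.web_admin_enabled and not dev.segmented:
        f.issues.append("embedded web/admin interface reachable from the flat network")
    if not dev.segmented:
        f.issues.append("not firewalled off from the rest of the organization")

    # Prioritise by what a compromise would do to a patient, then by exposure.
    if not f.issues:
        f.priority = "low"
    elif dev.device_class in HIGH_IMPACT_CLASSES:
        f.priority = "critical"
    elif not dev.segmented:
        f.priority = "high"
    else:
        f.priority = "medium"
    return f


def audit_inventory(devices: List[Device]) -> List[Finding]:
    """Audit every device and return findings, most urgent first."""
    findings = [audit_device(d) for d in devices]
    return sorted(findings, key=lambda f: PRIORITY_ORDER[f.priority])


# Constructed sample inventory (names and values are invented).
SAMPLE_INVENTORY = [
    Device("Infusion pump 7", "infusion_pump", True, "1234", True, False),
    Device("Blood fridge B2", "refrigerator", False, None, True, False),
    Device("CT scanner 1", "ct_scanner", True, "correct-horse-battery", True, True),
    Device("Lab analyzer 3", "lab_analyzer", True, "short", False, True),
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"[{finding.priority.upper()}] {finding.device}")
        for issue in finding.issues:
            print(f"    - {issue}")
```

The ordering rule is deliberate: a segmented lab analyzer with a weak password is a real finding, but an unsegmented infusion pump with a vendor-default password is the one to fix first, because the article's point is that the combination of a flat network and no real authentication puts the device within reach of anyone with a foothold.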

"There are very few [devices] that are truly firewalled off from the rest of the organization," Erven said. "Once you get a foothold into the network … you can scan and find almost all of these devices, and it's fairly easy to get on these networks."

Even devices that aren't connected directly to the Internet are vulnerable if they're connected to internal networks. If a hacker uses a phishing attack on an employee's computer to gain access to the internal network, then it's just a matter of exploring that network for vulnerable systems.

While medical equipment is regulated for reliability, effectiveness and safety before going to market, the focus has not been on security, something that has to change, Erven says.

The FBI warned the healthcare industry this month about its vulnerability to cyberattack, something Boston Children's has been experiencing.

The recently identified security flaw in Microsoft's Internet Explorer could be a particular risk for healthcare organizations because so many still use Windows XP, which Microsoft no longer supports, according to The Wall Street Journal.

To learn more:
- read the Wired article
- find the Journal story