Cybersecurity researchers hack patient monitor data stream, falsify vital signs

The data stream that transmits vital signs information from hospital patient monitors to a central hub can be hacked and falsified, according to cybersecurity researchers, highlighting new concerns about medical device vulnerabilities.

Using a patient monitor and a compatible central monitoring station purchased from eBay, members of the McAfee Advanced Threat Research team were able to emulate and modify data coming from a patient monitor, including heart rate, oxygen levels and blood pressure.

While the monitor itself was not directly affected, researchers found they could alter the information transmitted to the monitoring station, used by clinicians to oversee multiple patients at once. Altering the data to make it appear that a patient’s heart rhythm had either sped up or slowed down, for example, could prompt physicians to intervene or make medical decisions based on erroneous information.

“Such an attack could result in patients receiving the wrong medications, additional testing, and extended hospital stays—any of which could incur unnecessary expenses,” Douglas McKee, a senior security researcher for the McAfee Advanced Threat Research, team wrote. The findings were presented at the DEF CON Hacking Conference in Las Vegas last week.

The cybersecurity team pointed to the American Heart Association’s decision tree, which calls for patients experiencing atrial tachycardia to receive medication.

“In the case of a network attack, this is medication the patient does not need and could cause harm,” they added.

While the attack requires more dedication and is riskier than a ransomware attack since it would require a hacker to infiltrate the hospital network, the vulnerability is “not far-fetched" and could have huge consequences, Steve Povolny, head of advanced threat research at McAfee, told FierceHealthcare. 

“The type of attack we’re talking about applies to a very specific target,” he said. “Most likely a political figure or celebrity and would take some significant risks to pull off and be a very motivated attacker.”

Even though researchers only tested one device, Povolny says there’s “a very, very strong likelihood” the same type of approach would work on other devices that track patient vital signs. 

RELATED: FDA wants to create a ‘go-team’ for medical device cybersecurity

While few attacks on medical devices have been documented, the cybersecurity industry has voiced mounting concern about the potential patient safety consequences. Earlier this year, Abbott issued a firmware update for 350,000 defibrillators with cybersecurity vulnerabilities, months after recalling pacemakers due to a similar issue.

Last week, Medtronic issued a warning about potential vulnerabilities associated with its insulin pumps and a patient monitor associated with implantable cardiac devices.

The McAfee report also highlights an ongoing battle over who is responsible for security medical devices, manufacturers or hospitals. Povolny says vendors are quick to absolve themselves of even basic security protocols like encryption and authentication, arguing that it is up to the healthcare system to fortify its network. But hospitals have been historically slow to implement necessary network protections.

“There are pockets of interest [in healthcare],” Povolny said. “Whether or not we’ll see major changes across hospital systems immediately, I’m skeptical of. We just saw how many hospitals still run ancient operating systems and protocols that expose them to WannaCry, Petya and Not-Petya.”