News Feature | May 6, 2014

Hospital Equipment ‘Insanely Easy' To Hack

Katie Wike

By Katie Wike, contributing writer

Hospital Equipment Shown Easy To Hack

A team of researchers from Essentia Health has found their equipment is much easier to hack than they previously thought.

Essentia Health’s manager of information security, Scott Erven, and a team of researchers set out to test the equipment in their hospital to determine if it could be hacked, as well as assess the security of the devices overall. Over a period of two years, Erven and his team tested everything from drug infusion pumps to x-ray machines to EHR systems and found the technologies much easier to hack than they had expected.

Erven presented his findings of an internal security study at Thotcon 2014 in Chicago. “Many hospitals are unaware of the high risk associated with these devices,” Erven told Wired magazine in an article titled "It’s Insanely Easy to Hack Hospital Equipment." “Even though research has been done to show the risks, healthcare organizations haven’t taken notice. They aren’t doing the testing they need to do and need to focus on assessing their risks.

“There are very few [devices] that are truly firewalled off from the rest of the organization,” he continued. “Once you get a foothold into the network … you can scan and find almost all of these devices, and it’s fairly easy to get on these networks.”

Becker’s Hospital Review reports these devices had vulnerabilities stemming from weak user passwords, network interfaces that exposed vulnerable systems, and unsecured administrative access.

“A lot of the web services allow unauthenticated or unencrypted communication between the devices, so we’re able to alter the info that gets fed into the medical record … so you would get misdiagnosis or get prescriptions wrong,” Erven explains. “The physician is taught to rely on the information in the medical records … [but] we could alter the data that was feeding from these systems, due to the vulnerabilities we found.”

Wired says the worst of the results came when the team tested defibrualtors that could easily be targeted. “We found a couple of defibrillator vendors that use a Bluetooth stack for writing configurations and doing test shocks [against the patient] when they’re implanted or after surgery,” Erven says. “They have default and weak passwords to the Bluetooth stack so you can connect to the devices. It’s a simple password like an iPhone PIN that you could guess very quickly.”

Also at high risk were CT scans which could be hacked to change the amount of radiation a patient receives and involved infusion pumps which could be subject to random attacks with high collateral damage.