The next time you are in the hospital, remember this terrifying thought: It is actually pretty easy to hack into medical equipment.
Scott Erven, head of information security for Essentia Health, an owner and operator of healthcare facilities, told Wired.com how he found out just how easy it is.
Neither Erven nor Essentia responded to requests for an interview.
During a two-year study, he and his team found that healthcare equipment including drug infusion pumps, Bluetooth-enabled defibrillators, digital medical records, and the temperature settings that regulate refrigerators storing blood and drugs could all be manipulated remotely.
“Many hospitals are unaware of the high risk associated with these devices,” Erven told Wired last month. “Even though research has been done to show the risks, healthcare organizations haven’t taken notice. They aren’t doing the testing they need to do and need to focus on assessing their risks.”
He said the healthcare industry is only now recognizing the security problems that come from connecting unprotected equipment to a network. Erven added that devices at medical facilities may even ship with hardcoded passwords such as "admin" and "1234".
In 2012, MIT Technology Review reported that Beth Israel Deaconess Medical Center in Boston had found 664 pieces of its medical equipment running older Windows operating systems that the hospital was not allowed to modify or update, because changes could interfere with the devices' U.S. Food and Drug Administration regulatory reviews.
The hospital’s chief information security officer said that led to computers acquiring malware and needing to be wiped every week, the report said.
Last year, the FDA announced a cybersecurity plan for medical devices and hospital networks after it said it became aware of “vulnerabilities and incidents” including:
- “Network-connected/configured medical devices infected or disabled by malware;
- The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices;
- Uncontrolled distribution of passwords, disabled passwords, hardcoded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel);
- Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices);
- Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.”
But before you swear off medical procedures for good, there are things healthcare facilities can do. Many of the proposed security solutions are the ones you would normally hear: put controls in place to protect equipment from unauthorized users. However, Erven said that will only go so far, and vendors also need to secure the devices before they sell them.
The FDA also recommended evaluating network security on a regular basis and devising strategies to keep critical functions running under adverse conditions. Device makers are also releasing software patches, but most sources say too few of them are doing so yet.
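The FDA's list of risk factors above (default or hardcoded passwords, plaintext or missing authentication, unsupported legacy operating systems, missing patches) maps naturally onto a periodic inventory check, which is one concrete form the recommended regular evaluation can take. The script below is an added example, not code from the article, from Essentia Health or from the FDA. The device names, addresses, credentials, end-of-support dates, 90-day patch threshold and severity weights are all constructed or assumed for illustration; a real assessment would pull the inventory from the facility's asset database and the default-credential list from vendor manuals.

```python
"""Inventory-driven risk triage for networked medical devices.

Added example (not from the original article, Essentia Health or the FDA).
It applies the FDA-listed risk categories to a constructed device inventory
and returns a prioritised list of findings per device.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed: vendor defaults mentioned in the article plus common ones (assumption).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", ""),
    ("service", "service"),
}

# Vendor end-of-support dates for the operating systems used in the sample inventory.
OS_END_OF_SUPPORT = {
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

PATCH_AGE_LIMIT = timedelta(days=90)   # assumption: local policy threshold
SEVERITY_WEIGHT = {"high": 3, "medium": 1}  # assumption: simple scoring


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    os: str
    username: str
    password: str
    auth: str          # "none", "plaintext" or "encrypted" management login
    last_patched: date
    segmented: bool    # True if on a dedicated device VLAN, not the flat hospital LAN


@dataclass(frozen=True)
class Finding:
    severity: str
    category: str
    detail: str


def assess_device(dev: Device, as_of: date) -> list[Finding]:
    """Apply each FDA risk category to one device and return the findings."""
    findings: list[Finding] = []
    if (dev.username, dev.password) in DEFAULT_CREDENTIALS:
        findings.append(Finding("high", "default-credentials",
                                f"login {dev.username!r}/{dev.password!r} is a known default"))
    if dev.auth == "none":
        findings.append(Finding("high", "no-authentication",
                                "management interface requires no login"))
    elif dev.auth == "plaintext":
        findings.append(Finding("medium", "plaintext-authentication",
                                "credentials are sent unencrypted"))
    eol = OS_END_OF_SUPPORT.get(dev.os)
    if eol is not None and eol <= as_of:
        findings.append(Finding("high", "legacy-os",
                                f"{dev.os} unsupported since {eol.isoformat()}"))
    if as_of - dev.last_patched > PATCH_AGE_LIMIT:
        findings.append(Finding("medium", "stale-patches",
                                f"last patched {dev.last_patched.isoformat()}"))
    if not dev.segmented:
        findings.append(Finding("medium", "flat-network",
                                "reachable from the general hospital LAN"))
    return findings


def risk_score(findings: list[Finding]) -> int:
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def assess_inventory(devices: list[Device], as_of: date) -> list[tuple[Device, int, list[Finding]]]:
    """Score every device and sort the riskiest first (ties broken by name)."""
    rows = []
    for dev in devices:
        findings = assess_device(dev, as_of)
        rows.append((dev, risk_score(findings), findings))
    rows.sort(key=lambda r: (-r[1], r[0].name))
    return rows


# Constructed sample inventory (assumption): names, addresses and versions are made up.
INVENTORY = [
    Device("infusion-pump-07", "10.20.1.17", "Windows XP", "admin", "1234",
           "plaintext", date(2012, 11, 2), False),
    Device("blood-fridge-monitor-2", "10.20.1.40", "Embedded Linux", "admin", "",
           "none", date(2014, 3, 15), False),
    Device("defib-bt-gateway", "10.20.2.5", "Windows 7", "biomed", "Xk9!vq2#Lm",
           "encrypted", date(2014, 4, 20), True),
]


def triage(as_of: date = date(2014, 5, 1)) -> list[tuple[Device, int, list[Finding]]]:
    return assess_inventory(INVENTORY, as_of)


if __name__ == "__main__":
    for dev, score, findings in triage():
        print(f"{dev.name} ({dev.ip}) score={score}")
        for f in findings:
            print(f"  [{f.severity}] {f.category}: {f.detail}")
```

Run as a script it prints the three sample devices riskiest first; the infusion pump on an unsupported Windows XP build with a default login comes out on top, while the segmented gateway with a unique credential and encrypted login has no findings. The assessment date is a parameter so the same inventory can be re-scored at each periodic evaluation as support windows lapse.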
Cybersecurity changes quickly, so I guess we will have to wait and see if the healthcare industry can get ahead of it.
Reliable, encrypted backups can really help businesses move towards being more HIPAA compliant. Have a look at what StorageCraft ShadowProtect can do for businesses in the medical field.
Photo Credit: Wikimedia commons