If you only knew the extent to which hospital systems can be hacked you would be shocked.  The lack of healthcare security measures across several domains is surprisingly absent.

Scott Erven, who works as head of information security for Essentia Health, and his team were given access to a chain of Midwest healthcare facilities for a study on healthcare security that spanned two years.  It’s not only information systems that are vulnerable, but medical device security as well.  The FDA had warned about this last year.

For example Scott and his team found that drug infusion pumps used for morphine drips and chemotherapy could be remotely accessed to change dosages.   Another example they found blue-tooth enabled defibrillators could be manipulated to deliver random shocks and prevent shocks from happening.

Even equipment such as refrigeration for storing drugs and blood can have the temperature altered.  Their medical reports could also be access and records edited or changed to alter a patients diagnosis.  Erven’s team was also able to blue-screen critical equipment to make it reboot and wipe out configurations.

Altlough Erven didn’t identify specific brands or companies, he didn’t mention there were common issues across all vendors.  One of the main problems was lack of authentication methods and secure passwords.  Also once a device was discovered on a network, it was easy to access web based configuration interfaces and change the settings.

Not only were some of the smaller devices such as pumps and defibrillators accessible but also CT scanners.  They were able to log in to the CT and change the radiation dosage.

Another issue they discovered was with embedded web devices that can communicate directly with EMR systems.

Read the original article on Wired.com.

You must be logged in to post a comment Login