Newly unveiled findings from a 2-year audit of a chain of Midwest hospitals corroborated what many in cybersecurity have long said about medical devices: they are too often woefully lacking in digital defenses.
Everything from infusion pumps to defibrillators and X-ray machines were found easy to access, attack, take offline or otherwise manipulate in ways that could harm patients or compromise sensitive data. And many hospitals have no idea.
"Even though research has been done to show the risks, health care organizations haven’t taken notice," Essentia Health information security head Scott Erven told Wired. "They aren’t doing the testing they need to do and need to focus on assessing their risks."
Erven is not the 1st to tackle medical device security, but he’s one of few that have gained wide access to hospital technologies. He’s one of even fewer given the OK to make some of his findings public.
Erven declined to name specific brands or models most susceptible to attack, saying that he’s working with manufacturers to address some of the issues, but his list of grievances included security holes often cited by other researchers. Weak passwords, hard-coded vendor passwords and missing user authentication were among the primary concerns.
The Dept. of Homeland Security warned last year that some 300 medical devices may be vulnerable to malicious hacking thanks to manufacturers’ hard-coded default passwords. Devices at risk included external defibrillators, infusion pumps, lab and analysis equipment, ventilators and more.
The FBI warned earlier this month that medical devices and other hospital and healthcare systems need some serious security upgrades to weather the coming onslaught of malicious hacking. With an impending deadline to shift to electronic medical records, which fetch a high price on the black market, healthcare systems are an increasingly alluring target for cyber-criminals.
Researchers at SecureState reported last year that their penetration testing found that devices such as IV pumps and X-ray machines are vulnerable to the fairly rudimentary form of attack. Earlier last year a pair of security researchers used a simple "denial of service" attack to demonstrate that a Philips (NYSE:PHG) Xper hospital management system could be infiltrated and "owned" fairly easily.
Not many device makers have spoken openly about their interest (or lack thereof) in digital defenses, but industry titan Medtronic (NYSE:MDT) has said on more than one occasion that medtech cybersecurity is a "high priority" for the company. Medtronic later reiterated its commitment in a manifesto on cybersecurity, promising to keep a close eye on its devices and take action on any new vulnerabilities it discovers.