Are you secure? PACS, MRIs and other medical devices at risk of being hacked, say security experts
If you think your patients and patient information are secure from hackers, you may want to stop and take a closer look.
According to a presentation made by two security researchers at DerbyCon 5.0 in Louisville, Ky., many healthcare provider computer systems and medical devices in the U.S. are vulnerable to hackers.
Scott Erven, associate director of the global consulting firm Protiviti, and Mark Collao, security consultant for security company Neohapsis, investigated the types of information hackers could potentially have at their disposal and what they could do with that information.
Using the search engine Shodan, which finds computers based on software, operating software or other specific details, Erven and Collao found access to tens of thousands of hospital computer systems and medical devices. This included a “very large U.S. healthcare system” with more than 12,000 employees and more than 3,000 physicians. The system included 97 MRI systems, 323 PACS systems, and hundreds of other devices.
Erven explained that most modern medical devices have three primary vulnerabilities: weak default administrative credentials, known software vulnerabilities, and the transmission of unencrypted data.
Collao briefly put on his “bad guy hat” and explained that hackers could take advantage of these vulnerabilities and learn a lot about a healthcare provider, including employee names and the exact office building and floor number where the equipment is located.
Even if a hacker doesn’t plan on “doing” anything with that access, Erven emphasized that it is still a serious issue for that potential to exist.
“It’s important to note that malicious intent is not a prerequisite for an adverse patient safety event,” Erven said.
Erven then said that sometimes it’s not even “attackers” who are hacking into devices. He shared the story of patients who were hooked up to an infusion pump while recovering from gunshot wounds. They felt they weren’t receiving enough medication, so they hacked into the device, increased their own medication doses, and suffered serious overdose-like side effects as a result.
The Register initially reported on Erven and Collao’s presentation, going into more detail about the technical side of this dilemma.
Also, Erven and Collao’s full presentation is currently available on YouTube.