Are you secure? PACS, MRIs and other medical devices at risk of being hacked, say security experts

If you think your patients and patient information are secure from hackers, you may want to stop and take a closer look.

According to a presentation made by two security researchers at DerbyCon 5.0 in Louisville, Ky., many healthcare provider computer systems and medical devices in the U.S. are vulnerable to hackers.

Scott Erven, associate director of the global consulting firm Protiviti, and Mark Collao, security consultant for security company Neohapsis, investigated the types of information hackers could potentially have at their disposal and what they could do with that information.

Using the search engine Shodan, which finds computers based on software, operating software or other specific details, Erven and Collao found access to tens of thousands of hospital computer systems and medical devices. This included a “very large U.S. healthcare system” with more than 12,000 employees and more than 3,000 physicians. The system included 97 MRI systems, 323 PACS systems, and hundreds of other devices.

Erven explained that most modern medical devices have three primary vulnerabilities: weak default administrative credentials, known software vulnerabilities, and the transmission of unencrypted data.

Collao briefly put on his “bad guy hat” and explained that hackers could take advantage of these vulnerabilities and learn a lot about a healthcare provider, including employee names and the exact office building and floor number where the equipment is located.

Even if a hacker doesn’t plan on “doing” anything with that access, Erven emphasized that it is still a serious issue for that potential to exist.  

“It’s important to note that malicious intent is not a prerequisite for an adverse patient safety event,” Erven said.

Erven then said that sometimes it’s not even “attackers” who are hacking into devices. He shared the story of patients who were hooked up to an infusion pump while recovering from gunshot wounds. They felt they weren’t receiving enough medication, so they hacked into the device, increased their own medication doses, and suffered serious overdose-like side effects as a result.

The Register initially reported on Erven and Collao’s presentation, going into more detail about the technical side of this dilemma.

Also, Erven and Collao’s full presentation is currently available on YouTube.

Michael Walter, Managing Editor

Michael has more than 18 years of experience as a professional writer and editor. He has written at length about cardiology, radiology, artificial intelligence and other key healthcare topics.
