Scott Erven, head of information security for Essentia Health, was recently given free rein to look for security vulnerabilities in any device used across Essentia's facilities (approximately 100 of them). He found that hospital equipment is incredibly hackable.

As more devices are connected to hospital networks to improve functionality and efficiency, they also become exposed to cyber attacks. The focus has always been on functionality and reliability, not on security.

We're not just talking about HIPAA here. Medical records were among what could be hacked, as were implantable defibrillators, surgical robots, ventilators, drug infusion pumps and refrigerators, to name just a few.

Currently, hackers have the ability to manipulate medical record data, leading to changes in treatment by the healthcare providers who depend on that data. They have the ability to deliver unnecessary defibrillator shocks or interfere with necessary ones. They could alter the rate at which IV medications are delivered.

The problem stems from a basic lack of effort in building security into these devices. Devices lack encryption and robust authentication. Where authentication exists, it is often weak and hard-coded by the manufacturer, which means hospitals can't change the passwords, and those passwords are often universal: the same on every unit of a given model.

There are two problems here. The first is that hackers could obtain private medical data. The second is that patients' lives are in danger. Although that might sound like an exaggeration, hackers currently have the ability to seriously hurt patients or to prevent life-saving treatment.

Given what these devices cost (a drug infusion pump can run between $1000 and $5000), it is surprising they are not more secure. It's not as if device manufacturers would have to invest in researching and developing any new technology. There are plenty of high-quality, well-known security algorithms available to provide adequate protection. Basically, these devices need to ensure that they are communicating with trusted devices (authentication) and make sure eavesdroppers can't understand what they say (encryption).
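To make the two failings above concrete (the hard-coded, universal password, and commands that any device on the network can issue), here is an added example, not code from the article or from any device vendor: a constructed factory-password login beside a per-device, rotatable credential, and an authenticated command channel that rejects tampered or replayed commands. Device serials, the password, and the key are all constructed sample values.

```python
# Added example (not from the article): a constructed "hard-coded universal
# password" login beside a per-device, rotatable credential and an
# authenticated command channel. All values here are constructed samples.
import hashlib, hmac, os, secrets, struct

FACTORY_PASSWORD = "constructed-default"  # weak: same on every unit, unchangeable

def weak_login(password: str) -> bool:
    return password == FACTORY_PASSWORD  # anyone who learns it owns the fleet

# Hardened: unique secret per device, stored only as a salted PBKDF2 hash so the
# hospital can rotate it and one leaked store does not expose other units.
_cred_store: dict[str, tuple[bytes, bytes]] = {}  # serial -> (salt, hash)

def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)

def provision_device(serial: str) -> str:
    """Generate and record a unique credential for one device; returned once."""
    secret, salt = secrets.token_urlsafe(24), os.urandom(16)
    _cred_store[serial] = (salt, _derive(secret, salt))
    return secret

def hardened_login(serial: str, password: str) -> bool:
    entry = _cred_store.get(serial)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(_derive(password, salt), stored)  # constant-time

# Authenticating a command (e.g. an infusion-rate change) with a per-link key and
# a sequence number, so a tampered or replayed command is rejected. Encrypting
# the payload would be an additional step on top of this tag.
TAG_LEN = 32

def sign_command(key: bytes, seq: int, command: bytes) -> bytes:
    header = struct.pack(">I", seq)
    return header + command + hmac.new(key, header + command, hashlib.sha256).digest()

def verify_command(key: bytes, last_seq: int, msg: bytes):
    """Return (seq, command) if the tag is valid and seq is fresh, else None."""
    if len(msg) < 4 + TAG_LEN:
        return None
    header, command, tag = msg[:4], msg[4:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(key, header + command, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, or sent with the wrong key
    seq = struct.unpack(">I", header)[0]
    return (seq, command) if seq > last_seq else None  # None: replayed
```

The HMAC tag covers integrity and origin only; a real deployment would layer encryption (for example TLS or an AEAD cipher) over the same per-link key material to keep the payload itself private.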

Source: Wired