In a study spanning two years, Erven and his team found drug infusion pumps (for delivering morphine drips, chemotherapy and antibiotics) that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.
Erven’s team also found that, in some cases, they could blue-screen devices and restart or reboot them to wipe out the configuration settings, allowing an attacker to take critical equipment down during emergencies or crash all of the testing equipment in a lab and reset the configuration to factory settings.
“Many hospitals are unaware of the high risk associated with these devices,” Erven says. “Even though research has been done to show the risks, health care organizations haven’t taken notice. They aren’t doing the testing they need to do and need to focus on assessing their risks.”
Erven, who plans to present some of his findings today at Thotcon in Chicago, began his research after a security consultancy performing a penetration test on an Essentia Health network discovered some devices connected to the network that had security issues. This, combined with previous research done by other security experts showing problems with insulin pumps, defibrillators and hardcoded passwords in medical devices, prompted Essentia to take an extensive look at all of its equipment.
“A lot of the web services allow unauthenticated or unencrypted communication between the devices, so we’re able to alter the info that gets fed into the medical record … so you would get misdiagnosis or get prescriptions wrong,” he says. “The physician is taught to rely on the information in the medical records … [but] we could alter the data that was feeding from these systems, due to the vulnerabilities we found.”
Some of the most disturbing problems they found involved infusion pumps, ICDs (implantable cardiovascular defibrillators that deliver shocks to a patient who shows signs of going into cardiac arrest) and CT scanners. They found a number of infusion pumps that have a web administration interface for nurses to change drug dosage levels from their workstations. Some of the systems are not password-protected, while others have hardcoded passwords that are weak and universal to all customers.
With the CT scanners, they could alter configuration files and change radiation exposure limits that set the amount of radiation patients receive.
Though targeted attacks would be difficult to pull off in most cases they examined, since hackers would need to have additional knowledge about the systems and the patients hooked up to them, Erven says random attacks causing collateral damage would be fairly easy to pull off.
That’s not the case with implantable defibrillators, however, which could be targeted.
“We found a couple of defibrillator vendors that use a Bluetooth stack for writing configurations and doing test shocks [against the patient] when they’re implanted or after surgery,” he says. “They have default and weak passwords to the Bluetooth stack so you can connect to the devices. It’s a simple password like an iPhone PIN that you could guess very quickly.”
A fictional defibrillator attack had a prominent role in an episode of the TV show Homeland in 2012, but the risks of such an attack are real. Physicians for former Vice President Dick Cheney had the wireless capability of his defibrillator disabled in 2007 to prevent terrorists from conducting such an attack to kill him.