Cybersecurity experts conduct hacker test on medical devices

WASHINGTON (WUSA9) ---  Cybersecurity experts have found ways to hack into hospital equipment.    

A recent IT study exposed the vulnerabilities of technology used inside medical facilities. The study conducted by Independent Security Evaluators (ISE) tested the hackability of hospital software and medical devices keeping patients alive.

One of the 12 hospitals in the study was located in the Washington Metropolitan area.  Although the healthcare facilities volunteered for the study, the authors of the ISE research report kept the hospital names anonymous.

Ted Harrington, ISE executive partner, insisted the study's conclusions may be applied to medical facilities nationwide. 

"100% were found to have critical security vulnerabilities which, if exploited, could result in patient harm or fatality."
 
Over 24 months ISE was able to hack into and remotely control patient monitors and breathing tubes, according to Harrington. The study's hackers could trigger a false alarm that may prompt doctors and nurses to administer unnecessary and adverse treatment.  

In other instances Harrington said his team bypassed the online authentication process so that a medical device may be "weaponized" against a targeted patient such as a politician.  (No patient was put into harms way during the study. The hacking was conducted within a controlled setting.)

The recent ransomeware attack on MedStar Washington's Georgetown University Hospital showed a less sophisticated type of cyberattack, according to Harrington. The hackers demanded money in exchange for the safe return of patient data.  As of this writing, the hospital reported no patient data was compromised.

Patient data is just one section of overall patient health, according to Harrington. To fully protect against more sophisticated cyberattacks, medical software and devices need more safeguards against exploitative hackers.

ISE's study offers a blueprint on how to fix the problems. For one, the hospital should restructure itself so IT (information technology) and IS (information security) are separate departments working to safeguard the hospital and its digital components from cyberattacks. 
 
"...[H]ealthcare is a complex, highly regulated industry, in which it is often difficult to adapt quickly to evolving conditions. For these reasons, we felt compelled to create, publish and give away the blueprint outlined in our research. This will help a healthcare organization of any size plan for and execute the long term process of improving its security posture," said Harrington. 
 
Additionally, hospitals need to fund digital safety training for employees. To lower the risk of catching malware, basic instructions should be learned including "don't give out your password, back up your data to a hard drive and encrypt your data." 

David Finn, Health Information Technology Officer at Symantec, sits on the advisory board for the ISE report. He has been in the hospital industry for over two decades and sees a need to shift employee training. 
 
Hospitals provide training on how to wash one's hands. The battle against germs includes disinfectant spray at every hospital elevator.  But a bigger threat looms: the lack of basic IT competency when it comes to the hospital's digital tools.  

Hospital workers need more training on safer and proper use of work e-mail and websurfing on laptops and mobile devices, according to Finn. The proper practice would lower the risk of infecting software with malware. 
 
"It's a fundamental change in the business," Finn said of the healthcare industry. 
 
Reported by: Elizabeth Jia
WUSA 9 
 


JOIN THE CONVERSATION

To find out more about Facebook commenting please read the
Conversation Guidelines and FAQs

Leave a Comment