2016 / 22 July

Hospitals and Medical Devices Woefully Unprepared for Hackers – A Chilling Reality!


If you or your loved ones have been hospitalized anytime in the past several years, chances are they’ve been exposed to one or more potentially life threatening cyber security vulnerabilities.

I’m guessing that may come as a surprise to many of you. It’s not a scare tactic. It’s a harsh reality that will seem almost too big to swallow for some people.

While the mainstream media has been steadfast in their coverage of major cyber security attacks on companies like JP Morgan, Sony, Target, Anthem and a litany of others, there is an even more sinister and potentially deadly threat that has largely escaped the public’s attention.

A recent article published by Bloomberg Business, entitled “It’s Way Too Easy to Hack the Hospital”, exposes a number of serious cyber security vulnerabilities facing hospitals and medical device manufacturers. The simple truth is that hospitals and medical device manufacturers are far behind the curve when it comes to adequately protecting their networks and the slew of connected devices now routinely used to treat patients.

I am not suggesting that you should avoid hospitals or obtaining any necessary medical care, but here are just a few of the startling revelations that are worth keeping in the back of your mind:

  • Cyber security engineers demonstrated the ability to remotely penetrate and take complete control of networked infusion pumps. These are the automated pumps that monitor and administer intravenous medications. “White hat hackers” were able to simulate changing the dosage and even rapidly injecting an entire vial of medication.
  • At least one engineer demonstrated the ability to remotely hack a pacemaker and reconfigure it to deliver a dangerous shock.
  • In an audit of more than 60 hospitals, 100% of them were found to have medical devices infected with malware. Not only is this potentially dangerous, it is also a mechanism for stealing medical records and the identities of patients as well as healthcare employees.
  • Real malware was detected that was specifically designed to steal patient medical data and related identity information. Patient medical data is highly valued on the black market – even more so than stolen credit cards – because it enables criminals to thoroughly steal your identity in ways that are far more difficult to detect.
  • In addition to command-and-control malware, ransomware designed to restrict a user’s access to his or her medical records was found, potentially allowing hackers to demand payment to restore access.
  • A recent KPMG survey indicated that 81 percent of health information technology executives said their computer systems at their workplaces had been compromised by cyber attacks within the past two years.
  • Access to drug cabinets can routinely be circumvented by default passwords built into these devices. In some cases, default passwords are “hard wired” into the devices and cannot even be changed.

Not surprisingly, the problem is not getting any smaller. The medical device and health records industry is massive and continues to grow rapidly. By 2016, the medical device market is expected to reach $133 billion. The consumer-oriented wearable medical device market is expected to reach $5.8 billion by 2019, and the electronic health record industry is set to top $9.3 billion by the end of 2015.

So, what needs to be done?

Clearly, from a technology perspective, there is much that can and needs to be done just in terms of implementing best practices at hospitals when it comes to integrating networked medical devices. Properly architected networks, firewalls, intrusion monitoring, etc., along with routine security audits, are critical. Incidentally, this issue goes well beyond just hospitals and applies to the entire ecosystem of what is now commonly referred to as the Internet of Things (IoT). If you aren’t sure what IoT means, go eyeball your DVR, broadband router, home security system, remote-controlled thermostat, newer major appliances, and even the electrical meter on the outside of your house. You might be surprised by the number of devices just in your own home that are networked one way or another.

Looking beyond how these devices are connected in hospitals or even in your own home, the weakest link in the security chain often comes down to the credentials used to access these devices. By credentials I mean usernames, passwords, and PINs.

Passwords in one form or another have been used since the dawn of civilization to identify people and protect secrets — particularly by the military. And for thousands of years, they have been routinely compromised through trickery, coercion, and sometimes outright brute force.

You’d think we would come up with a better solution, right?! The chief problem is that passwords inherently involve “something you know”. And if you know it, so can someone else. Replacing or augmenting passwords with “who you are” is a far better solution.

What I’m talking about is biometric identification. Facial, iris, fingerprints, voice, etc. Pick your flavor or use them in combination. If you’re not familiar with BluStor’s personal biometric identification and data security solution, I encourage you to peruse our website when you’re done reading this article. One of the things that we strongly advocate is that your biometrics must be stored safely away from the devices that use them and kept securely in your control. To put this bluntly, storing your biometric identity on smartphones, centralized servers, or cloud-based services is simply not sufficiently secure — read my article “1 Device to Rule Them All, Should You Be Worried?” for more insight into that particular area of concern.

Once your biometrics have been compromised, you can never replace them. So, the next time you are storing your fingerprints on your iPhone or Android smartphone, you might want to reconsider.

Finally, and probably most importantly, generating public awareness of these sorts of cyber security vulnerabilities is critical. There is always a yin and yang tug of war between companies accepting responsibility for these issues and the inevitable costs of correcting such a large problem. It’s the public’s and media’s job to help hold the health care industry accountable, as well as to ensure our legislatures take appropriate action to safeguard the public. The unfortunate truth is that it often takes a real catastrophe before anyone sits up and takes notice. Let’s hope we can change that outcome.

If you valued this article and want more, please hit the ‘like’ button and also share via your Twitter, LinkedIn, Google+ and Facebook social media platforms. I encourage you to join the conversation or ask questions so feel free to add a comment on this post.

You can also find me on Twitter at @NewFrontierCIO for more commentary on the frontiers of technology, leadership, space exploration, and science.
