Thousands of medical devices are vulnerable to hacking, security researchers say

The security flaws put patients' health at risk

Next time you go for an MRI scan, remember that the doctor might not be the only one who sees your results.

Thousands of medical devices, including MRI scanners, x-ray machines and drug infusion pumps, are vulnerable to hacking, creating significant health risks for patients, security researchers said this week.

The risks arise partly because medical equipment is increasingly connected to the Internet so that data can be fed into electronic patient records systems, said researcher Scott Erven [cq], who presented his findings with fellow researcher Mark Collao [cq] at the DerbyCon security conference.

Besides the privacy concerns, there are safety implications if hackers can alter people's medical records and treatment plans, Erven said.

"As these devices start to become connected, not only can your data gets stolen but there are potential adverse safety issues," he said.

The researchers located medical devices by searching for terms like "radiology" and "podiatry" in Shodan, a search engine for finding Internet-connected devices.

Some systems were connected to the Internet by design, others due to configuration errors. And much of the medical gear was still using the default logins and passwords provided by manufacturers.

The researchers studied public documentation intended to be used to set up the equipment and found some frighteningly lapse security practices.

The same default passwords were used over and over for different models of a device, and in some cases a manufacturer warned customers that if they changed default passwords they might not be eligible for support. That's apparently because support teams needed the passwords to service the systems.

The researchers focused on equipment from GE Healthcare, but they said they could have picked any company. GE is "one of the more progressive" vendors and responded quickly when the flaws were pointed out, they said.

They built a word cloud showing the most frequently used logins and passwords for GE's products, which looked like this.

word cloud of frequent logins and passwords Scott Erven/Mark Collao

Word cloud showing default logins and passwords that were used frequently in GE medical devices

Evren noted that it doesn't require a malicious hacker for patients' safety to be compromised -- patients can put themselves at risk. He cited a case of two patients in hospital after an accident who hacked their pain medication drips in order to increase the dosage.

"If you're on morphine and you can figure out how to hack your own pump" then medical device security clearly "isn't very good," Evren said.

The devices aren't only vulnerable to hacking online. The researchers accessed the network of one unnamed health provider and found detailed information about more than 68,000 devices, including host names, a description of what the equipment does, its physical location in the hospital and the physicians assigned to it, Collao said.

Someone could easily use that information to craft a phishing attack -- a targeted email that tricks someone into opening a malicious attachment.

To get a sense of how actively hackers are targeting medical devices, Collao set up 10 "honeypots" -- computers that mimicked the appearance of medical systems to lure hackers. They attracted 55 successful logins, 24 exploits -- most using the MS09-067 Windows vulnerability -- and 299 samples of malware.

On the plus side, there was no evidence the hackers had targeted the devices specifically because they looked like medical systems, Collao said, but they're still being targeted.

"Next time you're in a hospital getting hooked up to a machine and you see an Ethernet cable going to the wall, it makes you think twice."

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags hackershealthsecurityndicinehacking

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

James Niccolai

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?