Hacking the Hospital: Medical Devices Have Terrible Default Security

 Screen Shot 2014-04-29 at 10.28.40 AM

Scott Erven is head of information security for a healthcare provider called Essentia Health, and his Friday presentation at Chicago’s Thotcon, “Just What The Doctor Ordered?” is a terrifying tour through the disastrous state of medical device security.

Wired’s Kim Zetter summarizes Erven’s research, which ranges from the security of implanted insulin pumps and defibrillators to surgical robots and MRIs. Erven and his team discovered that hospitals are full of fundamentally insecure devices, and that these insecurities are not the result of obscure bugs buried deep in their codebase (as was the case with the disastrous Heartbleed vulnerability), but rather these are incredibly stupid, incredibly easy to discover mistakes, such as hardcoded easy default passwords.

For example: Surgical robots have their own internal firewall. If you run a vulnerability scanner against that firewall, it just crashes, and leaves the robot wide open.

The backups for image repositories for X-rays and other scanning equipment have no passwords. Drug-pumps can be reprogrammed over the Internet with ease. Defibrillators can be made to deliver shocks — or to withhold them when needed.

Doctors’ instructions to administer therapies can be intercepted and replayed, adding them to other patients’ records.

You can turn off the blood fridge, crash life-support equipment and reset it to factory defaults. The devices themselves are all available on the whole hospital network, so once you compromise an employee’s laptop with a trojan, you can roam free.

You can change CT scanner parameters and cause them to over-irradiate patients.

Some of the most disturbing problems they found involved infusion pumps, ICDs (implantable cardiovascular defibrillators that deliver shocks to a patient who shows signs of going into cardiac arrest) and CT scans. They found a number of infusion pumps that have a web administration interface for nurses to change drug dosage levels from their workstations. Some of the systems are not password-protected, while others have hardcoded passwords that are weak and universal to all customers.

With the CT scan, they could alter configuration files and change radiation exposure limits that set the amount of radiation patients receive.

Though targeted attacks would be difficult to pull off in most cases they examined, since hackers would need to have additional knowledge about the systems and the patients hooked up to them, Erven says random attacks causing collateral damage would be fairly easy to pull off.

That’s not the case with implantable defibrillators, however, which could be targeted.

“We found a couple of defibrillator vendors that use a Bluetooth stack for writing configurations and doing test shocks [against the patient] when they’re implanted or after surgery,” he says. “They have default and weak passwords to the Bluetooth stack so you can connect to the devices. It’s a simple password like an iPhone PIN that you could guess very quickly.”

The one bright spot is that anaesthesia and ventilators are not generally networked and are more secure.

Cory Doctorow (@doctorow) is a science fiction author, activist, journalist and blogger — the co-editor of Boing Boing (boingboing.net) and the author of the bestselling Tor Teen/HarperCollins UK novel Little Brother. His latest young adult novel is Homeland, his latest novel for adults is Rapture of the Nerds. This post appeared in boingboing.net on April 27, 2014. 

3 replies »

  1. Sounds like a new business model is born – white hat risk assessment

    Anybody out there doing that already?


  2. Essentia Health should be applauded for taking such a bold step. To have been a fly in the wall for that conversation. Would love to hear from them here.