Hospitals loom large in the public imagination. A general atmosphere of disease combined with the possibility of scientific mistake render most any sick house frightening, possibly even terrifying to many people. Now, there's a new reason to fear: A two-year investigation of a Midwestern health care chain’s information systems has revealed hair-raising flaws that leave its hospitals and pharmacies open to hacker attacks. Worse, the security exploration suggests that many hospitals may have similar vulnerabilities.
Scott Erven, who works as head of information security for Essentia Health, was asked in 2012 to evaluate the safety of medical equipment throughout the large Midwestern company’s operations. His findings, some of which are published in Wired magazine, fall under the general category of kinda-wish-I-never-read-that. Turns out, Essentia and its roughly 100 facilities in Minnesota, North Dakota, Wisconsin, and Idaho — including clinics, hospitals, and pharmacies — is open to any number of hackable breaches.
“We tested every single device in our environment — various radiology stuff and MRIs, ultrasound and mammography systems, cardiology, oncology,” Erven told Wired. “We tested all of our lab systems, surgery robots, fetal monitoring, ventilators, anesthesia.” In fact, Erven and his snooping colleagues discovered that a good hacker might remotely manipulate drug infusion pumps to change the dosage of morphine, say, or chemotherapy siphoned to patients. Or, a computer wizard might easily engineer Bluetooth-enabled defibrillators to deliver random shocks (or no shock at all when needed) to a patient’s heart. Perhaps resetting the temperature on refrigerators might be more of a particular hacker’s style; this would easily ruin blood and/or drugs stored inside them. And of course digital medical records present another welcome opportunity to attackers. Altered by some malicious person, a doctor using the records might prescribe the wrong drugs or misdiagnose a patient. (Consider for a moment the looming federal deadline mandating all medical records go live by October.) Erven even found a willing hacker could remotely crash, restart, or reboot critical equipment at will, essentially wiping out all configuration settings.
“There are very few [devices] that are truly firewalled off from the rest of the organization,” Erven told Wired. “Once you get a foothold into the network … you can scan and find almost all of these devices, and it’s fairly easy to get on these networks.” Embedded web services — the very same capabilities allowing devices to communicate with one another while feeding data to patient medical records — are crucial in terms of vulnerability. “A lot of the web services allow unauthenticated or unencrypted communication between the devices,” Erven explained to Wired. “The physician is taught to rely on the information in the medical records … [but] we could alter the data that was feeding from these systems, due to the vulnerabilities we found.”
Kudos to Essentia for exposing its flaws to the world and in so doing, encouraging others to investigate hackable breaches. With the help of Erven and other information security experts, their health care information system should soon be transformed and rank among the most protected in the nation. No one ever wants to end up in a hospital, but if so, consider yourself lucky to end up in a bed within Essentia's walls!