Vital Sign Monitors Pose Vulnerability to Hacking
Cybersecurity researchers found in a simulation that heart monitors and other devices that monitor a patient’s vital signs in the hospital are vulnerable to hacking and other cyberthreats, according to a new report.
“Such an attack could result in patients receiving the wrong medications, additional testing, and extended hospital stays—any of which could incur unnecessary expenses,” wrote Douglas McKee, a senior security researcher for McAfee Advanced Threat Research. The findings of the report were presented recently at the DEF CON hacking conference in Las Vegas, according to an article in Fierce Healthcare.
According to the report, investigators from McAfee purchased a bedside monitor and central monitoring station from eBay, just like the ones used by several hospitals. They then simulated the setup typical in hospitals, where vital signs from multiple patients’ bedside monitors can be viewed by doctors and nurses at a centralized hub or monitoring station. The investigators found that they could alter the information transmitted to the monitoring station so that one patient’s heart rate appeared too high or too low. Depending on the numbers, providers would have to decide whether to treat that patient with medication.
Although researchers concluded that such a breach would be risky for a perpetrator to pull off, the fact that it’s even possible means hospitals and device makers should consider strengthening security controls.
“Both product vendors and medical facilities can take measures to drastically reduce the threat of this type of attack,” investigators wrote. “Vendors can encrypt network traffic between the devices and add authentication. These two steps would drastically increase the difficulty of this type of attack. Vendors also typically recommend that medical equipment is run on a completely isolated network with very strict network access controls. If medical facilities follow these recommendations, attackers would require physical access to the network, greatly helping to reduce the attack surface.”