© 2022 Cincinnati Public Radio
purple_waveback6.png
Connecting You to a World of Ideas
Play Live Radio
Next Up:
0:00
0:00
Available On Air Stations

Did You Know Your Medical Device Could Be Hacked?

MRI.jpg
Ann Thompson
/
WVXU

Internet security experts Scott Erven and Mark Collao focused on MRI scanners, X-ray machines, defibrillators and drug infusion pumps when they tried to find out how easy it is to hack into medical devices.

The smaller devices they bought on eBay, extracted firmware and went to the manufacturers' websites. For larger machines they scoured the web using a search engine for Internet-connected devices called Shodan. It told them what their log-in page would look like and what to do next.

What was so concerning to Erven and Collao was that no matter the device model, the same default passwords were used repeatedly and in some cases the manufacturer warned changing default passwords might void support (because service technicians needed to know the passwords). Erven and Collao built a word cloud with some of the most common passwords.

word_cloud.jpg

It is not uncommon for patients to hack into their own medical devices. Erven cites two cases of people in Austria who increased their morphine dosage by hacking into their own pumps.

In another case, using a health provider network, they found information about 68,000 devices, complete with host names, location and the doctors assigned to them.

They focused on equipment from GE Healthcare, but admitted they could have picked any company. They said GE is one of the more progressive companies and responded quickly when security flaws were pointed out.

GE Healthcare Spokesman Benjamin Fox emailed this statement to WVXU:

"GE is committed to supporting the safe and effective use of its products. Over the lifecycle of its installed base, GE has deployed security management models to accommodate features such as access control, password resets, and other administrative functions, and we continue to evolve our cyber security capabilities.”

But time could be a factor, according to Erven, "Unfortunately there are long development lifecycles. Three to five years is a quick turn-around for a medical device product and when you get into implantibles-10 plus years. So even though they are investing heavily today we may not see the fruits of that labor for 5-10 years."

Callao says it's kind of a catch 22 for manufacturers. 

“You don’t want the first thing for a doctor to be-What’s my user name and password, now I need a log-in, now I can start doing medical procedures.”

He sees the solution as better software development with regular security reviews and for wearable devices: biometrics.

In the meantime, the FDA is trying to bring awareness to this problem and will hold its second medical device security workshop on January 20th and 21st.

With more than 30 years of journalism experience in the Greater Cincinnati market, Ann Thompson brings a wealth of knowledge and expertise to her reporting. She has reported for WKRC, WCKY, WHIO-TV, Metro Networks and CBS/ABC Radio. Her work has been recognized by the Associated Press and the Society of Professional Journalists. In 2019 and 2011 A-P named her “Best Reporter” for large market radio in Ohio. She has won awards from the Association of Women in Communications and the Alliance for Women in Media. Ann reports regularly on science and technology in Focus on Technology.