Did You Know Your Medical Device Could Be Hacked?

Jan 11, 2016

Internet security experts Scott Erven and Mark Collao focused on MRI scanners, X-ray machines, defibrillators and drug infusion pumps when they tried to find out how easy it is to hack into medical devices.

The smaller devices they bought on eBay, extracted firmware and went to the manufacturers' websites. For larger machines they scoured the web using a search engine for Internet-connected devices called Shodan. It told them what their log-in page would look like and what to do next.

What was so concerning to Erven and Collao was that no matter the device model, the same default passwords were used repeatedly and in some cases the manufacturer warned changing default passwords might void support (because service technicians needed to know the passwords). Erven and Collao built a word cloud with some of the most common passwords.

It is not uncommon for patients to hack into their own medical devices. Erven cites two cases of people in Austria who increased their morphine dosage by hacking into their own pumps.

In another case, using a health provider network, they found information about 68,000 devices, complete with host names, location and the doctors assigned to them.

They focused on equipment from GE Healthcare, but admitted they could have picked any company. They said GE is one of the more progressive companies and responded quickly when security flaws were pointed out.

GE Healthcare Spokesman Benjamin Fox emailed this statement to WVXU:

"GE is committed to supporting the safe and effective use of its products. Over the lifecycle of its installed base, GE has deployed security management models to accommodate features such as access control, password resets, and other administrative functions, and we continue to evolve our cyber security capabilities.”

But time could be a factor, according to Erven, "Unfortunately there are long development lifecycles. Three to five years is a quick turn-around for a medical device product and when you get into implantibles-10 plus years. So even though they are investing heavily today we may not see the fruits of that labor for 5-10 years."

Callao says it's kind of a catch 22 for manufacturers. 

“You don’t want the first thing for a doctor to be-What’s my user name and password, now I need a log-in, now I can start doing medical procedures.”

He sees the solution as better software development with regular security reviews and for wearable devices: biometrics.

In the meantime, the FDA is trying to bring awareness to this problem and will hold its second medical device security workshop on January 20th and 21st.