Internet-connected medical devices are a great innovation with great potential. They improve patient care and reduce the costs of medical examination and treatment. On the other hand, most of these devices are relatively easy to hack and therefore pose a cyber security risk. If they are compromised, this could have a negative impact on patient care and the overall health care benefits of these devices.
Today’s typical hospital has hundreds of specialized medical devices connected to the internet such as X-rays, computed tomography, infusion and insulin pumps, and many more. In addition to collecting various data, they are remotely controlled, serviced, and updated.
“These specialized devices are designed primarily for medical use; however, most of them lack basic IT security protection and as such they can easily become an entry point for access to a hospital network,” says Martin Lohnert, a cybersecurity specialist at Soitron.
Since these medical devices use very specific proprietary communication protocols, they are relatively easy to track down when connected to the internet. There are even public lists of these devices.
This makes the attacker’s job so much easier. Firstly, they get acquainted with the situation. Next, they can check the list of potentially communicating medical devices on the internet and choose any one of them. They may also choose to verify the information: with Google Maps they can check the address to see if there is a hospital or other medical facility with the localized medical device. If they visit the facility’s website and use the Street View feature, they can even compare photos to make sure that the information is correct. Using readily available hacking tools, they can then identify which of the facility’s systems are accessible from the internet. “At that moment, the attacker has everything they need,” Lohnert points out. They have identified the target, and they know how to hack into the device.
To communicate with such a device, it is enough for an attacker to have a short piece of program code, which can sometimes be as short as thirty lines. They can adapt the code to suit their needs and then use it as they see fit. They get inside the device without ever hitting any protection or having to bypass any security features. They don’t even need to log into the device. “Medical devices often lack any security features, such as a login and password requirement that would protect them against unauthorized entry to the communication interface,” Lohnert explains. This should be taken into account, and adequate security should be provided. Ideally, devices should only communicate with a server within the organization.
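The recommendation that devices communicate only with a server within the organization can be checked against firewall or flow logs. The following is an added example, not part of the original article; the device subnet, server addresses, log format and sample records are all constructed assumptions.

```python
import ipaddress

# Assumed policy (all values hypothetical): medical devices sit in one VLAN
# and may exchange traffic only with the listed in-house servers.
DEVICE_NET = ipaddress.ip_network("10.20.30.0/24")
ORG_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_SERVERS = {ipaddress.ip_address("10.20.1.10"),
                   ipaddress.ip_address("10.20.1.11")}

# Constructed sample flow records, one per line: src dst dst_port action
SAMPLE_FLOWS = """\
10.20.30.15 10.20.1.10 104 ACCEPT
10.20.30.15 203.0.113.7 443 ACCEPT
198.51.100.23 10.20.30.22 104 ACCEPT
10.20.30.22 10.20.1.11 8443 ACCEPT
10.20.30.40 10.20.5.77 445 ACCEPT
198.51.100.23 10.20.30.22 104 DROP
not a flow line
"""

def audit_flows(text):
    """Return (line_no, category, device, peer, dst_port) for each violation."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port, action = int(parts[2]), parts[3]
        except (IndexError, ValueError):
            # Never silently skip a record the auditor could not read.
            findings.append((line_no, "unparsed", None, None, None))
            continue
        if action != "ACCEPT":
            continue  # blocked traffic is the policy working
        if src in DEVICE_NET:
            device, peer, direction = src, dst, "outbound"
        elif dst in DEVICE_NET:
            device, peer, direction = dst, src, "inbound"
        else:
            continue  # flow does not involve a medical device
        if peer in ALLOWED_SERVERS:
            continue
        scope = "internal-unapproved" if peer in ORG_NET else "internet"
        findings.append((line_no, f"{direction}-{scope}", str(device), str(peer), port))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Any `inbound-internet` finding means a device's communication interface is reachable from outside the organization and should be moved behind the internal server.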
If we look at how many medical devices are currently connected to the internet in the Czech Republic, and are thus potentially “ready” to be hacked, we find that there are 96 such devices. More than 80 of them are in Prague. What is alarming is both the number of these connected medical devices and the fact that the trend is on the rise. Instead of existing devices being secured through proper installation, new unsecured devices appear on the internet all the time. And as described above, they are relatively easy to find and can then be exploited.
It is no secret that hospitals are a popular target of ransomware attacks. By infiltrating a hospital network or a medical database, cybercriminals get access to thousands of personal medical records. This is largely due to insufficient security protection and the growing number of unprotected connected devices. Although there is as yet no documented evidence that hackers could have harmed patients through a medical device, cyber security experts point out that every medical device is hackable. And something needs to be done about these vulnerabilities.
How can you get out of this situation? “By raising cyber security awareness; implementing corporate security strategy in practice; proactively monitoring one’s own ICT environment, risks, and new threats; and finally, preparing for critical situations and being able to respond appropriately,” Lohnert concludes.