Skip to main content
May 5, 2014

Code Blue: Audit Reveals Desperate State Of Medical Device Security

A presentation at Thotcon is just the latest to sound an alarm about the pitiful state of security within hospitals and other medical settings.

The U.S. healthcare system is modernizing by leaps and bounds – largely driven by changes included in The Affordable Care Act and other federal regulation that is driving investment in breakthrough technologies like Electronic Health Records. This is undoubtedly a good thing for patient care. When all the doctors and specialists involved in a patient’s care have prompt access to test results, notes and other key data, diagnoses happen faster and better decisions get made about patient care over the long term. But the drive to bring hospitals and doctors offices into the 21st century is having some unintended consequences, especially in the arena of information security. A story by Kim Zetter over at Wired is calling attention to an audit by Scott Erven of Essentia Health, a network of 100 hospitals, medical clinics and pharmacies in the states of Minnesota, North Dakota, Wisconsin and Idaho. Erven’s two year study found evidence of widespread and exploitable
vulnerabilities in a wide range of equipment used in medical settings. They include vulnerable web interfaces and Bluetooth connections that can be used to reset or alter the operation of critical devices, including drug infusion pumps, defibrillators, X-ray equipment and refrigerators used for storing blood and drugs. Erven presented his findings recently at Thotcon, a Chicago security conference. According to the Wired report, one of the main problems Erven and his team encountered was with embedded web services on medical devices. That kind of feature is often included to give devices on a hospital network the ability to be remotely accessed by medical staff and to share information with management consoles and electronic health records systems. But Erven said that the implementation of the web services was often hackneyed. “A lot of the web services allow unauthenticated or unencrypted communication between the devices, so we’re able to alter the info that gets fed into the medical record,” he said. A malicious actor could alter those records in a way that adversely affected patient health, Erven noted. The problems catalogued by Erven and his team in their two years of research are dispiriting: refrigerators, drug infusion pumps and ICDs (implantable cardiovascular defibrillators) with web-based temperature controls that can be accessed using hard coded (i.e. universal) passwords. Interfaces for CT scanning machines were accessible with only a modest effort that included settings that allow the technician to adjust the level of radiation delivered to the patient. This blog has written about some of the issues confronting medical device makers and their customers. that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care. Hacking medical machinery in hospitals might sound far-fetched, but its not. As this blog noted, the case of serial killer (and nurse) Charles Cullen already shows how a creative sociopath might manipulate sophisticated medical technology to cause harm. And former Vice President Dick Cheney’s acknowledgement that he asked doctors to disable a wireless management feature in his pacemaker shows that – at least at the highest levels of government – the threat of malicious attacks on medical devices is taken seriously. And, in Boston, a Children’s Hospital has fallen victim to serial denial of service attacks that may be attributed to the group Anonymous. In many ways, the vulnerabilities are evidence of the ‘curse of good intentions.’ Greater network connectivity is revolutionizing the way healthcare is delivered. Remotely accessible systems allow doctors to remotely monitor patients who are connected to the devices, allowing fewer staff to do more work. Also, many devices now include features that will automatically alert medical staff by email or text of changes to the patient’s status. Too often, however, the companies responsible for those features fail to imagine the possibility of malicious attacks on their product. Veracode CTO Chris Wysopal has noted that medical devices were designed to be stand alone systems managed by a medical staff that was physically present at the device. In the last 10 years however, those same devices have added remote management features without adequately accounting for the new risks that such features entail. Hospital administrators often assume (wrongly) that the devices can’t be accessed from the Internet or, more common, that because they are only accessible from the hospital network that no additional security is required to make sure an insider doesn’t abuse their access to the network. In June, the Food and Drug Administration issued a call for more scrutiny of medical devices after some high profile software vulnerabilities were disclosed. However, the FDA – which is charged with certifying medical devices – lacks the expertise to audit the security of the software that runs many medical devices.

Paul Roberts is an experienced technology writer and editor that has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR’s Marketplace Tech Report, The Boston Globe,, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO , CSO and He was, yes, a guest on The Oprah Show — but that’s a long story. You can follow Paul on Twitter here or visit his website The Security Ledger.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.