When it comes to medical devices, there is no question that Internet connectivity can help save lives. But there’s also a real and significant danger that it might compromise them as well.

Connecting devices that have previously stood alone – pacemakers, drug delivery pumps, x-rays, MRIs, and infusion pumps – to the Internet and each other ought to facilitate seamless and better-informed healthcare delivery, improve patient outcomes, and increase hospital efficiency. But – abetted by users’ tendencies to employ default and/or manufacturer-supplied passwords – connectivity also opens the doors to hacking, quite literally putting patients’ health, and lives, at stake.

In Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software – one in an ongoing series of FDA “guidance” documents providing suggestions and recommendations on critical issues, but lacking the force of law or regulation – the agency’s Center for Devices and Radiological Health identified networked medical devices employing off-the-shelf (OTS) software as prime hacker targets.

While, to date, no major attack on these devices has been reported, medical devices remain both functionally unprotected against cyber-terrorists and highly attractive to black marketers. Hackers can easily exploit outdated OTS software and poor password protection on connected equipment to access a mainframe and then steal patient medical records including names, birth dates, addresses, and social security numbers.

The healthcare sector had largely managed to stay ahead of the hackers, keeping valuable patient medical records secure. But all that changed in February 2015, when Anthem Inc., the nation’s second-largest health insurance provider, announced it had been the victim of a direct cyber-attack causing a data breach that compromised almost 80 million patient records.

Hacked equipment puts more than just personal information at risk. As James Niccolai reported, at one hospital, two patients were able to hack into their infusion pumps to increase their morphine drip. Another patient accessed every drug in a dispensary using a hardcoded password. Perhaps more worrisome, once hacked, potentially life-saving medical equipment can be used to harm patients. “White Hat” hackers, who test security systems for clients, have been able to manipulate insulin pumps, pacemakers and infusion pumps to deliver lethal events to their users. Although no documented cases of this have occurred, cyber security experts worry it is only a matter of time.

Healthcare institutions are implementing techniques borrowed from high-security government agencies to protect themselves. But for every patch and workaround there is a hacker out there looking for a new challenge. Device protection remains, quite simply, a matter of life or death.
