The data stream that transmits human vital signs information from hospital patient monitors to a central hub can be hacked and falsified, according to cybersecurity researchers. This highlights new concerns about medical device vulnerabilities. Using a patient monitor and a compatible central monitoring station purchased from eBay, members of the McAfee Advanced Threat Research team were able to emulate and modify data coming from a patient monitor, including heart rate, oxygen levels and blood pressure.
While the monitor itself was not directly affected, researchers found they could alter the information transmitted to the monitoring station, used by clinicians to oversee multiple patients at once. Altering the data to make it appear that a patient’s heart rhythm had either sped up or slowed down, for example, could prompt physicians to intervene or make medical decisions based on erroneous information. “Such an attack could result in patients receiving the wrong medications, additional testing, and extended hospital stays—any of which could incur unnecessary expenses,” said a senior security researcher for the McAfee Advanced Threat Research team. The findings were recently presented at the DEF CON Hacking Conference in Las Vegas.
The cybersecurity team pointed to the American Heart Association’s decision tree, which calls for patients experiencing atrial tachycardia to receive medication. “In the case of a network attack, this is medication the patient does not need and could cause harm,” they added.
While the attack requires more dedication and is riskier than a ransomware attack, since it would require a hacker to infiltrate the hospital network, the vulnerability is “not far-fetched” and could have huge consequences, said the team. “The type of attack we’re talking about applies to a very specific target,” he said. “Most likely a political figure or celebrity and would take some significant risks to pull off and be a very motivated attacker.”
Even though researchers tested only one device, the team said “there’s a very, very strong likelihood” the same type of approach would work on other devices that track patient vital signs.
While few attacks on medical devices have been documented, the cybersecurity industry has voiced mounting concern about the potential patient safety consequences. Earlier this year, Abbott issued a firmware update for 350,000 defibrillators with cybersecurity vulnerabilities, months after recalling pacemakers due to a similar issue.
Last week, Medtronic issued a warning about potential vulnerabilities associated with its insulin pumps and a patient monitor associated with implantable cardiac devices.
The McAfee report also highlights an ongoing battle over who is responsible for securing medical devices: manufacturers or hospitals. Povolny says vendors are quick to absolve themselves of even basic security protocols like encryption and authentication, arguing that it is up to the healthcare system to fortify its network. But hospitals have been historically slow to implement necessary network protections. “There are pockets of interest [in healthcare],” they said. “Whether or not we’ll see major changes across hospital systems immediately, I’m skeptical of. We just saw how many hospitals still run ancient operating systems and protocols that expose them to WannaCry, Petya and Not-Petya.”
The US Department of Health and Human Services and the Food and Drug Administration are aware of IoT-type cyber threats, but because governments move so slowly, lives could be jeopardized. Hopefully a registered nurse would double-check the vital signs the old way.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings