Reports have surfaced detailing that hackers can falsify patients’ vitals by emulating data sent from medical equipment clients to central monitoring systems. The research, available here, takes advantage of a weak communications protocol used by some patient monitoring equipment to send data to a central monitoring station. The protocol is used in some of the most critical systems in hospitals, according to McAfee researchers. Even more concerning, McAfee was able to modify the vital sign data in real time, providing false information to medical personnel to make it look like a patient was flatlining. They were able to switch the display of a patient’s heartbeat from 80 beats a second to zero within five seconds.
Garrett Sipple, Managing Consultant at Synopsys:
“This is another example of recognising the importance of security as it plays a role in maintaining the safety and effectiveness of medical devices. Medical devices often move through long product development cycles that can make them slow to react to new cybersecurity threats, especially if cybersecurity wasn’t even a key consideration in the development process.
Cyber-attacks aren’t the only side effect to consider when it comes to medical device security. In a survey Synopsys ran with Ponemon last spring, it was found that in 38% of cases where a medical device had been breached, inappropriate health care had been delivered to the patient – and that could be lethal.
One of the prevalent themes we’re noticing is the critical role that systems must play in the healthcare sector, because there is shared responsibility among regulators, manufacturers, healthcare providers, and patients. While software security has been discussed for many years, fewer people are talking about systems security and integrating security into systems engineering. The healthcare industry must solve this problem at the system-of-systems level, as well as for individual products like MRI machines and patient monitors.
Well known technical activities such as static code analysis are important, but so are non-technical elements like risk management processes and program-level prioritisation of resources based on identified risk.”