Area hospitals are riddled with cybersecurity flaws that could allow attackers to hack into medical devices and harm patients, a team of Baltimore-based researchers has concluded after a two-year investigation.
Hackers at Independent Security Evaluators say they broke into one hospital's systems remotely to take control of several patient monitors, which would let an attacker disable alarms or display false information.
The team says it strolled into one hospital's lobby and used an easily accessible kiosk to commandeer computer systems that track medicine delivery and bloodwork requests — more opportunities for malicious hackers to create mayhem.
Independent Security Evaluators is in the business of selling security services. The firm says it approached and worked with the knowledge and cooperation of a dozen hospitals, including hospitals in the Baltimore and Washington areas, but did not release their names.
The firm said the hospitals declined to be named out of concern that their vulnerabilities would become public. The Baltimore Sun called several hospitals, but none acknowledged working with the firm.
Steve Bono, a founder of Independent Security Evaluators, said the project began with a simple question: "What's the worst thing that can happen?"
"A patient or multiple patients dying is the worst thing that can happen," he said. "It became readily apparent that yes, it's possible."
Hospital trade groups acknowledge cybersecurity challenges. They say they are working with their members to address vulnerabilities.
Jim Reiter, a spokesman for the Maryland Hospital Association, said medical facilities take their responsibility to protect patient data and devices seriously.
"It is unfortunate that there are bad actors who seek to infiltrate information systems from all corners of life, including those of hospitals," he said.
Ashley Thompson, senior vice president for public policy analysis and development of the American Hospital Association, said that "the rise in cyberattacks in all sectors, including health care, is a cause for concern."
"Hospitals and health systems are committed to protecting patients and patient data from wrongdoers," she said. "Hospital leaders are working diligently to predict and respond to existing and emerging threats. "
The findings, summarized in a report published this week, join a growing body of research about the vulnerabilities in medical devices and health care systems.
Cybersecurity weakness were once confined mostly to caches of data. But as more devices are turned into computers and put online — creating what is known as "the Internet of things" — the potential for hackers to wreak havoc in the real world has grown.
Bono and his team concluded that hospitals have focused most of their cybersecurity efforts on protecting private patient records, and not enough on defending computer systems that are hooked up to patients and could be used to cause them harm.
They said hospitals lack staff and money to address the problem.
"It doesn't really shock me that this happens, but it's eye-opening even still," Bono said. "When you walk into a hospital with very little effort and begin compromising systems, it's very disturbing."
In the lobby example, the researchers said, they could have mixed up blood samples or drugs, and an attack on patient monitors could cause "death or serious injury."
The researchers said they demonstrated the final stages of their attacks — the steps that would actually have interfered with patient care — on devices that were not connected to computer networks and under the supervision of hospital staff.
Other investigators have had similar successes breaking into health care systems. Sergey Lozhkin, a hacker at the Russian company Kaspersky Lab, described at a conference this month how he used a hospital's wireless Internet connection to gain access to MRI machines and see patient data.
Independent Security Evaluators concluded that attackers have dozens of potential ways to interfere with patient care. They proposed all kinds of diabolical scenarios: A defibrillator could be disabled. An X-ray machine could be made to blast patients — and anyone nearby — with high levels of radiation.
Researchers, regulators and hospital leaders are trying to come up with fixes.
The Food and Drug Administration has issued warnings about devices shown to be vulnerable to hacking. The agency circulated proposed guidance last month to device manufacturers about improving the cybersecurity of their products.
"All medical devices that use software and are connected to hospital and health care organizations' networks have vulnerabilities," FDA official Suzanne Schwartz said in a statement. "Some we can proactively protect against, while others require vigilant monitoring and timely remediation."
Bono said doctors need to be better educated about risks, and IT departments should start thinking about technical solutions.
One approach would be to put devices hooked up to patients on a different network from office computers. But Bono said that even such a seemingly simple fix would be a major undertaking for a hospital.
And keeping devices up to date with the latest patches — which computer security experts recommend for anything connected to the Internet — can be a headache in a hospital with dozens of categories of devices, each serviced by different companies.
There's no evidence that the kind of attack demonstrated by Independent Security Evaluators has been carried out, but health care organizations have become prime targets for hackers.
A hospital in Los Angeles fell victim this month to a so-called ransomware attack. Hackers locked staff out of their own systems and demanded payment in exchange for returning the keys. Hollywood Presbyterian Medical Center ultimately paid the hackers $17,000 worth of the digital currency bitcoin to return its systems to normal.
Officials said patient care was not affected, and the hacker's motivation appears to have been financial. But Bono's team said hackers with terror groups might try to break into medical devices to kill indiscriminately, or a foreign government could break into devices to assassinate a target while he or she was in a hospital.
Researchers have shown how drug-delivery pumps and other devices can be turned into deadly weapons by hackers. The auditing firm PwC reported that almost 40 percent of people it surveyed last year would be wary of going to a hospital associated with a compromised device.
Bono said he is not trying to cause alarm or scare people away from hospitals, but to nudge the health care industry to take action before something goes wrong.
If someone were to be killed by a hacker, he said, "it's going to cause hysteria."