Bloomberg Business: It’s Way Too Easy to Hack the Hospital

A recent report by Bloomberg Business is getting quite a bit of attention… and for very good reason. In “It’s Way Too Easy to Hack the Hospital,” Bloomberg reveals how it’s not as hard as it should be for hackers to crash – or manipulate – equipment and devices in the hospital or office setting. These include not only phones and printers but also magnetic resonance imaging scanners, ultrasounds and ventilators.

The Mayo Clinic explored these weaknesses – and developed new security measures – in recent sessions with a group of hackers it had hired for that exact purpose. According to one of the hackers, hospitals seemed “at least a decade behind the standard security curve,” and he worried: “Sooner or later, hospitals would be hacked, and patients would be hurt.”

So what do you need to know? We’ve reviewed the report (and other articles written about it like “Your Hospital Is More Vulnerable to a Hack Than You Think”) and have some answers to some basic questions:

What’s the concern?
Networked medical devices may utilize standard operating systems and communicate through the Internet alongside smartphones and personal computers. These are susceptible to being hacked, even by something as common as an infected email. And it’s not just devices and equipment that are at risk: personal medical data is vulnerable, as well.

Where’s the vulnerability?
Among the issues are lack of proper security protocols, use of generic passwords common to many medical devices, insufficient or ineffective firewalls and old or outdated operating systems.

How common is it?
It is more common than you may think. Bloomberg cites KPMG survey data from August that indicates “81 percent of health information technology executives said the computer systems at their workplaces had been compromised by a cyberattack within the past two years.

What’s the risk?
In addition to data compromises similar to the security breaches retail chains sometimes suffer, there is the potential for serious harm. For example, a hacker could potentially take control of medical devices or dispense medication (including manipulation of dosages). In some cases, hackers also install “ransomware” on computers and devices to restrict users’ access to their own files. This enables the hackers to demand payment to restore access.

Who’s responsible?
Unfortunately, there’s a lack of oversight and (what seems like) a lack of concern from both medical device makers and hospital administrators. The tendency is for hospital administrators and IT departments to rely on the device manufacturers to maintain security on machines. Manufacturers, in turn, state that the first line of defense is the hospital firewall. As a result, they push back on regulating devices and call for hospitals to improve their network protections.

And what can you do?
While not everyone can invest resources on par with the Mayo Clinic, it does fall on doctors and hospitals to know where they’re vulnerable and – utilizing experts in the field – put in place proper security measures. In order to be proactive instead of reactive, review and test these protocols consistently.