Medical Equipment Running Old Software Is Vulnerable To Hackers: Report

A new report suggests millions of medical imaging devices running on outdated operating systems may be subject to cyber security hacking risks.

In a report issued this month, cyber security experts from Check Point Software Technologies detailed how older equipment used in many hospitals, especially medical imaging machines, could be susceptible to outside interference, which could pose a massive financial burden on the company and result in adverse health consequences for patients.

Cyber security specialists from the organization reviewed hacking data from the “WannaCry” ransomware virus, which occurred in May 2017, when cyber attackers targeted thousands of devices from over 150 countries that were linked to the internet and running on outdated Microsoft Windows operating systems. The hackers were able to encrypt the data they illegally obtained, and demanded ransom payments in the untraceable Bitcoin cryptocurrency.

As a result of the ransomware attack, the U.K.’s National Health Service was among the hardest hit by the attack, ultimately costing them over $150 million in lost output, updating information technology costs, and ensuring patient safety.

Due to the importance and time-sensitive nature of medical field data, the financial market for cyber security is a motivator for hackers. Check Point indicates medical records on the dark-market have been seen to go as high as $60 per record.

Researchers identified medical imaging machines running on outdated software, such as Windows 2000 that no longer receive security patches or updates, as the most vulnerable.

Cyberterrorists who are able to gain entry to the hospital network may easily connect to imaging devices running on this outdated software, such as ultrasound devices that monitor pregnancies and other serious medical conditions. With access to this information, attackers can gain personal details, change data, and ultimately alter the doctor’s recommended course of treatment for patients.

As an example, researchers indicate that they were able to remotely hack into an ultrasound device running Windows 2000, and exploit a well-known security gap vulnerability to download the entire database of patient ultrasound images.

What is referred to as The Internet of Medical Things (IoMT) has become increasingly vulnerable over the last decade, as the industry moves towards storing and sharing information over the internet. Some estimate suggest that 87% of healthcare organizations will have adopted IoMT technologies by the end of 2019, putting nearly 650 million devices at risk of cyber hacking if not properly secured.

Benefits of a connected medical network are undeniable, and offer a smarter and quicker transmission of information that can help saves lives, experts say. However, the report highlights the importance for healthcare organizations to properly protect their networks and recognize the vulnerabilities that increase the risk of a data breach.

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients in serious risk.

On October 1, 2018, FDA Administrator Scott Gottlieb announced a collaborative effort with MITRE Corporation to develop a medical device cybersecurity playbook, which is designed to prepare health care delivery organizations for malicious attacks that could gain control over medical devices used to treat patients.

Although the FDA is not aware of any successful incidents where a medical device was hacked and altered while being used on a patient, previous medical device hacking demonstrations have dated back to 2012, when researchers at a RSA security conference in San Francisco were able to hack an insulin pump from up to 300 feet away. The demonstration further showed how hackers could remotely take control of the insulin devices, allowing them to deliver lethal doses of insulin to patients without any notification.