Hospitals found to be easily hacked; patient identities stolen and medication schedules altered

Sunday, January 10, 2016 by: Jonathan Benson, staff writer
Tags: medical hacking, security flaws, hospitals

---

(NaturalNews) The average health care facility, with all of its supposedly advanced medical devices and automated machinery, is a security nightmare, say hackers familiar with the vulnerabilities of much of modern technology. Lagging behind in security protection by at least a decade, a sizable percentage of hospital medical equipment is easily hackable, these experts warn, posing serious threats to patient protection.

The extent of these vulnerabilities was brought to light several years back when the Mayo Clinic in Minnesota, the world's largest integrated, non-profit medical group practice, hired outside consultants to evaluate the state of its technology. These experts found that everything from intravenous drug drips and imaging equipment, to ventilators and computer monitoring systems, are riddled with security flaws that even a novice hacker could penetrate with relative ease.

One of the Mayo Clinic's assigned consultants, Billy Rios, told the media that what he found during this evaluation shocked him. Practically every system he tested turned out to be fatally flawed, lacking even basic security protections to guard against, say, a mishap with the amount of a drug being dispensed through an IV.

"Every day, it was like every device on the menu got crushed," he told Bloomberg Business. "It was all bad. Really, really bad."

Part of the problem is that many medical devices and systems were developed in such a way that they could be easily networked, much like smartphones and personal computers, but without the same level of firewall protection. This opens up a serious can of worms as far as security is concerned, leaving hospitals vulnerable to attack by hackers with malicious intent.

"Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do," explains Bloomberg Business. "Like the rest of the Internet of Things–devices that range from cars to garden sprinklers–they communicate with servers, and many can be controlled remotely."

Federal regulators know about security flaws in hospital equipment, but refuse to address the problem

Following a year's worth of investigation into a sample medical device he purchased off eBay – a Symbiq infusion pump manufactured by Hospira (now owned by Pfizer) that was found to be easily hacked remotely, allowing third parties to alter the levels of fluids being injected into a patient – Rios submitted his findings to the Department of Homeland Security (DHS). But the response he received was less than satisfactory.

According to his personal account, DHS passed the information onto the Food and Drug Administration (FDA), which in turn passed it back over to Hospira. Several months later, and Rios is still waiting for some kind of response either from the device's manufacturer, or from the government, indicating that an investigation is underway.

"The FDA seems to literally be waiting for someone to be killed before they can say, 'OK, yeah, this is something we need to worry about,'" Rios told Bloomberg Business.

Rios continues, however, to work in the interest of patients, trying to warn whomever will listen that things need to change before something horrific happens. All it would take is one disgruntled hacker to invade a hospital's server system and wreak utter havoc, potentially injuring or killing hundreds or even thousands of patients.

"All their devices are getting compromised, all their systems are getting compromised. All their clinical applications are getting compromised–and no one cares," Rios laments. "It's just ridiculous, right? And anyone who tries to justify that it's OK is not living in this world. They're in a fantasyland."

Sources for this article include:

Bloomberg.com