LAS VEGAS — At a conference here Thursday, security researchers said that hundreds of common medical devices, ranging from X-ray machines to MRIs, have been vulnerable to attack by hackers.
During day one of DefCon, the world’s largest computer hacking conference, researchers Scott Erven and Mark Collao warned that allowing more and more health care products to be connected to the Internet has made it all the easier for attackers to exploit devices with potentially fatal results.
“Medical devices are increasingly accessible due to the nature of health care,” Mr. Erven said. “And as connectivity increases, so does that potential exposure.”
Hackers aren’t necessarily actively exploiting vulnerabilities in software, websites and apparatuses on which the health care industry relies, the team told the DefCon audience.
Instead, they warned, the vast majority of examples they’ve analyzed during the past few years of research have exposed a systematic problem with “security hygiene” that they believe is commonplace across the board.
Even when flaws are discovered in health care applications, the researchers said, new software is routinely rolled out with those same vulnerabilities ready to be exploited.
In other instances, they added, patient data is often transmitted across the web without encryption, allowing eavesdroppers to access and, with the right know-how, edit patient records.
Other products, meanwhile, are shipped from manufacturers to hospitals and clinics across the country with explicit instructions for staffers not to change the default passwords used to control those devices — thus allowing anyone willing to spend a few minutes on Google to have the proper credentials needed to gain full control over gear ranging from nuclear imaging systems to MRIs.
Once an attacker has complete access to a medical device, either physically or remotely, the possible outcomes could range from increasing dosages to altering records.
“A software-driven, connected medical device is a vulnerable, exposed one,” the team said.
The researchers reached out to GE Healthcare last year after gaining access to over 100 different credentials commonly used within the medical devices manufactured by the company, and similarly disclosed the vulnerabilities to ICS-CERT, the cyber emergency response team administered by the Homeland Security Department.
Nevertheless, they urged hackers to help identify and remediate other flaws before they can be compromised by someone acting with malicious, or potentially homicidal, intent.
“Patient safety is not a spectator sport,” Mr. Erven said. “You as information security people need to reach out to clinical engineering.”
The 23rd annual DefCon conference continues through Sunday.