Sunday, March 27, 2016
Now This Is Pretty Ominous News But I Am Not Sure What We Can Do About It!
This appeared a little while ago:
The security flaws put patients' health at risk
Next time you go for an MRI scan, remember that the doctor might not be the only one who sees your results.
Thousands of medical devices, including MRI scanners, x-ray machines and drug infusion pumps, are vulnerable to hacking, creating significant health risks for patients, security researchers said this week.
The risks arise partly because medical equipment is increasingly connected to the Internet so that data can be fed into electronic patient records systems, said researcher Scott Erven, who presented his findings with fellow researcher Mark Collao at the DerbyCon security conference.
Besides the privacy concerns, there are safety implications if hackers can alter people's medical records and treatment plans, Erven said.
"As these devices start to become connected, not only can your data get stolen but there are potential adverse safety issues," he said.
The researchers located medical devices by searching for terms like "radiology" and "podiatry" in Shodan, a search engine for finding Internet-connected devices.
Some systems were connected to the Internet by design, others due to configuration errors. And much of the medical gear was still using the default logins and passwords provided by manufacturers.
The researchers studied public documentation intended to be used to set up the equipment and found some frighteningly lax security practices.
The same default passwords were used over and over for different models of a device, and in some cases a manufacturer warned customers that if they changed default passwords they might not be eligible for support. That's apparently because support teams needed the passwords to service the systems.
The researchers focused on equipment from GE Healthcare, but they said they could have picked any company. GE is "one of the more progressive" vendors and responded quickly when the flaws were pointed out, they said.
On the plus side, there was no evidence the hackers had targeted the devices specifically because they looked like medical systems, Collao said, but they're still being targeted.
"Next time you're in a hospital getting hooked up to a machine and you see an Ethernet cable going to the wall, it makes you think twice."
Love the last paragraph - but I am not sure just what the patient can do. Clearly it is the equipment manufacturers who need to save us from all the risks here. A few news stories of things going wrong will be the best tool to foster change and our safety.
Posted by Dr David G More MB PhD at Sunday, March 27, 2016