Commonly found medical devices, surgical equipment still vulnerable to hackers

O'Fallon, IL (KMOX) - Cyber security experts tell KMOX, many older medical devices remain vulnerable to hackers.  And that makes for some scary scenarios.

"They haven't traditionally been built with security in mind. They were typically built to be stand alone and a lot of them are built on older operating systems," says CEO of O'Fallon, Ill.-based Alpine Security, Christian Espinosa. 

From glucose monitors to surgical equipment, Espinosa says many of the medical devices in use today weren't meant to be networked. 

"Now you have a legacy system that wasn't designed with security in mind that might control life and death functions, which is being connected to a hospital network, which is traditionally unsecure anyway. And that hospital network at some point is connected to the internet. So all these things combined create sort of a recipe for problems really."

KMOX News asked Espinosa to explain just what makes hospitals a greater challenge to secure.  First, he tells us, they offer public access 24-7, which puts them at greater risk of physical threats.

"People could sit there and try to hack into the wireless. People can plug a laptop into a wall jack on an ethernet network jack on the wall so they can try to break in that way," he says. 

Hospitals also allow a lot of network access. 

"Basically if something is connected to the hospital network, the hospital is accepting the risk that that device, that medical device poses to the network. A lot of people don't think about risks with cybersecurity, but any vulnerable device you plug into your overarching network, then you're basically passing that vulnerability onto all the other devices that are on the network," he says.

Espinosa points out, most medical centers have thousands of devices, manufactured by third parties, "the hospital may be able to identify there's a problem with that device, but they're relying on the vendor to come up with a patch in a timely manner and figure out how to fix that device. And during that timeframe, the hospital is often reliant on that device. So they can't take it off the network."

Espinosa says there are not only risks for patient privacy, but also for the integrity of the medical data, and disruption of critical services.

One focus for the cybersecurity firm is medical device testing.  Espinosa says he has seen an increase in manufacturers now seeking testing before their devices hit the market.  One that they've tested is a system used to track the movement of the eye during laser surgery. 

Alpine has also been involved with testing various glucose monitors and other devices that test the blood for bacteria, "and if you can compromise this, you can alter the results. So somebody has something like Sepsis, which you have to treat immediately and it's misdiagnosed or the integrity of the results is compromised that could cause somebody to die." 

That same type of machine is also used to test meat products in the food industry.  With his background in threat simulation, Espinosa says it's not too hard to conceive of scenarios where that could be exploited for a large scale attack.

While there are risks with connected medical devices, Espinosa says the fix is often pretty simple -- using the existing software to block incoming traffic without impacting outbound connections that provide data.

© 2019 KMOX (Entercom). All rights reserved