Medical devices, such as computed tomography (CT) and magnetic resonance imaging (MRI) machines, are vulnerable to cyberattacks if they are not given regular security updates.
Researchers from the Ben-Gurion University of the Negev, Israel, released a paper proving the relative ease of exploiting medical technology which uses out-of-date security software.
This research highlights a potential gap in the cyber security of hospital equipment. There are currently strict regulations which make it difficult to conduct basic updates on medical computers, and installing anti-virus software is not sufficient to prevent cybercrime.
The researchers discovered that while most medical devices have a security weak spot, CT scanners proved to be at the greatest risk of an attack due to their role in acute care imaging.
Successful hackers could block access to medical imaging devices which could have severe consequences for patients in need of quick diagnosis and treatment. The researchers provided the potentially fatal example of hackers adding or removing a dangerous tumour to an image which could then lead to medical mistakes.
Security experts also fear cyber criminals could disable devices altogether and use this a bargaining method during ransom attacks.
Manager of security solutions at electronic design automation company Synopsys, Adam Brown, said: “Medical devices are not only open to cyber-attacks. In a survey Synopsys ran with Ponemon last year, it was found that in 38% of cases where a medical device has been breached, inappropriate health care had been delivered to the patient – and that could be lethal. Medical device vendors really must start to address security in their code. A recent Building Security in Maturity Model report shows that it is still evident that healthcare falls behind other industries when it comes to software security practices.”
Brown added: “Speaking to buyers of this equipment, I have found that they are frustrated; in similarity to speaking to large software vendors, the response they get is woefully similar – a reluctance to change or justification that other large organisations don’t ask for security. I would urge medical device manufacturers to take a long hard look at their software security practices and maturity, as there is a lot of work to do.”
The researchers predict that the number of attacks will increase and more sophisticated skills could be used to hack any outdated hospital computers. They plan to conduct over 20 more simulated attacks to uncover any other vulnerabilities before they create a machine learning algorithm to secure CT devices.
Cyber security in hospitals came under the spotlight when NHS computers were badly affected by the WannaCry ransomware in May 2017.