A research team comprising physicians and computer scientists from the University of California (UC) has demonstrated that hackers can easily modify medical test results by remotely gaining access to the connection between hospital laboratory devices and medical record systems.
Researchers cautioned that hackers may be able to debilitate the country’s medical infrastructure and may also go after specific high-profile targets such as heads of state and celebrities.
The scientists used a man-in-the-middle attack to intercept and alter data transmitted from a laboratory information system to an electronic medical record system. Dubbed Pestilence, the attack will not be released to the general public, as it is meant solely as a proof of concept.
The report says that vulnerabilities arise from the standards used to transfer patient data within hospital networks, such as the Health Level Seven (HL7) standards.
It is claimed that large amounts of patient data are being circulated in an insecure fashion as the standards are implemented on ageing medical equipment by personnel with little or no cybersecurity training.
To create the Pestilence tool, the researchers combined their computer science and clinical knowledge to identify and exploit vulnerabilities in the HL7 standard.
UC Davis Medical Center anesthesiology resident Jeffrey Tully said: “As a physician, I aim to educate my colleagues that the implicit trust we place in the technologies and infrastructure we use to care for our patients may be misplaced, and that an awareness of and vigilance for these threat models is critical for the practice of medicine in the 21st century.”
To avoid such attacks, researchers suggested various countermeasures, such as enhancing security practices and protecting medical record systems and medical devices using passwords.
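The risk described above is that a lab result can be changed between the laboratory information system and the medical record system without the receiver noticing. The sketch below is an added illustration, not the researchers' code and not one of their listed countermeasures: it shows how a receiver could detect such a change if sender and receiver shared a secret key (assumed to be provisioned out of band) and the sender attached an HMAC tag in a site-defined Z-segment, here hypothetically named `ZSG`. The HL7 v2 message and all its values are constructed.

```python
import hashlib
import hmac

# Constructed sample: an HL7 v2 ORU^R01 result message as a LIS might send it.
# Segments are separated by carriage returns, fields by "|". All values are made up.
SAMPLE_ORU = "\r".join([
    "MSH|^~\\&|LIS|LAB|EMR|HOSP|202001011200||ORU^R01|MSG0001|P|2.5",
    "PID|1||000000^^^HOSP||DOE^JANE",
    "OBR|1|||2823-3^Potassium^LN",
    "OBX|1|NM|2823-3^Potassium^LN||4.1|mmol/L|3.5-5.1|N|||F",
])
TAG_SEGMENT = "ZSG"  # hypothetical site-defined Z-segment that carries the tag


def _protected_bytes(message: str) -> bytes:
    """Bytes covered by the tag: every segment except the tag segment itself."""
    segments = [s for s in message.split("\r") if s and not s.startswith(TAG_SEGMENT + "|")]
    return "\r".join(segments).encode("utf-8")


def sign_message(message: str, key: bytes) -> str:
    """Sender side (LIS): append a ZSG segment holding an HMAC-SHA256 tag."""
    tag = hmac.new(key, _protected_bytes(message), hashlib.sha256).hexdigest()
    return message.rstrip("\r") + "\r" + f"{TAG_SEGMENT}|1|HMAC-SHA256|{tag}"


def verify_message(message: str, key: bytes) -> bool:
    """Receiver side (EMR): recompute the tag and compare in constant time."""
    tags = [s.split("|") for s in message.split("\r") if s.startswith(TAG_SEGMENT + "|")]
    if len(tags) != 1 or len(tags[0]) < 4:
        return False  # missing, duplicated or malformed tag: reject the result
    expected = hmac.new(key, _protected_bytes(message), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), tags[0][3].encode())


def observation_values(message: str) -> dict:
    """Map OBX-3 (observation identifier) to OBX-5 (reported value)."""
    out = {}
    for seg in message.split("\r"):
        f = seg.split("|")
        if f[0] == "OBX" and len(f) > 5:
            out[f[3].split("^")[0]] = f[5]
    return out
```

A tag like this only detects alteration in transit; it does not hide the patient data, so encrypting the connection remains a separate control.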