Thousands of hospitals making simple cyber security error, exposing devices

Drug infusion pumps that can be manipulated from afar, defibrillators than can be programmed to deliver random shocks, refrigerators whose temperature settings can be reset, these are some of the cybersecurity problems uncovered by Scott Erven, the head of information security for healthcare facility operator Essentia Health.

It took Erven's team only half an hour to find another healthcare organization that was exposing information about 68,000 systems, including at least 488 cardiology systems, 332 radiology systems and 32 pacemakers, according to Wired Magazine.

"Now we know all the targeted info and we know that systems that are publicly connected to the internet are vulnerable to the exploit," Erven told Wired. "We can exploit them with no user interaction… [then] pivot directly at the medical devices that you want to attack."

The problem stems from poorly configured settings on the Server Message Block protocol that allows information like computer IDs to be shared publicly instead of just with select staff. And Erven said thousands of other healthcare organizations around the globe are making the same mistake.

Computer viruses exploiting the information can then be sent to hospitals via spam emails. Worst of all, if the computer ID contains a doctor's name, as it sometimes does, that information can be used to target individual patients, the article says. 

While shocking, news of poor cybersecurity in the med tech and healthcare industries shouldn't be "news" anymore. On June 23, Medtronic ($MDT) said that it, along with two other large medical device manufacturers, discovered an "unauthorized intrusion" to its systems last year that could be traced back to hackers in Asia. The company also disclosed that it lost an unnamed number of patient records from its diabetes unit in a separate incident, but does not know what type of information was included in the records.

The FDA has taken notice and experts say it will soon start rejecting devices that aren't secure. In addition, growing concerns from patients could jolt companies and hospitals into action. A fictional cyber attack on the TV show Homeland and increased media attention have brought the issue to life.

- read the Wired article