Return to Blog Listing

A Word of Caution: Protecting Against Medical Device Computer Hacks Cliff Valenti, CHAP Vice President of Information Technology

Even Medical Devices Can Be Hacked

These days you can never be too careful when it comes to protecting wireless devices from malicious attacks.  Even infusion pumps are susceptible to being hijacked by computer hackers.  Once compromised, the hacker can remotely adjust dosages and change settings.  While it is nice to be able to connect a device to a network and control it remotely, sometimes hospitals are not even aware of this threat.  The root cause of the problem is that many infusion pumps come configured with remote administration enabled by default, right out of the box.  These days most manufacturers have changed this practice, disabling remote administration unless an administrator specifically chooses to enable it, then secure it with a unique password.  

The Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump recently fixed a vulnerability where the device had the same default administrator password on all devices.  This made it very easy for hackers to guess the correct password, allowing them to log in and take control of the system.  To make matters worse, devices often try to connect to networks automatically the first time they are turned on.  Companies were made aware of these vulnerability’s back in July, and now that patches are available the details are being made public.  If you have questions or concerns about any of your medical devices please refer to the manufacturer, or visit the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) website, where you can find a library of information regarding reported security flaws in medical devices.