A team of physicians and computer scientists has shown that it is easy to modify medical test results remotely by attacking the connection between hospital laboratory devices and medical record systems. While the vulnerabilities the researchers exploited are not new, this is the first time that a research team has shown how they could be exploited to compromise patient health.
These vulnerabilities arise from the standards used to transfer patient data within hospital networks, known as the Health Level Seven standards, or HL7. Essentially the language that allows all devices and systems in a medical facility to communicate, HL7 was developed in the 1970s and has remained untouched by many of the cybersecurity advances made in the last four decades.
Implementation of the standards on aging medical equipment by personnel with little or no cybersecurity training has led to untold amounts of patient data circulating in an unsecure fashion. Specifically, the data are transmitted as unencrypted plain text on networks that do not require any passwords or other forms of authentication.
The vulnerabilities and methodologies used to create the Pestilence tool have been previously published. The innovation here is combining computer science know-how and clinicians’ knowledge to exploit weaknesses in the HL7 standard to negatively impact the patient care process.
Researchers used what’s called a “man in the middle attack,” where a computer inserts itself between the laboratory machine and the medical records system. Bland, the UC San Diego computer science graduate student, automated the attack so it could tackle large amounts of data remotely. Researchers did not infiltrate an existing hospital system, of course. Instead, they built a testbed comprised of medical laboratory testing devices, computers and servers. This allowed the team to run tests, such as blood and urine analysis, intercept the test results, change them and then send the modified information to a medical records system.
Cybersecurity needs to become part of the FDA approval process for healthcare devices, the researchers said. Manufacturers should be encouraged to adopt the newest and most secure operating systems. For example, today, many medical devices still run on Windows XP, an operating system that was released in 2001 and is no longer supported by Microsoft — meaning that vulnerabilities are not fixed. These devices can’t be easily upgraded as they would need to be taken offline, which would compromise patient care. In addition, some devices are too told to be upgraded.