Security vulnerabilities of medical system seriously threaten patients’safety2016-06-08
Recently, an APP widely used in American medical institutions was exposed to have backdoor that anyone can access to private data of patients (including patients who are or will be undergoing surgery) and modify it as long as they have hard code document, which seriously threatens the safety of all patients.
Current situation of medical system
In recent years, medical industry has become increasingly dependent on the internet in order to seek for more efficient treatment and better medical system. However, this action exposed a serious problem, which is the great number of computers and medical equipment hospital are using have become the target of hackers.
A survey in 2015 showed:
There are 5 billion intelligent connection equipment are in the use globally. This number will rise to 25 billion in five years. A great part of it is medical equipment like pacemaker, drug pump, mobile medical operating platform, family monitoring and private fitness facility. There are over 10 million people using pacemaker, insulin pump, artificial cochlea and other medical equipment just in America.
Some of the medical equipment can only send wireless data like pacemaker. Some others can both send and receive information. Hackers can steal medical data by controlling the medical equipment. It may cause life danger to patients in serious case.
Backdoor of PIMS system
In the past few days, a loophole of medical system was exposed. The problem lied in the perioperative information management system of Medhost. This system aims at assisting clinical team to manage patients’ information in the perioperative period, which actually contains a hidden user name and password. Although the user name and password are kept confidential, once they are obtained by people with no good purpose, it will be the backdoor of this system. All relevant information of patients who have or will undergo surgery is under the threat of being modified.
The loophole is discovered by the CERT security advisor team of Carnegie Mellon University in America. This team is mainly responsible for digging loopholes and solving security problems. CERT has released security announcement against the system with VPIMS as its old name right after the loophole was founded. The company has released patch, which can be used by medical institutions for upgrade to solve the problem.
Users of this APP are normally medical personnel and doctors, who can access to lots of patients’ data. In the official website of Medhost, the company declared that this app can assist analgesists to obtain real time information of critically ill patients and make sure they are in good conditions. It can also access to patients’ medical history, medical examination report and provide detailed data to all clinical doctors of medical institutions at any time.
At present, we don’t know for sure how many medical institutions have been sold with patients’ real time status and medical history or whether it has reached overseas market. But it is said that over 1000 medical institutions are clients of Medhost.
The spokesman of Medhost has not yet responded to this matter up to now.
Frequent medical disasters
Network of American medical system has suffered multiple hacker attack before.
In 2009, there was a data leak of website of Department of Health and Human Services in United States.
In 2011, computer system of Gwinnett Medical Center in Lawrence Weil, Georgia has been paralyzed because of virus. It was closed for 3 days to all non-emergency patients.
In June 2014, server of Department of Public Health in Montana has been attacked by hackers with the influence covering more than a million people.
In August 2014, the second-largest listed hospital group of America, Community Health, was under the attack of hackers. Stolen information included patient’s name, address, date of birth and social security number.
In February 2016, the Hollywood council medical center in LA was attacked by ransom ware. It recovered after paying 17 thousand dollars.
In February 2016, two German hospitals, Lucas Hospital and Klinikum Arnsberg Hospital were attacked by ransom ware.
In May 2016, a key medical equipment of Merge Health Care in America crashed during cardiac surgery due to timely scan of the anti-virus software installed in the PC.
Although it is much less likely for medical industry network to be attacked by hackers than all company networks of financial and military industry, there is a clear tendency that medical industry has become the most vulnerable one in all systems.
The slack attitude of medical industry towards network attack is one of the most important reasons. Computer scientist and technical director of information security society in American Johns Hopkins University, Avi Rubin said that:
“System of medical industry is the system with most loopholes I have ever seen. If financial industry shares the same attitude as medical industry towards network security issues, I suppose no one will dare to trust these institutions with their money.”
With the threat of medical equipment being attacked by hackers become increasingly serious and attack form diverse, medical equipment manufacturer and hospital technical team should pay more attention to network security protection and avoid becoming the target of hackers.