But an eye-opening new report from Independent Security Evaluators now says that malicious hackers have the capability to kill patients by taking over computer systems that track delivery of medicine or manage requests for blood work.
Fortunately, a patient death has never been caused by a cyber criminal, but the report seems to be a wake-up call for the healthcare industry, which has so far been ill-prepared to deal with "very real" threats to patients' lives, according to ISE founder Steve Bono.
Using an "adversary-centric perspective" to security, the Baltimore-based ISE, backed by an advisory board of healthcare and information security experts, assessed 14 healthcare facilities and data centers in various states, along with medical device and healthcare websites over a two-year period. The firm ultimately concluded that "patient health remains extremely vulnerable."
The report argues that hospitals are focused on the wrong mission - securing patient records - while ignoring advanced threats that leave patients truly vulnerable. "There is no question that this is an important factor in protecting patients' interests," the report says, while adding that "patient health is the more serious concern and has been overlooked far too long."
Researchers found a number of nightmare scenarios that could occur, mostly as a result of a hacker manipulating systems to report false information.
Doctors could perform emergency procedures after seeing incorrect readings from a compromised heart monitor, or a device could be taken offline completely so a nurse would not notice when a patient is under duress. And medicine delivery systems could be hacked to deliver the wrong medicine, or too much of it, to a patient.
The scenarios are not just theoretical, the report demonstrates. It follows other researchers' findings of vulnerabilities in a popular drug infusion pump, and another two-year study of the issue, which led Wired Magazine to conclude "it's insanely easy to hack hospital equipment."
The ISE team details how it pulled off these attacks in its report. In one example, the team hacked into a hospital web server and found numerous patient monitors connected to the network, which gave it the ability to sound false alarms, display the wrong vitals, or disable a device completely. This attack would have likely prevented assistance to patients, "resulting in death or serious injury," the report says.
In another attack, ISE researchers walked into a hospital and accessed a vendor kiosk in the lobby, quickly using it to gain access to the hospital network. "Our team was able to identify numerous mobile computer stations (i.e. the mobile stations found in most emergency and hospital rooms)," the report says, "of which one was readily exploitable."
The report wasn't all doom and gloom, however. ISE included a detailed blueprint for healthcare administrators to follow, with recommendations for basic network security audits, upgrades to computer systems, and beefing up physical security protocols inside facilities.
"There were often no security measures employed for detecting whether rogue or malicious devices had been connected to the network," the report says. "Meaning an adversary could simply walk up and plug in to the network in order to gain access."
In its conclusion, ISE urged hospitals to address the "advanced threats" it identified, which were far worse than hackers potentially getting medical records.
"A patient or multiple patients dying is the worst thing that can happen," Bono told The Baltimore Sun. "It became readily apparent that yes, it's possible."