While giving a talk at the Security Analyst Summit 2016, Sergey Lozhkin, a security researcher for Kaspersky, told how he was able to hack a hospital while sitting in his car outside the building.
Talking about the risks associated with a hospital hack, we’ve got an endless list on our plate. A cybercriminal can alter the patients’ electronic health records and turn a healthy person into a sick one. Changing the settings of the medical equipment also brings along a scary scenario.
Well, it was just a test and the hospital management gave the permission to test the computer network. This experiment was started to highlight the security risks the unprotected medical equipment pose. He got the inspiration to do so when he stumbled upon such equipment online through Shodan.
After finding that many of those devices belonged to the local hospital, Sergey contacted the hospital administration and brought the issue to the hospital management’s attention.
During the process, he discovered that due to the basic firewalls, he was unable to access any equipment via remote connection. Next, he aimed to crack hospital’s network by sitting in his car near to the actual building. Fortunately, he was close enough to reach the building’s WiFi.
Kaspersky's Sergey Lozhkin sat in car with laptop outside hospital & got control access to devices & patient records pic.twitter.com/VU373QrsJS— Sam Gad Jones (@samgadjones) February 9, 2016
Then he managed to reach a tomographic scanner that allowed him to access the patient’s records. “There are two groups of people who need to be alarmed by this question, more specifically — the developers of medical equipment and the hospital management boards,” the Kaspersky team notes in a blog post.
It’s inevitable to avoid injuries and doctors — so we are bound to put our trust into the high-tech medical devices used in the hospitals. This experiment shows the appalling condition of the Internet-connected devices that are just accidents waiting to happen. It’s a responsibility of the hardware and software developers to ensure the security of these devices who are constantly talking to the Internet without following proper security protocols.