Over 1950 Total Lots Up For Auction at Two Locations - NJ Cleansweep 06/13, NJ 06/14

Spanish SpanishPortuguese Portuguese

Unsecured EHR systems could put lives at risk: report

by Thomas Dworetzky, Contributing Reporter | September 05, 2018
Health IT
Share
A team of University of California doctors and computer scientists have shown that it's a snap to hack medical tests results remotely.

Using a classic “man-in-the-middle” attack, they showed how they broke into the connection between the hospital lab devices and the electronic medical records system using a proof-of-concept tool they dubbed “Pestilence” at the August Black Hat 2018 conference in Las Vegas.

Pestilence will not be released to the public.

"As a physician, I aim to educate my colleagues that the implicit trust we place in the technologies and infrastructure we use to care for our patients may be misplaced, and that an awareness of and vigilance for these threat models is critical for the practice of medicine in the 21st century," said Dr. Jeffrey Tully, an anesthesiology resident at the UC Davis Medical Center and part of the team.

While the style of hacking is not new, it is “innovative” to pair computer and clinical know-how to exploit weaknesses in the HL7 standard for health data transmission to negatively impact the patient care process, the UC Davis and UC San Diego team noted.

Of particular note, said the researchers, is that in today's charged celebrity-obsessed culture, any high-profile patients could be especially at risk, such as heads of state, politicians or movie and TV personalities, they warned.

Such attacks could even be used by a foreign power to cripple the U.S. medical infrastructure – doctors must be able to trust their data when making treatment decisions and be sure it is not corrupted, they warned.

The hooks for their hack reside in the protocols used to transfer patient data in networks – the Health Level Seven standards, or HL7, which lets various devices and databases “talk” to each other.

For example, patient data is basically shipped around networks “in an unsecure fashion,” according to the UC statement, adding that, “specifically, the data are transmitted as unencrypted plain text on networks that do not require any passwords or other forms of authentication.”

The protocol was devised in the 1970s and has not been upgraded to employ the last 40 years of cybersecurity advances.

"Healthcare is distinct from other sectors, in that the manipulation of critical infrastructure has the potential to directly impact human life, whether through direct manipulation of devices themselves or through the networks which connect them," the research team stated in their white paper that accompanied their appearance at the conference.
Sign up for Health IT stories Sign up for Weekly Top stories

You Must Be Logged In To Post A Comment

Sign up for Weekly Top stories

Sign up for Health IT stories

 

classifieds

Health IT Homepage

Diversifying revenue stream using patient payments
Improving standard of Prostate Cancer Diagnosis and Care while increasing MRI revenues
Preventing cyberattacks: Finding the right strategic partner
How virtual assistants are transforming business models
Technology, transparency and the bottom line: Considerations for the specialty benefits ecosystem
The consequences of the hack of Lurie Children’s Hospital
Through Edgility acquisition ABOUT aims for end-to-end AI-driven patient flow
Bayer and Google Cloud to accelerate development of AI-powered radiology applications
GE HealthCare closes MIM Software deal
Teleradiology company and CEO admit to unlawful billing, will pay $3.1 million