Patients’ vital signs could be falsified in cyber attack, study finds
Image credit: Dreamstime
According to a report by the McAfee Labs’ Advanced Threat Research team, hackers could target connected patient-monitoring systems and provide false vital signals to cause confusion and potential danger on hospital wards.
The researchers chose to focus on this patient-monitoring technology, which is crucial for decision making on hospital wards. The researchers consulted with a doctor, who told them that vital signs are “integral to clinical decision making”.
Most patient-monitoring systems have at least two connected components: a bedside monitor and a central monitoring system, which is used by a clinician to observe multiple patients’ vital signs. The researchers purchased samples of both components of models which remain in use in hospitals and an electrocardiogram (ECG) simulator.
The McAfee researchers decided to focus on the communication between the devices as the target of hackers, which could affect all devices on the network. They set up the instruments and observed as it regularly exchanged packets of patient data. This communications protocol – the Rwhat protocol – was weak, relying on encrypted packets of data which can be easily modified.
The researchers discovered that it was possible to emulate the monitors and also to falsify the vital signs transmitted between the bedside monitor and central monitoring station in real time. For an attack to be viable, the hacker would have to be on the same network as the connected monitors and have some knowledge of the networking protocol, as well as knowing, for the latter, how to falsify vitals in a way that would fool an experienced clinician.
Emulating the monitor would allow the attacker to collect real patient data, then forward altered data to the real central monitoring system. This could, the researchers say, prevent medical staff from knowing if help was needed as a patient entered an unstable state, potentially risking their health. It could even make it easier to kidnap patients, they suggested.
Meanwhile, falsifying vital signals in real time could allow hackers to fake a ‘flatline’ event and cause panic on a hospital ward, as the fake signals appear on the central monitoring station. A doctor with whom McAfee consulted warned that this sort of attack could result in confusion and mistaken decision-making by clinicians, with some patients receiving inappropriate medications, getting the wrong diagnosis, or going through additional, expensive tests.
Garrett Sipple, a consultant at Synopsys who was not involved with the research, commented that: “This is another example of recognising the importance of security as it plays a role in maintaining the safety and effectiveness of medical devices. Medical devices often move through long product development cycles that can make them slow to react to new cyber-security threats, especially if cyber security wasn’t even a key consideration in the development process.”
The McAfee researchers revealed their findings at the 2018 DEF CON conference in Las Vegas.