Hackers at Independent Security Evaluators broke into one hospital's systems remotely to take control of several patient monitors, which would let an attacker disable alarms or display false information.
The team strolled into one hospital's lobby and used an easily accessible kiosk to commandeer computer systems that track medicine delivery and bloodwork requests — more opportunities for malicious hackers to create mayhem.
The firm worked with the knowledge and cooperation of a dozen hospitals, including hospitals in Baltimore, Towson and Washington. They did not release the names of the hospitals.
Steve Bono, one of the company's founders, said the project began with a simple question: "What's the worst thing that can happen?"
"A patient or multiple patients dying is the worst thing that can happen," he said. "It became readily apparent that yes, it's possible."
The findings, summarized in a report published this week, join a growing body of research about the vulnerabilities in medical devices and health care systems.
Cybersecurity weakness were once confined mostly to caches of data. But as more and more devices are turned into computers and put online — creating what is known as "the Internet of things" — the potential for hackers to wreak havoc in the real world has grown.
Bono and his team concluded that hospitals have focused most of their cybersecurity efforts on protecting private patient records, and not enough on defending computer systems that are hooked up to patients and could be used to cause them harm.
©2016 The Baltimore Sun Distributed by Tribune Content Agency, LLC.
