A new report from a Baltimore-based tech security company poses an alarming question. Could hackers take control of hospital computer systems to kill patients? The short answer: yes.
As CEO of Independent Security Evaluators, Stephen Bono is in the business of problem solving. A few years ago, he and his staff brainstormed the worst possible outcome of a cyber attack.
"A person actually being harmed through a cyber attack or dying in a cyber attack would be the worst case scenario," he said. "So then we asked ourselves, 'Well, is that really a feasible situation?' And what we found out was, 'Yes.'"
"Securing Hospitals" is the end product of a two-year study of 12 hospitals across the country, including ones in Baltimore, Towson and Washington, D.C. With the cooperation of the hospitals, ISE's team breached each medical center physically and virtually to identify key weaknesses in their operations.
"Year by year, terrorism gets more technologically savvy and at some point, they're going to start attacking our infrastructure and healthcare is a major part of our infrastructure," Bono said.
While most hospitals' IT security focus is on protecting patient records and privacy, ISE identified potentially deadly vulnerabilities elsewhere. The team found it was possible to hack into medical devices attached to patients, as well as the systems that monitor patient conditions and care.
"Modifying a medical record to say, change somebody's allergies, change the medicines they are allergic to, change their medical histories to say, maybe they are diabetic or they are not diabetic," he said. "Pretty much across the board, we found similar issues that would always allow us access to these types of systems."
The report also offers solutions, a blueprint that ISE hopes hospitals nationwide will use to tighten up their cyber security. The biggest challenge? Massive underfunding and understaffing for security departments.
"Hopefully, the idea is that people will start to wake up to this issue and start to fix it, before anybody actually does get hurt," Bono said.
He said this can't be fixed overnight. Rather, hospitals have to make cyber security a priority because it's a constant battle against new technology. Just last month, hackers attacked the computer systems of a hospital in Los Angeles. Malware blocked access to patient records until the hospital paid a ransom to the cyber criminals.