Hospitals and Passwords – Three Essentials for Securing Critical Equipment

I would have thought the safest and most-protected computer hardware in the world would be in hospitals. Seriously, if someone could hack an artificial heart, the consequences could be disastrous. Imagine my shock, then, when I read a Wired article about how easy it was to hack medical equipment found in hospitals!

Perhaps I shouldn’t have been so surprised. I found out some time ago that high-tech medical machines often have Wi-Fi or Bluetooth connectivity. They need this for diagnostics, reporting and other functions. That’s why many hospitals don’t allow patients or visitors to use Wi-Fi in at least some areas.

I also read last year an ICS-CERT alert that a significant amount of medical equipment uses hard-coded passwords. That is, the passwords are the same for all devices of the same make and model, and they cannot be changed! Those passwords don’t provide any real security beyond helping to prevent accidental configuration changes. But if an attacker discovered one of those passwords and the device was networkable, the attacker could cause serious damage or death.

There are three essential steps that must be taken in environments where critical equipment exists. While not all are possible in all cases, and other, more traditional security steps must be performed also, these three steps are an important beginning.

  • First, all wireless networks must be secured with strong access control. That generally means a Wi-Fi key that’s difficult to discover and perhaps changed sometimes. There are tutorials on the web that explain how to discover a WPA2 pre-shared key. A serious attacker could use one of these to discover the key in a relatively short time ( a few hours with a good PC, or even more quickly on the web – for a fee) if the password or some portion of it can be discovered in one of the multi-million word dictionaries such as those used by So choose a random long password such as those generated by a password keeping took (e.g. KeePass).
  • Second, use strong device passwords. This clearly isn’t possible when the passwords are hard-coded, but when possible follow the same rules for Wi-Fi passwords and use the generation feature in the password-keeping tool.
  • Third, look for devices and networks with weak passwords. Most organizations don’t even know all the wireless networks on their campuses. When I teach Learning Tree Course 468, System and Network Security Introduction I often demonstrate tools to discover wireless networks. Many participants are surprised when they run them at work and discover unauthorized access points and even private networks set up by employees. Proper auditing of an orgnization’s wireless networks is essential to keeping the overall network secure.

These three essential tasks aren’t everything one needs to do. They are, however, a start to securing networks of equipment in hospitals or anywhere. And they apply, of course, to all networks, whether there is medical hardware or not.

To your safe computing,
John McDermott

Type to search

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.