I would have thought the safest and most-protected computer hardware in the world would be in hospitals. Seriously, if someone could hack an artificial heart, the consequences could be disastrous. Imagine my shock, then, when I read a Wired article about how easy it was to hack medical equipment found in hospitals!
Perhaps I shouldn’t have been so surprised. I found out some time ago that high-tech medical machines often have Wi-Fi or Bluetooth connectivity. They need this for diagnostics, reporting and other functions. That’s why many hospitals don’t allow patients or visitors to use Wi-Fi in at least some areas.
I also read last year an ICS-CERT alert that a significant amount of medical equipment uses hard-coded passwords. That is, the passwords are the same for all devices of the same make and model, and they cannot be changed! Those passwords don’t provide any real security beyond helping to prevent accidental configuration changes. But if an attacker discovered one of those passwords and the device was networkable, the attacker could cause serious damage or death.
There are three essential steps that must be taken in environments where critical equipment exists. While not all are possible in all cases, and other, more traditional security steps must be performed also, these three steps are an important beginning.
These three essential tasks aren’t everything one needs to do. They are, however, a start to securing networks of equipment in hospitals or anywhere. And they apply, of course, to all networks, whether there is medical hardware or not.
To your safe computing,