An ethical hack by an IT security provider of a private health clinic’s IT system has highlighted the vulnerability of internet connected medical devices.

The hackers, from Kaspersky Lab, were able to take control of medical devices and to hack the electronic patient record.

They say that this vulnerability could open the door to cyber criminals not only to lock down sensitive data and demand a ransom to unlock it but also alter it.

Kaspersky Lab Global Research and Analysis Team worked with the unnamed clinic to test the IT security. The research team used the Shodan search engine to identify hundreds of internet-connected devices – including MRI scanners and cardiology equipment.

Some of these devices were working on old operating systems such as Windows XP and had unpatched vulnerabilities. Some even used default passwords that appear in publicly available user manuals.

The team went on to gain access to the clinic’s network by exploiting a vulnerability in the wi-fi connection.

In a statement, the team explained: “Exploring the local clinic’s network, the Kaspersky Lab expert found some medical equipment that was previously found on Shodan.

“This time, however, to get access to the equipment, a password wasn’t required at all because the local network was a trusted network for medical equipment applications and users. This is how a cybercriminal can gain access to a medical device.

“Further exploring the network, the Kaspersky Lab expert discovered a new vulnerability in a medical device application.

“A command shell was implemented in the user’s interface that could give cybercriminals access to personal patient information, including their clinical history and information about medical analysis, as well as their addresses and ID details.

“Moreover, through this vulnerability, the whole device controlled with this application could be compromised. For example, among these devices could be MRI scanners, cardiology equipment, radioactive and surgical equipment.

“Firstly, cybercriminals could alter the way the device works and cause physical damage to the patients. Secondly, they could potentially damage the device itself at immense cost to the hospital.”

David Emm, principal security researcher at Kaspersky Lab, said the hack had highlighted vulnerabilities that could have devastating consequences if exploited by cyber criminals.

He said: “Cyber-criminals can exploit software vulnerabilities to steal patients’ data or infect the network with malware.

“Hackers can also alter the data in the patients’ electronic health records: turn a healthy person into a sick one or vice versa. They can change some test results or dose strength — and that can seriously damage patients’ health.

“It’s also possible to adjust medical devices in the wrong way and thereby break expensive equipment or — once again — hurt the patients who undergo treatment with the help of these machines.”

In the second of his columns for the Digital Health Cyber Security Hub, Davey Winder explores the risks posed by the Internet of Medical Things. Read about the scale of the challenge in features.