Researchers from cybersecurity company McAfee found a way to modify patients' heart rate data displayed on a central monitoring station, which they detailed in an Aug. 11 report.
The researchers purchased a bedside monitor — which tracks a patient's vital signs, including heartbeat, oxygen level and blood pressure — and a compatible central monitoring station, which physicians use to observe data from multiple patients' bedside monitors. Both monitors were produced in the mid-2000s.
The researchers were able to intervene in the space where the bedside monitor communicates with the central monitoring station by using a third device — an electrocardiogram simulator — to change a patient's heartbeat data as it's displayed on the central monitoring station. They noted an attack would only work if the hacker was on the same network as the devices.
Shaun Nordeck, MD, a physician the researchers spoke with for the report, noted that medical professionals use central monitoring stations to make critical decisions. If a hacker induces a believable change to a patient's data, a physician may opt not to verify it on their bedside monitor — and this discrepancy could lead to a patient receiving the wrong medications or an extended hospital stay.
"Fictitious cardiac rhythms, even intermittent, could lead to extended hospitalization, additional testing and side effects from medications prescribed to control heart rhythm and/or prevent clots," Dr. Nordeck said. "The hospital could also suffer resource consumption."
The researchers reported their findings to the vendor whose products they tested. However, the report did not disclose the name of the vendor.
The researchers suggested product vendors across the board encrypt network traffic between devices and add authentication features to make it more difficult for a hacker to execute this type of attack. Healthcare facilities should run medical equipment on an isolated network with strict access controls, the researchers added.
To read McAfee's report, click here.