Could also sell on patient data and tamper with results, for example

Ethical hacker has shown it's possible to

Undergoing an operation or procedure is scary enough without having to worry about whether criminals have tampered with medical equipment.

But experts have proved it is possible for hackers to do just that – and the results could prove deadly.

A security firm has managed to 'hack' a hospital in an experiment to prove it is possible to access machines, as well as patient data.


It means diagnoses and results could be sold on or even tampered with, leading to potentially harmful treatments.

An expert with the Kaspersky Lab Global Research and Analysis Team (GReAT) conducted field research at a private clinic in an attempt to explore its security weaknesses.

Modern clinics and hospitals contain sophisticated medical devices running on fully functional computers with an operating system and applications installed on them.

Patient information is stored on them, enabling doctors to do their jobs, and the devices are usually connected to the internet, making them extra vulnerable to hackers.

Because specialist equipment is so expensive and hard to fix, it is unlikely to be replaced regularly, making it a target for extortion and data theft.


THE RISK OF CYBER ATTACKS TO HOSPITALS

While the outcome of cyber-attacks against hospitals and clinics could differ in detail they could all:

Allow hackers to access patient data, selling it on or demanding a ransom from an organisation to get the sensitive information back.

Enable criminals to falsify results and diagnoses, which could prove dangerous.

Let hackers damage medical equipment, which could cause physical damage to patients and incur huge costs for hospitals.

Negatively impact the reputation of a hospital or clinic.

Recently, criminals have used ransomware attacks against hospitals in the US and Canada, but the expert also warned it is relatively straightforward for hackers to interfere with the functionality of equipment.

Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.

The unnamed expert said cyber criminals could use the Shodan search engine to look for specific medical devices connected to the internet, such as MRI scanners and cardiology equipment like defibrillators used to save the lives of people who have suffered cardiac arrest.

As some devices are still connected to old operating systems like Windows XP, which have unpatched vulnerabilities, hackers could access them quite easily, Kaspersky said.

They could even use default passwords found in public manuals to access a device's interface and affect the way they work.


In the experiment, the expert 'attacked' the clinic's local network by exploiting a vulnerability found in its Wi-Fi connection.

They then found some medical equipment that was listed on Shodan and did not even need to enter a password because the local network was trusted.

WHAT CAN HOSPITALS DO TO PROTECT THEMSELVES FROM HACKERS?

Use strong passwords to protect all external connection points

Update IT security policies and develop timely patch management and vulnerability assessments

Protect medical equipment applications in the local network with passwords in case of unauthorised access to the trusted area

Protect infrastructure from threats like malware and hacking attacks with a reliable security solution

Back up critical information regularly and keep a backup copy offline

Exploring the network, the ethical hacker found a 'command shell' in the device's user interface that allowed them to potentially access patient information.

A cybercriminal could therefore use the same route to snoop on patients' clinical histories, medical results, addresses and ID details, which they could sell on or falsify.

But scarier still, the expert said the vulnerability could allow someone to tamper with a device to alter the way it works, potentially causing physical harm or even death.

Sergey Lozhkin, senior researcher at Kaspersky Great Lab, said: 'Clinics are no longer only doctors and medical equipment, but IT services too.

'The work of a clinic's internal security services affects the safety of patient data and the functionality of its devices.

'Medical software and equipment engineers put a lot of effort into creating a useful medical device that will save and protect human life, but they sometimes completely forget about protecting it from unauthorised external access.

'When it comes to new technologies, safety issues should be addressed at the first stage of the research and development process.'