Security researchers have exploited notoriously porous hospital networks to gain access to, and tamper with, critical medical equipment in attacks they say could put lives in danger.

In tests, hospital hackers from the Independent Security Evaluators research team popped patient monitors, making them display false readings which could result in medical responses that injure or kill patients.

They say other critical medical equipment could be accessed using the same attacks.

The team examined 12 healthcare facilities, two data centres, a pair of live medical devices, and a couple of web applications open to deeply compromising remote attacks.

The research, led by healthcare head Geoff Gentry, is documented in this paper Securing Hospitals [PDF].

"On a disconnected network segment, our team demonstrated an authentication bypass attack to gain access to the patient monitor in question, and instructed it to perform a variety of disruptive tasks, such as sounding false alarms, displaying incorrect patient vitals, and disabling the alarm," the team says in the paper.

"This attack would have been possible against all medical devices ... likely preventing assistance and resulting in the death or serious injury of patients.

"The attack scenario is harrowing: Diligently executed, many human lives could be at stake, and extrapolating this problem to other hospitals is even more worrisome."

They say it is "very clear" that random attacks of that nature are viable.

The 71-page document is the latest, and one of the most comprehensive, research efforts in the field of medical hacking, and paints a bleak picture of the state of security in hospitals, as known to many in the hacking community.

Possibly the first detailed public attack model for patient health care. Image: Independent Security Evaluators

Electronic health records can be stolen through basic cross-site scripting attacks, with a payload targeted at unprivileged nurses or physicians that if executed would grant attackers god-mode admin access.

The perennial lure of USB drives as bait works too. The team dropped 18 sticks around hospitals loaded with malware that executed on nursing stations - terminals which are a gold mine for attackers because they retain harvestable credentials for nurses and physicians who log in.

From a humble USB stick, the hackers say they busted in to hospital drug dispensary service. That work-in-progress could grant the team the ability to manipulate inventory.

"If this medication were then given to a patient, it would likely harm or kill the patient," said the hackers.

For the physical on-site attacker, exposed hardware device ports and open computers operating in patient rooms are nothing less than a candy shop of sweet attack surfaces. Many of these security failures come down to lax or absent business processes.

"The findings show an industry in turmoil: lack of executive support; insufficient talent; improper implementations of technology; outdated understanding of adversaries; lack of leadership, and a misguided reliance upon compliance," the team said.

"[It] illustrates our greatest fear: patient health remains extremely vulnerable. One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective."

Hospital information security is "drastically" underfunded, training flawed at all levels, networks are insecure, and policy and audits largely absent and at best flawed when they do exist.

The facilities had vendor security kit that is not only inappropriate but poorly implemented, the researchers said, and was rife with vulnerabilities, or operating alongside in-house technology peppered with flaws.

This insecurity "fog" makes it hard to pinpoint the root cause or amplifying factor of any given problem.

"We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness, and many more," researcher Ted Harrington says. "These vulnerabilities are a result of systemic business failures."

The team offers detailed advice for remediating identified problems.

It comes six months after hospital hacking duo Scott Erven and Mark Collao found thousands of critical medical systems exposed online, including Magnetic Resonance Imaging machines and nuclear medicine devices.

In that work, one "very large" unnamed US healthcare organisation exposed some 68,000 medical systems including 21 from anaesthesia, 488 from cardiology, 67 from nuclear medicine, as well as 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications systems. ®