Douglas McKee, a security researcher at McAfee, discovered a flaw in the communications protocol used to send data from patient monitors to central monitoring stations. A threat actor could exploit the vulnerability to falsify patients’ vital signs and forward them to the central monitoring system.
Patient monitors document patients’ vital signs and pass the data on to a central monitoring station. The central monitoring station displays the data from bedside patient monitors of many patients, allowing a healthcare professional to monitor the vital signs of many patients at the same time. The data is normally delivered over TCP/IP via wired or wireless connections. The information collected by patient monitors includes blood oxygen levels, blood pressure and heart rate data. Doctors use the system to make treatment decisions.
If the data displayed on the patient monitoring system is incorrect, decisions may be made that could cause patients harm. A physician may decide to administer drugs that are not necessary, incorrect diagnoses may be made, or patients requiring urgent medical assistance may not get the life-saving medications they need. Financial harm may occur, such as when hospital stays are extended or unnecessary tests are performed.
For the research, McAfee bought a patient monitor with a central monitoring station on eBay. The equipment was old, although the same models were still in use in many U.S. hospitals. The devices were running the unsupported OS, Windows XP Embedded. Vulnerabilities were likely present in the OS that could have been exploited, although McAfee concentrated on the communications protocol used to send data between the two devices.
The researchers built a simple device that could performed a replay attack – Data was recorded and replayed. The researchers showed how such an attack could be used to display a constant heart rate when the monitor had been disconnected. The same method could be used to misreport other vital signs. The only sign that something was amiss would be a brief loss of connection while the patient monitor was disconnected and the emulation device was connected. The blip would most likely not be noticed. This attack would require the attacker to gain access to the patient to detach the patient monitor and connect the emulation device.
The researchers likewise managed to develop an attack strategy that allowed them to change vital signs information in real time. With this attack, there is no need to be close to the patient. The attacker just needs to be on the same network. This method involved impersonation of the central monitoring station to intercept vital signs data. The information was then falsified and sent on to the real monitoring station. This attack was possible due to the transmission of data using unencrypted User Datagram Protocol (UDP), which allowed data packets to be intercepted and altered.
Executing such an attack isn’t easy. Understanding of the devices and networking protocol is necessary, however it is possible and it could be used to attack specific patients such as politicians or trial witnesses. Some medical knowledge would be required to ensure the falsified vitals signs would fool a physician.
To make it harder for an attack like this to be conducted, data should be encrypted in transit and more robust authentication is necessary. Healthcare organizations can further improve security by ensuring patient monitors and central monitoring stations are on an isolated network, and access to that network is strictly controlled.