Hackers Can Falsify Patient Vitals

Patient vitals

Hackers can falsify patients’ vitals by emulating data sent from medical equipment clients to central monitoring systems, a McAfee security researcher revealed over the weekend at the DEF CON 26 security conference.

The research, available here, takes advantage of a weak communications protocol used by some patient monitoring equipment to send data to a central monitoring station.

Attack possible because of Rwhat protocol

McAfee security researcher Douglas McKee says he was able to reverse engineer this protocol, create a device that emulates patients vitals, and send incorrect information to a central monitoring station.

This attack required physical access to the patient, as the attacker needed to disconnect the patient monitoring client and replace it with his own device that feeds incorrect patient vitals to the central station monitored by medical professionals.

But McKee also devised another method of feeding central monitoring stations without needing to disconnect the patient monitoring client.

A variation of the attack requires the attacker to be on the same network as the patient monitoring client in order to ARP spoof the central monitoring station.

The attacker can pose as the central monitoring station, capture data sent by the actual patient monitoring equipment, and then send falsified patient data to the real central monitoring station.

This second attack scenario works in real-time and is feasible because of the insecure design of the Rwhat protocol used by some medical equipment to send data from patient monitors to central stations via WiFi or wired connections —the protocol relying on simple unencrypted UDP packets sent between the client and server, packets that can be easily spoofed and modified.

Below is a demo that McKee recorded and presented during his DEF CON talk over the weekend. The demo shows the researcher spoofing a heartbeat monitor into sending a flatline signal to a central monitoring station, mimicking a sudden cardiac arrest. Other demos are available here.

Depending on the type of equipment used inside a hospital, the attack can also be used to spoof oxygen level and blood pressure readings as well.

Attack can lead to incorrect diagnosis, prescriptions

During tests, McKee says he was able to make small modifications to data reported back to central monitoring systems. These small modifications, he argues, could lead to doctors reaching a wrong diagnosis or prescribing incorrect medication that may have unwanted side effects.

Furthermore, these types of attacks may also cause patients to be subjected to additional unneeded tests or extended hospital stays. While this may be an inconvenience for some patients, in some countries without national health care plans, this could also incur unnecessary financial expenses, which some patients may not be able to pay.

“Any modifications made to patient data would need to be believable to medical professionals for there to be any impact,” McKee said, while also clarifying that the actual patient monitoring device near the patient’s bed will not be affected by this attack and continue to display actual readings.

But in cases where medical staff take decisions based on the readings received via central monitoring systems —which also provide historical views of past readings— the attack has high chances of fooling medical professionals.

McKee did not reveal the make and model of the medical equipment he used for his tests, as he is still working with the vendor to patch the discovered issues.

Overall, the attack is highly complex, and won’t likely be the subject of mass exploitation attempts, but is a real threat vector for high-value patients, such as politicians, wealthy business people, celebrities, or employees of national intelligence agencies.