Many medical institutes in the United States use some type of software to manage their records. It eliminates the use of paper, makes transferring information easier, and provides an easy to access database.
Most would assume that such a system is also very secure. But programmers and physicians from the University of California recently showed that vulnerabilities exist in medical record systems.
Are Medical Records Unsafe?
The group of physicians and computer scientists wanted to show that it is possible to hack the medical records of specific patients. And they did it by targeting the connection between a medical record system and the lab devices at hospitals.
Before anyone is alarmed, the study did not target an actual medical institute. Everything was recreated in a controlled environment so proper testing could be done.
The team created a testbed that had medical lab equipment, testing devices, computers and servers. They were able to run the types of tests that patients would get if they went into the ER for surgery or any other type of emergency.
What they were able to achieve will worry a lot of people. Not only was the team able to get their hands on information that is meant to be confidential, but they were able to change the results.
Stealing and Adjusting Medical Information
The way most hospitals work is that when a patient is put through a test, results are automatically fed into the system. Some machines may still be analogue, which requires a medical assistant or nurse to do the job in real time.
Say a patient comes into the ER and they get a blood test and an EKG. The results are automatically or manually entered into the system. These records can be viewed online, seen by relevant doctors or transferred to a primary care physician.
The team at UC San Diego managed to infiltrate the system by launching a “man in the middle attack.” It is the type of attack where a computer gets in between the lab equipment and the medical records to steal or modify information.
They were able to adjust the blood test results to show different values. While the test results were normal, the hacker was able to make it look as though the patient was suffering from severe diabetes. Such a diagnosis would lead to a nurse giving the patient specific medicine. And the medicine would cause a healthy patient to go into a coma.
Hacks Could Target Important People
While the researchers do not see such a vulnerability as compromising the average patient, there is a worry about how a more important person could be targeted. A celebrity, activist, government official or other important figure could be targeted by hackers, foreign governments or other malicious entities.
Breaches of sensitive data from insurance companies like Allstate, financial services companies like Sambla, and health service providers like Aetna are especially concerning due to the nature of the data exposed.
The danger is not just about medical information being stolen or the patient being incorrectly diagnosed. The worry is that if such a man in the middle attack were done in real time, patients could be mistakenly given medicine that can kill them.