Hackers are using Internet-connected medical devices to attack hospital databases, according to a cybersecurity company report.

Nancy Crotti

"It's Insanely Easy to Hack Hospital Equipment," proclaimed a Wired article last year.

Turns out they were right. Hospitals and other healthcare institutions may have already been hacked through their medical devices without knowing it, according to a report by TrapX, which recreated three such attacks to learn how they work.

Medical devices on a network represent the "easiest and most vulnerable points of entry" to a healthcare organization's databases, which include valuable health insurance information, said TrapX co-founder Moshe Ben Simon in the report.

The demand for medical data among hackers is growing, and millions of records from insurance companies like CareFirst and Blue Cross have been breached in recent months.

TrapX said it found extensive compromise of x-ray equipment, picture archive and communications systems (PACS), and blood-gas analyzers. It also identified diagnostic equipment such as PET scanners, CT scanners, and MRI machines; therapeutic equipment, such as infusion pumps, medical lasers, and LASIK machines; and life support equipment as vulnerable to attack.

Medical devices cannot detect most of the malware delivered by a cyberattack, nor can standard hospital cyber-security systems access the internal software operations of the medical devices, according to Carl Wright, executive vice president and general manager of TrapX Security.

"For all of these reasons MEDJACK is very difficult to prevent, detect and remediate," Wright said in the report.

In complex cases, cyber security experts will need medtech companies' "considerable support" for access to devices' internal memory to identify malware and prevent future attacks, the company said. Standard support agreements between hospitals and medtech manufacturers may not address cyberattacks that extend to hospital networks.

"We have observed that in some cases, the medical device manufacturer technicians are not trained or skilled sufficiently to handle complex security issues within an installed unit and prefer to instead replace the unit," the report said.

The FDA has issued guidance for OEMs developing and building medical devices, recommending that device manufacturers: