Why medical devices are in dire need of better password protection

Doctors, nurses and other medical practitioners access and assess medical devices daily. Medical devices include anything from MRI machines and X-ray machines to personal medical devices like heart monitors. 

Connected devices such as defibrillators can be hacked causing irreversible damage. (Photo/AF.Mil)

In order to gain access to medical devices, staff members need to enter their personal identification information – usually a username and password.

Manually entering this information into a device each time it’s accessed can be tedious. For that reason, usernames and passwords are created without the complexity necessary for proper cybersecurity.

If these medical devices are connected to a hospital’s network, insecure passwords can be a major risk.

How cybercrime with medical devices occurs

Medical devices are a backdoor for hackers.

When hackers attempt to breach networks, they look for any vulnerability possible. Medical devices are an accidental find for many hackers. In most cases, hackers aren’t targeting devices specifically; rather, they discover that medical devices have what’s needed for easy access to a network.

A six-letter password with no special characters takes a hacker only 20 minutes to guess. If a medical device with a low-security password is connected to the hospital or medical facility’s network, it can take a hacker 20 minutes to compromise your entire system.

From patient care to compliance mandates, cyber hacks are detrimental.

What happens when medical devices are hacked?

When medical devices are hacked, significant risks follow:

  • Data can be manipulated
  • Viruses can be introduced into the system
  • Patient care can be lost
  • Hospitals can lose money
  • Reputations are at risk

When bad actors gain access to medical devices, the intended operation of those devices can be manipulated. For instance, if a hacker accesses common devices like cardiac defibrillators, pacemakers, or infusion pumps, they can alter doses or functions in ways that can ultimately harm or kill a patient.

Ransomware attacks such as WannaCry and Petya are also dangerous for medical facilities. During these attacks, hackers held medical devices and computers containing important patient data for ransom at around $300 per device. When you factor in that US hospitals currently have between 10 and 15 connected devices per bed, you can see how costly ransomware can be.

One hospital in West Virginia was forced to buy an entirely new fleet of computers because it was less expensive than paying the ransom. Still, much of their patient data was lost, and hospital operations were halted.

How can you protect your medical devices?

There are plenty of incredibly terrifying scenarios when cybercrime strikes. What can you do to prevent cyber attacks at your medical facility?

At the very least, implement two-step authentication before personnel can access medical devices. Two-step authentication is an extra layer of security that requires not only a password and username but also a piece of information only the user should know. This means a hacker’s software may be able to crack a password, but it cannot answer a personal question, rendering the device safe for the moment.

Limit network access to personnel who need it. The fewer credentials hackers can prey upon, the lower the risk to your medical facility. Can you share an EZPD linked license with a complex, secure password for medical devices?

Require stronger passwords, and provide the tools for better password security. Enforce password requirements like character count and diversity. Don’t allow common passwords that may be at risk of hacking.
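As an added illustration (not code from this article or from EZPD), the sketch below enforces the three requirements named above, length, character diversity and a common-password denylist, and estimates how long an exhaustive search would take. The minimum length, class count and denylist are assumed values, and the guess rate is derived from the 20-minute figure quoted earlier on the assumption that it describes trying every six-letter lowercase password.

```python
import string

# Constructed sample denylist; a real deployment would load a far larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

CHARSETS = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)

MIN_LENGTH = 12   # assumed policy value, not from the article
MIN_CLASSES = 3   # assumed: at least three of lower/upper/digit/symbol

# Guess rate implied by the article's figure, assuming "six letters" means
# lowercase only and "20 minutes" means trying every combination.
GUESSES_PER_SECOND = 26 ** 6 / (20 * 60)


def classes_used(password):
    """Return the character sets that appear in the password."""
    return [cs for cs in CHARSETS if any(ch in cs for ch in password)]


def seconds_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every password of this length and alphabet."""
    alphabet = sum(len(cs) for cs in classes_used(password))
    return alphabet ** len(password) / rate


def check_password(password):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(classes_used(password)) < MIN_CLASSES:
        problems.append("low_diversity")
    return problems


if __name__ == "__main__":
    for candidate in ("abcdef", "Password", "Tr4y-Cart-Ward7"):  # constructed
        hours = seconds_to_exhaust(candidate) / 3600
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}, "
              f"~{hours:.3g} h to exhaust")
```

The estimate is a worst case for blind guessing only; a password on the denylist is rejected regardless of its length because attackers try such values first.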

By providing your staff with a tool like EZPD, you can help your team create strong, virtually untraceable passwords that won’t give them password syndrome.

Learn more about EZPD and how it can be a layer of protection on your medical devices, the keys to your entire hospital network.