A security researcher at McAfee (Douglas McKee) has identified a vulnerability in the communications protocol used by patient monitoring equipment. The flaw could be exploited by a threat actor allowing patients’ vital signs to be falsified and sent to central monitoring systems.
Patient monitors record patients’ vital signs and communicate the information to central monitoring systems. The central management systems collect data from many bedside patient monitors, allowing healthcare professionals to monitor multiple patients simultaneously. Information is usually sent over TCP/IP through wired or wireless connections and includes information such as blood pressure, blood oxygen levels, and heart rates. Decisions about treatment are made based on the information provided through those monitoring systems.
Vital signs are integral to clinical decision making. If vital signs are misreported, decisions could be made that could cause patients to come to harm – incorrect doses of medications could be provided, the choice of drug could be influenced by bad data, an incorrect diagnosis could be made, or there could be delays providing medical assistance.
Incorrect data could also lead to patients staying in hospital for far longer than necessary and additional unnecessary tests may be performed, which would come at a cost to the healthcare provider, insurer, or patient.
For the study, McAfee purchased a patient monitor and a central monitoring station on eBay that were manufactured in 2004 and ran Windows XP Embedded. While the devices were old, McAfee confirmed that the monitor and central monitoring station are still in use in several hospitals in the United States.
The researchers were able to create a simple device to emulate vital signs using a Raspberry Pi and conduct a replay attack. The researchers were able to send heart rate data to the central monitoring system indicating a steady heart rate of 80 bpm, when the patient monitor was no longer connected to the system. The researchers were able to do the same with other vital signs. This just involved a short loss in connection, which would likely go unnoticed.
For such an attack to be pulled off, the attacker would need access to the patient to disconnect the patient monitor and plug in the emulation device. The replay attack could allow normal heart rate data to be provided to the central monitoring station when the patient was actually flatlining.
The researchers were also able to devise an attack method that allowed vital signs data to be modified in real time. In this attack, access to the patient was not required; the attacker simply needed to be on the same network. The attacker posed as the central monitoring station, intercepted data from the targeted patient’s monitor, falsified the data, and then sent it on to the real central monitoring station. This attack was possible due to a flaw in the Rwhat protocol that is used to send data over wired or Wi-Fi connections. Since data is sent over unencrypted User Datagram Protocol (UDP) with no authentication, data packets can easily be spoofed and modified.
Conducting such an attack is not straightforward. Knowledge of the equipment and networking protocol is required, and the attack could only be performed against a single patient or possibly a small group of patients. Some medical knowledge would also be required, as the vital signs would need to be believable to a physician. The attack also only caused falsified data to be displayed on the monitoring station – the bedside patient monitor continued to display the correct readings.
Such an attack may be unlikely but could be a threat for certain patients – those testifying in trials, or politicians, for example.
If communications between patient monitors and central monitoring stations are encrypted and additional authentication checks are incorporated, such an attack would be much harder to pull off. It is also important for the equipment to be located on isolated networks with very strict access controls to reduce the potential for such an attack to occur.
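The authentication part of this mitigation can be illustrated with a per-packet keyed tag and a monotonically increasing sequence number, which lets the central station reject modified and replayed datagrams. This is an added example, not McAfee's code, and it uses a constructed datagram layout and a constructed key rather than the real Rwhat format; encryption for confidentiality is a separate, additional step not shown here.

```python
import hmac
import hashlib
import struct

# Constructed wire format for this example (NOT the real Rwhat layout):
#   bed_id:u16  seq:u32  heart_rate:u16  spo2:u8  systolic:u16  diastolic:u16
FMT = ">HIHBHH"
PAYLOAD_LEN = struct.calcsize(FMT)   # 13 bytes
TAG_LEN = 16                         # truncated HMAC-SHA256 tag


def build_datagram(key: bytes, bed_id: int, seq: int, heart_rate: int,
                   spo2: int, systolic: int, diastolic: int) -> bytes:
    """Monitor side: serialise the vitals and append an HMAC tag that
    covers every field, including the per-bed sequence number."""
    payload = struct.pack(FMT, bed_id, seq, heart_rate, spo2, systolic, diastolic)
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload + tag


def verify_datagram(key: bytes, last_seq: dict, datagram: bytes):
    """Central-station side: return the parsed vitals, or None if the
    datagram is malformed, was modified in transit, or is a replay."""
    if len(datagram) != PAYLOAD_LEN + TAG_LEN:
        return None
    payload, tag = datagram[:PAYLOAD_LEN], datagram[PAYLOAD_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # forged or modified packet
        return None
    bed_id, seq, hr, spo2, sys_, dia = struct.unpack(FMT, payload)
    if seq <= last_seq.get(bed_id, 0):           # replayed (or stale) packet
        return None
    last_seq[bed_id] = seq                       # advance the replay window
    return {"bed_id": bed_id, "seq": seq, "heart_rate": hr,
            "spo2": spo2, "systolic": sys_, "diastolic": dia}


if __name__ == "__main__":
    key = b"per-device key provisioned out of band (constructed)"
    seen = {}
    good = build_datagram(key, 7, 1, 80, 97, 120, 80)
    print("genuine  :", verify_datagram(key, seen, good))
    # The same datagram delivered a second time is rejected by the sequence check.
    print("replayed :", verify_datagram(key, seen, good))
    # One byte of the heart-rate field altered in transit fails the tag check.
    tampered = bytearray(good)
    tampered[7] ^= 0x01
    print("tampered :", verify_datagram(key, seen, bytes(tampered)))
```

A real deployment would need a per-device key provisioned out of band and persistence of the last-seen sequence number across restarts, otherwise an old datagram becomes replayable again after the station reboots.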