Medical device vuln allows hackers to falsify patients' vitals

McAfee: Patient monitoring systems open to hack attacks

Hackers may be able to falsify patient vitals by messing with the traffic on hospital networks.

Research from McAfee shows it’s possible to emulate and modify a patient’s vital signs in real time on a medical network using a patient monitor and a central monitoring station.

Most patient monitoring systems comprise a minimum of two basic components: a central monitoring station connected over wired or wireless networks to multiple bedside monitors.

Researchers at McAfee bought both a patient monitor and a compatible central monitoring station from eBay. The patient monitor checked heartbeat, oxygen levels, and blood pressure. It had both wired and wireless networking and appeared to store patient information. The central monitoring station ran Windows XP Embedded, with two Ethernet ports. It ran in a limited kiosk mode at start-up.

Both units were made around 2004 but several local hospitals confirmed the models were still in use.

Hacking either or both devices or the apps they run might be possible but the researchers chose to concentrate on cracking the network communications first.

The next stage of the research relied in part on the purchase of an electrocardiogram (ECG) simulator, bought from eBay for $100, as well as the analysis of data sent over the network using Wireshark.

Medical monitor hack test rig [source: McAfee blog post]

The researchers discovered the patient monitor and central monitoring station were speaking over unencrypted UDP using a payload containing counters and patient information. A handshake between the two devices is needed but this can be faked, clearing the way towards a replay attack.

Using this emulation as a springboard, the McAfee duo discovered it was possible to modify a patient’s vitals being transmitted over the network in real time. It was possible to spoof a "patient's heartbeat output" to simulate a flatline event.

This attack does not affect the output as seen on a bedside monitor; it only works locally and needs to be "believable to medical professionals for there to be any impact," McAfee's researchers pointed out. Nonetheless the potential for mischief is still there.

"Such an attack could result in patients receiving the wrong medications, additional testing, and extended hospital stays — any of which could incur unnecessary expenses," the researchers warned.

McAfee released its findings at the DEF CON hacking conference in Las Vegas last weekend.

The research highlighted a weakness in the RWHAT protocol used by IoT medical devices to monitor a patient’s condition and vitals. If a hacker exploits this vulnerability, they can provide false information to medical personnel in real time. Lack of authentication also allows rogue devices to be placed onto the medical network and mimic patient monitors.

Vendors can encrypt network traffic between the devices and add authentication as countermeasures against potential mischief.
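
As an added illustration of the authentication countermeasure (not McAfee's or the vendor's code), the Python below shows a central station that accepts a vitals datagram only if it carries a valid HMAC from an enrolled monitor and a counter higher than the last one accepted, so modified, unenrolled and replayed frames are dropped. The frame layout, the `seal` and `Station` names and the key are assumptions made for the example, and it covers authentication and replay protection only, not encryption.

```python
import hashlib
import hmac
import struct

# Hypothetical frame: monitor_id u16 | counter u64 | heart_rate u16 | spo2 u8 | tag
HEADER = struct.Struct("!HQHB")
TAG_LEN = hashlib.sha256().digest_size


def seal(key, monitor_id, counter, heart_rate, spo2):
    """Bedside monitor: serialize one reading and append an HMAC-SHA256 tag."""
    body = HEADER.pack(monitor_id, counter, heart_rate, spo2)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Station:
    """Central station: authenticate each datagram, then reject stale counters."""

    def __init__(self, keys):
        self.keys = keys        # monitor_id -> key, provisioned out of band
        self.last_counter = {}  # monitor_id -> highest counter accepted so far

    def accept(self, frame):
        """Return the reading as a dict, or None if the frame must be dropped."""
        if len(frame) != HEADER.size + TAG_LEN:
            return None  # malformed length
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        monitor_id, counter, heart_rate, spo2 = HEADER.unpack(body)
        key = self.keys.get(monitor_id)
        if key is None:
            return None  # device was never enrolled
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # modified in transit or sent without the key
        if counter <= self.last_counter.get(monitor_id, -1):
            return None  # captured frame sent again
        self.last_counter[monitor_id] = counter  # advance only after the tag checks out
        return {"monitor_id": monitor_id, "heart_rate": heart_rate, "spo2": spo2}


if __name__ == "__main__":
    # Constructed sample data: one enrolled monitor with a made-up key.
    station = Station({7: b"constructed-demo-key"})
    frame = seal(b"constructed-demo-key", 7, 1, 72, 98)
    print(station.accept(frame))  # accepted
    print(station.accept(frame))  # same frame again: dropped
```

Because UDP can reorder datagrams, a strictly increasing counter also drops a genuine frame that arrives after a newer one.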

McAfee reported its research to the (unnamed patient monitoring systems) vendor whose products it tested. McAfee said it will continue to work with other vendors to help secure their products. ®
