A team of physicians and computer scientists at the University of California has shown that it is easy to modify medical test results remotely by attacking the connection between hospital laboratory devices and medical record systems. Such attacks could be used by a nation-state to cripple the United States’ medical infrastructure, study officials say.

The researchers from UC San Diego and UC Davis detailed their findings at the recent Black Hat 2018 conference in Las Vegas, where they staged a demonstration of the attack. Dubbed Pestilence, the attack is solely proof-of-concept and will not be released to the general public. While the vulnerabilities the researchers exploited are not new, this is the first time that a research team has shown how they could be exploited to compromise patient health.

These vulnerabilities arise from the standards used to transfer patient data within hospital networks, known as the Health Level Seven standards, or HL7. Essentially, the language that allows all devices and systems in a medical facility to communicate, HL7 was developed in the 1970s and has remained untouched by many of the cybersecurity advances made in the last four decades.

Implementation of the standards on aging medical equipment by personnel with little or no cybersecurity training has led to untold amounts of patient data circulating in an un-secure fashion. Specifically, the data are transmitted as unencrypted plain text on networks that do not require any passwords or other forms of authentication.

Data hacking in hospitals has been in the news in recent years. But researchers want to draw attention to how that data, once compromised, could be manipulated. “Healthcare is distinct from other sectors in that the manipulation of critical infrastructure has the potential to directly impact human life, whether through direct manipulation of devices themselves or through the networks which connect them,” the researchers wrote.

The vulnerabilities and methodologies used to create the Pestilence tool have been previously published. The innovation here is combining computer science know-how and clinicians’ knowledge to exploit weaknesses in the HL7 standard to negatively impact the patient care process.

The team includes Christian Dameff, MD, an emergency physician and clinical informatics fellow, and Maxwell Bland, a master’s student in computer science, both at UC San Diego, and Jeffrey Tully, MD, an anesthesiology resident at the UC Davis Medical Center. Physicians need to be able to trust that their data are accurate, Tully says. “As a physician, I aim to educate my colleagues that the implicit trust we place in the technologies and infrastructure we use to care for our patients may be misplaced, and that an awareness of and vigilance for these threat models is critical for the practice of medicine in the 21st century,” he says.

Securing data against manipulation is imperative. “We are talking about this because we are trying to secure healthcare devices and infrastructure before medical systems experience a major failure,” Dameff says. “We need to fix this now.”