Daniel Regalado is a hacker, capable of getting into IV pumps and other medical machines.
He can steal your medical records and even shut that equipment off.
Now he’s speaking to reporters around the country to sound the alarm.
Regalado works for a company called Zingbox.
He and his boss are hired by hospitals and other organizations to check their security systems.
“The healthcare is our number one focus right now. And we help those hospitals to secure all of their connected medical devices and systems, and to ensure the entire patient care service quality and integrity,” Zingbox CEO and co-founder Xu Zou said.
We all know hackers can make a killing off of your financial data, often stolen by targeting your credit cards.
But as the I-Team found out, targeting your medical records can be even more valuable.
Hackers do it by tapping into IV machines, heart machines and oxygen devices.
And since all these devices are linked, an attack on one can be an attack on all.
“A stolen patient record has more permanent information and sensitive information about every single person like you and me. It has our name, home address, social security number, complete patient records and some financial information such as credit card information as well,” Zou said.
Regalado demonstrated his most recent and possibly deadly hack to TV5.
He showed how he can hijack the machine from an IV pump, steal the information, change dosages and even turn it off.
It takes Regalado under three minutes to complete and he said the hack isn’t as difficult as it looks.
“You don’t need to be a high-skilled hacker to perform these attacks. You just need to have a basic operating system and programming knowledge. What that means is that you can expose these types of attacks broadly because you don’t need to be a real black hat hacker to perform those types of attacks on the IV pumps,” Regalado said.
The cyber risk is not only at the individual hospital, it’s everywhere, among any doctor or medical facility sharing information with another.
Making matters worse, the federal government currently prevents hospitals from installing virus protection on these devices.
Once a hacker gets their hands on the machine, that means there is nothing between them and you.
Dan Waltz is the chief information officer with MidMichigan Health in Midland.
“These all keep us awake at night," Waltz said.
For 36 years he’s seen firsthand how advances in technology have changed healthcare and highlighted the need for cybersecurity.
“I think everybody in every hospital across the whole country is worried about that," Waltz said.
Four years ago, MidMichigan Health began auditing their systems through third-parties, similar to Zingbox, to come up with strategies against possible “bad actors” also known as black hat hackers.
The results show most attacks are through email phishing and something called denial of service attacks.
“Where people try to bring your network down by just spraying it with tons of transactions so those are probably the most common we’re seeing,” Waltz said.
He gave the I-Team an exclusive look into their IT Department.
He said staff members, including nurses, get extensive training in cybersecurity.
“We actually have some reporting systems we’re setting up to report various malicious emails and things like that, so we’re aware of them when they come in," Waltz said.
Waltz said he is unaware of any attempts by hackers to get into medical machines locally. He hopes the FDA quickly steps up to allow hospitals to install after-market virus protection to all equipment.
“We need to be able to put virus protection on them. But you do have to remember these pumps, these things, are all within our firewall within the organization. So it’s not like they’re just sitting out on the internet open. But we can do more to protect those devices and we’re looking forward to making those changes,” Waltz said.
In the end, hackers are testing the boundaries of security.
“From there, it’s really up to the imagination,” Regalado said.
Copyright 2017 WNEM (Meredith Corporation). All rights reserved.