Researchers stress the importance of preparing hospital and clinical laboratory information systems before a ‘major failure’ occurs

Medical laboratory information systems (LIS) and similar devices are vulnerable to hacking, according to physicians and computer scientists from the University of California San Diego (UCSD) and the University of California Davis (UCD). They recently completed a study that exposed the vulnerabilities of these systems and revealed how clinical laboratory test results can be manipulated and exploited to put patient lives at risk. 

The team of researchers included: Christian Dameff, MD, Clinical Informatics Fellow at UCSD Health; Maxwell Bland, graduate student and researcher at UCSD; Kirill Levchenko, PhD, Associate Professor of Electrical and Computer Engineering at the University of Illinois; and Jeffrey Tully, MD, resident anesthesiologist and security researcher at UC Davis Medical Center.

The team presented their study, “Pestilential Protocol: How Unsecure HL7 Messages Threaten Patient Lives,” at the Black Hat 2018 conference in Las Vegas. During their talk they launched a demonstration cyberattack on a mock medical laboratory information system to illustrate “that it is easy to modify medical test results remotely by attacking the connection between a hospital’s clinical laboratory devices and medical record systems,” a UCSD new release noted.

Clinical laboratories hold large volumes of patient protected health information (PHI) in their electronic health record (EHR) systems. And it’s widely understood that medical laboratory test data comprises as much as 80% of patients’ permanent medical records. Therefore, medical laboratory stakeholders and managers could be held accountable should those medical records and databases be violated by computer hackers.  


Researchers at the University of California San Diego (UCSD) used a man-in-the-middle attack (illustrated above) to intercept and modify data transmitted from a laboratory information system to an electronic medical record system. Clinical laboratories could be held responsible for such intrusion into patients’ protected health information (PHI) should it be determined that adequate safeguards were not implemented. (Caption and image copyrights: UCSD.) 

To demonstrate their findings, the researchers hacked a test system made up of medical laboratory computers, servers, and testing devices. They then performed blood and urinalysis testing, intercepted and altered the normal blood test results to make it appear that the patient suffered from diabetic ketoacidosis (DKA), and then forwarded the modified results to the patient’s electronic medical records.

Such misdiagnoses could lead physicians to prescribe incorrect medicines and procedures that could injure or even kill patients.


“As a physician, I aim to educate my colleagues that the implicit trust we place in the technologies and infrastructure we use to care for our patients may be misplaced, and that an awareness of and vigilance for these threat models is critical for the practice of medicine in the 21st century,” Jeffrey Tully, MD (left), stated in the UCSD news release. Christian Dameff, MD (right), agreed, saying, “We are talking about this because we are trying to secure healthcare devices and infrastructure before medical systems experience a major failure. We need to fix this now.” (Photo copyright: University of Arizona News.)

In their paper, the researchers proposed “three viable strategies to ensure increased security and integrity of data in clinical environments, which we hope will be taken into consideration by the healthcare community:

  • Secure network deployment: network segmentation, VLANs, and firewall controls: This is the most viable option for legacy systems and healthcare providers with budgetary and operational constraints. By restricting the attack surface of vulnerable devices to Ethernet networks inaccessible to outside influence, the potential for attack is largely mitigated. This, however, requires the intervention and trust of an experienced IT professional. When legacy devices that lack security controls exist in the network environment, isolation of these devices into network segments to minimize exposure is key.
  • Proper configuration: In situations where the hospital network cannot be made completely secure through use of network segmentation, the alternative is proper configuration of servers and devices that support encryption. This would mean, for example, ensuring that the interface client, such as Mirth connect, is updated to its most recent version and the communication channels are set up to use encryption.
  • Security conscious protocols and ecosystems: ​Moving forward, device manufacturers, care providers, standards organizations, and policy makers must push to incorporate newer protocols and ecosystems where strong security guarantees are built in, and actively look for these guarantees. One such example is the Fast Healthcare Interoperability Resources (FHIR), a replacement for HL7 which has greater potential for encryption. Without the development of a security conscious culture, healthcare infrastructure will remain vulnerable to malefaction.”

Cyberhacking of patient medical records is a critical issue. According to American Nurse Today, more than 16 million patient records were stolen from US healthcare organizations in 2016. In addition, more than 150 million individuals have had their medical records stolen since 2010. The majority of these thefts were the result of attacks against electronic health records (EHRs).

As security breaches become more prevalent, it’s imperative that medical laboratories and anatomic pathology groups take steps to secure their information systems, testing devices, and patients’ records from cyberhacking. All healthcare providers should familiarize themselves with cybersecurity methods and protocols to defend their systems from remote attacks.

—JP Schlingman

Related Information:

How Unsecured Medical Record Systems and Medical Devices Put Patient Lives at Risk

Pestilential Protocol: How Unsecure HL7 Messages Threaten Patient Lives

UA Med School Hosts Summit on Medical Device Hacking

Cybersecurity and Healthcare Records

MedStar Health Latest Victim in String of ‘Ransomware’ Attacks on Hospitals and Medical Laboratories That Reveal the Vulnerability of Healthcare IT