Hackers in Hospitals

by Gary Rimar (a.k.a. Piano Guy)

Getting old isn't for wimps.  Falls aren't for wimps either, especially when a fall ends in a broken ankle with torn tendons (first MRI).  After months of not healing all the way, we decided it was time for another MRI, especially since having hit the catastrophic maximum for insurance (it was a bad year) the MRI would not cost me anything.

I didn't normally go to the hospital system that the orthopedic surgeon worked at because they were the most expensive place in town.  Since it was "free" (at least to me), I decided this was a better way forward.  My appointment was on the Saturday after Christmas.

When I went to get into the area, the first thing they did was ask me for a facial recognition scan.  I asked why this was necessary, and they said "To make your name tag, to prove you've checked in."  I told them I was opposed to a facial recognition scan.  They called over a manager, she briefly looked at (did not electronically scan) my driver's license, and they found out that they could make me a badge without doing a facial recognition scan.

Off to the MRI appointment.

If you've ever had an MRI, you know they tell you to leave jewelry at home.  They don't say to leave all other valuables at home (phone, wallet), but at this place they probably should have.  The lockers in every other MRI facility would be easy enough to pick with a pick set, but that assumes someone is carrying their picks and knows what to do.

In this hospital, they use the Kit-Lock KL1000.  Pictures can be seen at www.codelocks.us/kl1000-g3-kitlock-locker-lock.  As I was about to put my phone in this locker, I wondered if there was a bypass combination in case someone forgot their self-set combination.  It took me under a minute to find out that the bypass combination is: 1-1-3-3-5-5-7-7

I could have had everyone else's valuables, but among the reasons that I'd never do that is that when I'm dressed in orange I look like a pumpkin.  Kidding aside, I'm very honest and ethical.  When I did talk to the person who took me back for the MRI, I said "Do you know the combination to get someone back in if they forget theirs?"  She said yes, and it's all over the Internet (she knew this too).  I asked why they used such insecure locks.  Her answer was "Why do you think we tell people not to bring jewelry?"

If you've never had an MRI, they make sure you have absolutely no ferrous metal on or in you, then put you in a tube that has extremely strong magnets and can measure how your body resonates to the strong electromagnetic pulses.  This allows the doctors to assess soft tissue.  Because of the way they assess tissue from every angle (it's a three-dimensional rendition), they slide you through on a table to get every slice, and the mechanisms involved are very loud - you will be given earplugs to protect your hearing.

After the scan, the patient is supposed to pick up a disc with the images on it.  The hospital system also puts the scan on their system, so the disc isn't mandatory, but it is a good idea to get for records and in case the network is down the day of the follow-up appointment.  I asked for the disc at the desk when I was leaving and was told "No, that's at the other end of the hospital."  This is a big hospital complex.  Going to the other end meant getting in the car and driving, or a long walk on a cold day with sleet coming down.  Plus, parking was $7 a pop in each garage.  As I was walking out, I walked past the Women's Imaging Center (they have a separate one for that) and asked if they could validate my parking.  I explained that I had a bad ankle (that's why I was there) and that I didn't feel it was right to have to pay $14 for parking.  I also explained that - even though I was out of the crutches and the boot - I was here for an injured ankle.  She said, "I don't validate parking, but hold on" and she walked away.  Five minutes later I was about to leave in frustration, but she came out of the door she walked through and handed me two parking validation bar codes.  She said, "I can't validate your parking, but they can."

It was very tempting to photograph the bar codes and analyze them.  I could look at the two and figure out the system.  I could have created free parking at the hospital (which is where I was going still for physical therapy) but decided not to.  First, "orange."  Second, more seriously, any time I'd use one of my "free" codes, I would cause someone else the hassle of either having to pay for parking or going back into the hospital to get a better code.  As hackers, just because we can doesn't mean we should.

When I showed up at the other end of the hospital, they said my name badge sticker was defective because it didn't have my face on it, and they asked me to make it again.  I told them no, that I had had this discussion with the manager at the other end of the hospital, and that I was just here to get my MRI disc.  They relented.

I was told where to go, but there was no reception person there.  No one was there except for another patient who was waiting for someone to come out (she was still in the boot and crutches phase).  I was less patient and since doors were open, I started wandering around the back halls of the area until I found an employee.  This was definitely not a place where patients were supposed to go.  When I explained why I was back there, the employee took my name, told me to sit in the chair that happened to be near where I found them, and they said they would bring me my disc in the next 10 to 20 minutes (and they did).

I will be sending this information to the president of the hospital to state that they should get a disc burner at the same end of the hospital as the MRI machine and put real locks on the lockers.  I wanted to give 2600 first crack at this, so I'm writing this now.  And, to not leave people in suspense, the prognosis is that I need to keep doing physical therapy (which I can do at home), and hopefully the atrophied torn tendons will regrow by May, and I'll not have to have surgery.
