HACKER’S TAKE AIM AT LIFE SAVING MEDICAL DEVICES:

If you thought hacking didn’t happen to medical devices, then think again. Even back when Vice President Dick Cheney had a pacemaker put in, his security team made sure the wireless capability was turned off so there were no security risks. But that’s just the tip of the iceberg.

Consider the case of Illinois based, Hospira Drug Infusion Pump

Drug infusion pumps made by Hospira and other companies are vulnerable to hackers. Hospira has more than 400,000 pumps in hospitals around the world yet hackers can take control of any of them and change the amount of drugs they administer to patients, putting their lives at risk.

Billy Rios , one of the researchers that performed security tests on Hospira pumps, was faced with the seriousness of hacking vulnerabilities on a very personal level1. First he demonstrated that it was possible to reverse engineer Hospira pumps and then he found himself at the mercy of the very same pump when he paid an unscheduled visit to a local emergency room. For Rios, that was the moment when the reality finally sunk in of how life threatening it is for someone to hack into these machines. And yet, Hospira still has five models that are vulnerable, and similar pumps from other manufacturers are still vulnerable as well.

iStan.

iStan is a $100,000 medical dummy that is equipped with robotics to mimic the human cardiovascular, respiratory, and neurological systems. iStan was hacked into by researchers from the University of South Alabama and “killed him” by altering his pacemaker. This caused many to wake up to the fact that if iStan can be hacked into, so can the life saving devices in living, breathing human beings. The next time this happens, it could be someone’s insulin pump that is hacked into. Seriously.

Medtronic’s Paradigm 512, 522, 712, and 722 insulin pumps.  

Insulin pumps manage blood glucose levels. Commands are sent to the pump telling it how much glucose a patient needs. And yet, these commands are not encrypted or authenticated and could easily be intercepted by anyone near it. If the commands are intercepted they could be modified or replaced and deliver a deadly dose of insulin.  

Implantable Cardioverter Defibrillators (ICDs).

ICDs are implanted in patients for the purpose of delivering shocks when there are signs of cardiac arrest. The defibrillator uses a Bluetooth stack for configuring the device and delivering the shocks. Unfortunately, this Bluetooth information can be hijacked or disabled by a hacker by simply guessing an easy password.

X-Ray Systems

X-Ray Systems Hospitals and staff generally have safe and secure methods for accessing and viewing patient x-rays.  The computers that are used to access patient X-rays require authentication and track who accesses the images.  Scott Erven, from Essentia Health2 , found that these computers are backed up on a centralized storage system. The centralized system does not require authentication and does not track who accesses the images, so this poses a serious security risk for patient privacy and misuse.

Blood Refrigeration Units.

Hospitals use refrigeration systems to preserve blood and medication. The refrigeration units have a web interface that can be used to set the temperature of the unit remotely. The system has a hardcoded password that’s embedded in the system by the manufacturer. Still, there’s a security risk because hackers can decipher this password. Once they hack into the system they can shut the system off, turn off any alerts, or even alter the temperature to spoil the contents.  

CT Scans.

Security researchers and professionals have been able to hack into CT scanning equipment for a long time. Hackers can assess the configuration files of scanning equipment and change the radiation levels. If changes are made without the medical professionals knowledge, a patient can be in danger of receiving too much radiation.

When we think of hacking we think of worms, trojans, and viruses. We think of losing money from our bank accounts and having our identity stolen. The thought of having a life saving device hacked into is not usually on our minds, but research shows it’s something we are going to have to face. Medical devices such as pacemakers, insulin pumps, and scanning equipment contain networked and software based equipment. As such, they need the same protections as our home computers, if not more so, because this is equipment is nestled inside us and can make or break a life.