It’s Way Too Easy to Hack the Hospital

If you recall this post from 2011, you knew this day was coming.

The culture of “Patch & Pray” will be the downfall so long as America chooses to be reactive over proactive.

 

Firewalls and medical devices are extremely vulnerable, and everyone’s pointing fingers

In the fall of 2013, Billy Rios flew from his home in California to Rochester, Minn., for an assignment at the Mayo Clinic, the largest integrated nonprofit medical group practice in the world. Rios is a “white hat” hacker, which means customers hire him to break into their own computers. His roster of clients has included the Pentagon, major defense contractors, Microsoft, Google, and some others he can’t talk about.

But when he showed up, he was surprised to find himself in a conference room full of familiar faces. The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.

Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers. For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.

“Every day, it was like every device on the menu got crushed,” Rios says. “It was all bad. Really, really bad.” The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on.

The Mayo Clinic emerged from those sessions with a fresh set of security requirements for its medical device suppliers, requiring that each device be tested to meet standards before purchasing contracts were signed. Rios applauded the clinic, but he knew that only a few hospitals in the world had the resources and influence to pull that off, and he walked away from the job with an unshakable conviction: Sooner or later, hospitals would be hacked, and patients would be hurt. He’d gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve.

“Someone is going to take it to the next level. They always do,” says Rios. “The second someone tries to do this, they’ll be able to do it. The only barrier is the goodwill of a stranger.”

Shortly after flying home from the Mayo gig, Rios ordered his first device—a Hospira Symbiq infusion pump. He wasn’t targeting that particular manufacturer or model to investigate; he simply happened to find one posted on EBay for about $100. It was an odd feeling, putting it in his online shopping cart. Was buying one of these without some sort of license even legal? he wondered. Is it OK to crack this open?

Infusion pumps can be found in almost every hospital room, usually affixed to a metal stand next to the patient’s bed, automatically delivering intravenous drips, injectable drugs, or other fluids into a patient’s bloodstream. Hospira, a company that was bought by Pfizer this year, is a leading manufacturer of the devices, with several different models on the market. On the company’s website, an article explains that “smart pumps” are designed to improve patient safety by automating intravenous drug delivery, which it says accounts for 56 percent of all medication errors.

Rios connected his pump to a computer network, just as a hospital would, and discovered it was possible to remotely take over the machine and “press” the buttons on the device’s touchscreen, as if someone were standing right in front of it. He found that he could set the machine to dump an entire vial of medication into a patient. A doctor or nurse standing in front of the machine might be able to spot such a manipulation and stop the infusion before the entire vial empties, but a hospital staff member keeping an eye on the pump from a centralized monitoring station wouldn’t notice a thing, he says.

In the spring of 2014, Rios typed up his findings and sent them to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). In his report, he listed the vulnerabilities he had found and suggested that Hospira conduct further analysis to answer two questions: Could the same vulnerabilities exist in other Hospira devices? And what potential consequences could the flaws present for patients? DHS in turn contacted the Food and Drug Administration, which forwarded the report to Hospira. Months passed, and Rios got no response from the manufacturer and received no indication that government regulators planned to take action.

“The FDA seems to literally be waiting for someone to be killed before they can say, ‘OK, yeah, this is something we need to worry about,’ ” Rios says.

On a sunny fall day in Half Moon Bay, Rios grabs an iced coffee at a Starbucks in the city center. He’s fresh off a week of work in Oklahoma—one of those assignments he can’t talk about—and he’s looking forward to some family time. Maybe in a spare moment, he’ll grab one of the devices in his office and see what flaws he can find inside it.

One of those machines is exerting a powerful pull on him, as if begging to be hacked. After he was released from the hospital last year, he surfed around online and found the same CareFusion pump that had been tethered to him for two weeks. It now sits near a filing cabinet in his office.

“It’s next,” Rios says.

Full article: It’s Way Too Easy to Hack the Hospital (BloombergBusiness)

Comments are closed.