Hospitals have an increasing number of internet-enabled devices, all of which are hackable endpoints. Some connected devices, when infiltrated by a malicious agent, now pose a threat to people’s personal health and safety.
The potential threat of connected devices used in healthcare was brought to light after independent cyber security researcher Billy Rios announced that hospital drug pumps produced by Hospira, a leading medical supplier in the US, could be hacked due to vulnerabilities.
In a blog post (http://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulner...), Billy explained that he had found that drug library updates, which carry the lower and upper limits for the dosage of medicine that a patient can safely receive, could be changed remotely.
This led the US Food and Drug Administration (FDA) to take the unprecedented stance of strongly discouraging hospitals from using this brand of drug pump over fears of hacking.
The issues were related to design and insecure deployment.
Some of the vulnerabilities found by Billy Rios include:
• The ability to forge drug library updates to the infusion pump
• Unauthenticated telnet shell to root to the communications module
• Identical hardcoded credentials (service credentials) across different device lines
• Identical private keys across different device lines
• Identical encryption certificates across different device lines
• A slew of outdated software (>100 different vulnerabilities)
This case demonstrates the significant threat that connected devices pose to patient care if they are infiltrated by a malicious agent. Hospitals now have a lot more cyber threats to grapple with – it’s no longer just data but lives on the line.