Here’s a finding which should give us some pause. Just about every system in a hospital is insanely easy to hack:
When Scott Erven was given free rein to roam through all of the medical equipment used at a large chain of Midwest health care facilities, he knew he would find security problems–but he wasn’t prepared for just how bad it would be.
In a study spanning two years, Erven and his team found drug infusion pumps–for delivering morphine drips, chemotherapy and antibiotics–that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.
Erven’s team also found that, in some cases, they could blue-screen devices and restart or reboot them to wipe out the configuration settings, allowing an attacker to take critical equipment down during emergencies or crash all of the testing equipment in a lab and reset the configuration to factory settings.
“Many hospitals are unaware of the high risk associated with these devices,” Erven says. “Even though research has been done to show the risks, health care organizations haven’t taken notice. They aren’t doing the testing they need to do and need to focus on assessing their risks.”
This highlights something I’ve cautioned my clients about from time to time. You can’t take security for granted. It’s an attitude. If you don’t insist on and maintain system security in a systematic manner, your systems won’t be secure.
That applies to every organization from a retail store to a hospital but hospitals are a particularly horrifying example. I stopped doing business with Target flat when their security problems were revealed last year. When it turned out that the breach was due to malware having been injected into their point-of-sale systems, it was clear that the organization was simply not security-minded.