Another month, another medical device that can be hacked

Reports today say a new hacking threat has alarmed the medical community: a security researcher says he has discovered a way for hackers to change the dosage of medications delivered by a patient’s drug pump.

The security researcher, Billy Rios, had been testing several drug pumps for vulnerabilities. Earlier this year, he discovered that a hacker would be able to change the maximum level allowed for certain drugs, meaning that, if a higher dose of a particular drug was given, the device would not alert medical staff. The devices all have a “drug library” that holds information about maximum dosages for different medications. Rios discovered that access to that library didn’t have to be authenticated, so anyone on the hospital’s network could load a new one with higher maximum dosages.

On its own this wasn’t too alarming, since Rios hadn’t seen any way to change the dosage actually being administered. But he kept searching. He discovered that the connection in the pump that lets Hospira access and update the device’s firmware can also be used by hackers to upload a faulty update. The system doesn’t require updates to be authenticated and digitally signed. If you can update the firmware on the main board, you can make the pump do whatever you like.
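Both findings above come down to the pump accepting a drug library or a firmware image without checking who produced it. The sketch below is an added example, not code from Hospira, Rios or this article: a minimal device-side acceptance check in which the package layout, key and function names are assumptions, and HMAC stands in for a vendor signature only because it is in Python's standard library.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: HMAC stands in for the vendor signature because it
# is in the standard library; a real device would verify an asymmetric signature.
DEMO_KEY = b"constructed-demo-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def make_package(kind, payload, key=DEMO_KEY):
    """Vendor side: prepend an HMAC-SHA256 tag computed over header + payload."""
    header = json.dumps({"kind": kind, "length": len(payload)}, sort_keys=True).encode()
    signed = header + b"\n" + payload
    return hmac.new(key, signed, hashlib.sha256).digest() + signed

def accept_package(package, expected_kind, key=DEMO_KEY):
    """Device side: return the payload only if the tag verifies, else raise ValueError."""
    if len(package) <= TAG_LEN:
        raise ValueError("too short to carry a tag")
    tag, signed = package[:TAG_LEN], package[TAG_LEN:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication tag mismatch")
    # Parse the header only after the bytes have been authenticated.
    header_raw, _, payload = signed.partition(b"\n")
    header = json.loads(header_raw)
    if header["kind"] != expected_kind:
        raise ValueError("package kind does not match the operation")
    if header["length"] != len(payload):
        raise ValueError("length field does not match payload")
    return payload

def verdict(package, expected_kind):
    """Helper for the demo: report the device's decision as a string."""
    try:
        accept_package(package, expected_kind)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"

# Constructed sample drug library (drug name and limit are made up).
LIBRARY = json.dumps({"drug_x": {"max_mg_per_hr": 10}}).encode()
GOOD = make_package("drug_library", LIBRARY)
RAISED_LIMIT = GOOD[:-4] + b"99}}"  # same length, maximum changed after tagging

if __name__ == "__main__":
    print("vendor package:     ", verdict(GOOD, "drug_library"))
    print("edited maximum:     ", verdict(RAISED_LIMIT, "drug_library"))
    print("no tag at all:      ", verdict(LIBRARY, "drug_library"))
    print("library as firmware:", verdict(GOOD, "firmware"))
```

Only the untouched vendor package is accepted; the library with a raised maximum, the untagged library and the library presented as firmware are all refused before any of their content is used.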

Commenting on this rather scary story, Lancope CTO, TK Keanini, said:

“The Internet connects computers around the world, and these devices have transformed over the years.  From giant systems that fill an entire room, to the Internet of Things, the Internet also connects us with cyber criminals; unfortunately, you will be a target of their activities, frequently without being aware. Now that practically every device we use – from printers to thermostats to medical equipment – is connected to the Internet, the security of ‘things’ has become a scarily large topic. In fact, by 2020, 26 billion objects will be connected to the internet. Unless we can quickly adapt to the Internet of Things, the next compromise will likely be on a massive scale and could affect the most intimate levels of our lives. Today you may tend to the security of maybe several devices. However, with the Internet of Things, you will add your car, all of the home and even medical devices as this story mentions. These talented bad guys will find a way to compromise the system and then you will need an update. Most people will never update these Internet of Things devices and herein lies the real issue.  Securing a system is about constantly being able to adapt to the changing threat environment. We have a hard enough time updating all our current applications, now add 30 more devices from 10 different vendors and you see the problem.”