The idea that hackers could kill somebody in a hospital reads like a bad TV show logline. Like something you’d see on CSI: Cyber, which is full of questionable computer science and silly leaps in logic. But a new, two-year evaluation of hospital digital security shows that just the opposite is true and, in theory at least, hackers really could attack patients with the stroke of a key.
The issue is that digital security in hospitals is focused on protecting patient records, as part of complying with federal mandates. Unfortunately, as a group of white-hat hackers found, that means the security on everything else is dangerously lax. Among the patient attack scenarios laid out: active medical devices like pacemakers and insulin pumps could be compromised to deny treatment or overdose the patient, pharmacy records could be altered to provide patients with the wrong prescription, and even the fire suppression systems could be triggered during surgery.
Unfortunately, there’s no one root cause for the lack of security here. Everything from poor training to old hardware to custom-engineered software that isn’t properly tested comes up as an issue. Just like your fridge can compromise your Gmail or your Nissan Leaf could have its battery run down by anybody who knew your VIN, a lot of medical devices have poorly considered security that hospital staff might not even be aware of. In some cases, the hackers were able to breach the system just by leaving USB drives lying around and waiting for hospital staff to plug them into the network, or even by logging into the system using a publicly accessible terminal.
The good news is that there’s been no attempt to assassinate somebody with an incorrect medication order or by delaying their surgery just yet. But unless hospitals tighten up their digital security, it may only be a matter of time.
(Via Security Evaluators)