Feeds

back to article DHS warns of vulns in hospital medical equipment

The US Department of Homeland Security has warned hospitals and health clinics that many of the electronic medical devices in use at their facilities may be vulnerable to cybersecurity attacks. The affected devices include surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient …

COMMENTS

This topic is closed for new posts.
Bronze badge
Joke

Scary if so...

Talk about creating "sleeper cells". Van Winkle would be REALLY RIPPED by such a gassly scheme...

0
0
Silver badge
Unhappy

Medical Equipment

'They' tell everyone that a big part of medical expenses are due to the capital investment required by Drs and hospitals. New features are added to centralize data collection a facilitate chart consolidation and the price goes even higher. New features must be disabled, eliminating efficiencies that were supposed to drive costs down, but still the price goes higher. New machines with elementary level coding best practices must now be purchased, costs grow some more.

The manufacturers of these devices should be required to update them at their own expense. This is already looking like a 'critical' situation that will require the hospitals to request emergency (tax) funds from state and federal agencies. What kind of douche nozzles hardcore passwords into devices. Jesus that's stupid.

3
1

Maybe

How about having the monitoring equipment record to a "patient monitor" located, say, on the equipment panel beside the hospital bed. Then, a central sever could poll the "patient monitor" for info, rather than the individual equipment. That way, the equipment could be isolated from the network, and would not require password mods, etc. Security could focus on protecting access to the "patient monitor", which could be handled by each hospital or central monitoring location as they see fit.

1
1
Pint

Re: Maybe

Would work nicely if that pesky plug & play interoperability (including all that semantic guff) was fixed and used... unless of course (@ Don Jefe) a single source of equipment is preferable at ransom-level cost!

0
0

Predictable consequences

There goes the plot for the next Tom Cruise movie- th' President, or some other indispensable person, is about to undergo urgent life-saving surgery, BUT THE TERRORISTS HAVE HACKED THE OPERATING THEATER EQUIPMENT!!!

Can our plucky little scientologist (plus inevitable female sidekick with white hat skills) save the day?

6
0
M7S
Bronze badge

Re: Predictable consequences

It's already been done. Remote hacking of an implanted defibrillator (or very similar) was in Homeland

0
0
Flame

Predicted consequences

More to the point, security researchers have been flagging-up these vulnerabilities for several years (e.g. Jerome Radcliffe and his Medtronic insulin pump) with the uniform response from device manufacturers: "Nothing to see here, this isn't a problem (and if it becomes a problem we may sue you for making it public)".

Given this attitude by device manufacturers (and the likelihood that the DHS's intervention is more to do with self-publicity/funding than genuine human welfare/security) the suggestions above that they will simply use this as an opportunity to inflate profits by producing "secure" devices (any bets on an "unhackable/terrorist-proof" wifi insulin pump "protected" by WEP?) seem all too likely.

</cynic>

0
0
Silver badge

Updates and FDA regs

Most machines in hospitals run Windows, most are connected to the network and almost all have the auto update turned off - is anyone surprised?

3
1
Bronze badge

Re: Updates and FDA regs

Luckily in the UK the NHS avoids all this by only having equipment that was designed before the internet was a thing and all PC's run versions of windows so elderly that none of these young hackers remember how to hack them.......

3
0
Anonymous Coward

Re: Updates and FDA regs

And the hospital equipment uses Internet Explorer 6.0 and no anti-virus programs installed

0
0
Bronze badge
Windows

Re: Updates and FDA regs

I have personal experience of medical/scientific equipment controlled by networked PCs being broken by their controlling PCs after auto updates have been installed. The equipment was originally isolated from the Internet as it was "mission critical" - Then the IT support contractor persuaded the powers that be that it should be connected, so that it could be automatically updated because "it could get a virus unless it was updated".

1
0
Linux

Medical devices and the Internet

"The US Department of Homeland Security has warned hospitals and health clinics that many of the electronic medical devices in use at their facilities may be vulnerable to cybersecurity attacks.

"

Then don't fu****g connect them directly to the Internet ...

7
1
Anonymous Coward

Air gap

Doesen't matter, if they use RF anywhere (even a proprietry non-standard standard) then they are vulnerable to sideband interference attacks.

Say from those nice HomePlug adaptors that someone installed because "adding an extra LAN cable would cost £££" a few hundred feet away, leaking in through the mains wiring or suchlike.

I seem to recall that Freeview is "allergic" to Homeplug adaptors with a certain frequency spread, the newer more expensive ones actually include notching for this reason.

Same with 4G phones where the transmitter is turned on by default even where no 4G coverage exists, the equipment was never designed to function with such extreme interference.

disclaimer:- I used to work with said equipment :-)

1
0
WTF?

Why the hell are these on a network, let alone connected to the internet. All of this sort of thing should surely be completely standalone with no communication protocols to other devices.

2
1
Bronze badge

Because we don't spend every minute at the bed side.....

....the devices are networked so they can send data to remote monitoring stations at the other end of the ward. That way the person caring for the patients can see on just one screen every patient's status indicators (like ECG, oxygen saturations, arterial blood pressure, respiration rates etc.) as well as being alerted if there is a problem (like a line blockage) with any infusion pumps or other equipment attached to the patient.

Visual direct checks are nice but you don't have enough people to directly observe every patient for every minute of the day.

For the most part these systems are isolated from other networking (mostly so that other network issues don't interfere with the operation of vital monitoring rather than to protect the monitors from external influence) but these devices are often updated with firmware duing maintenance cycles and that's where the malware could gain entry.

0
0

Anasthesia?

Anaesthesia, surely.

0
0
Silver badge

I hate to sound like a broken record, but...

Yeah, I'm to mention the "c" word again.

Cloud.

There I said it.

0
0
This topic is closed for new posts.