General Discussion
Related: Editorials & Other Articles, Issue Forums, Alliance Forums, Region ForumsWhy It’s Insanely Easy to Hack Hospital Equipment
http://www.wired.com/2014/04/hospital-equipment-vulnerable/When Scott Erven was given free reign to roam through all of the medical equipment used at a large chain of Midwest health care facilities, he knew he would find security problemsbut he wasnt prepared for just how bad it would be.
In a study spanning two years, Erven and his team found drug infusion pumpsfor delivering morphine drips, chemotherapy and antibioticsthat can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patients heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospitals network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.
Ervens team also found that, in some cases, they could blue-screen devices and restart or reboot them to wipe out the configuration settings, allowing an attacker to take critical equipment down during emergencies or crash all of the testing equipment in a lab and reset the configuration to factory settings.
Many hospitals are unaware of the high risk associated with these devices, Erven says. Even though research has been done to show the risks, health care organizations havent taken notice. They arent doing the testing they need to do and need to focus on assessing their risks.
<snip>
http://www.wired.com/2014/04/hospital-equipment-vulnerable/
MineralMan
(146,317 posts)I imagine that the level of threat for them is very small. That's not to say that they shouldn't utilize some sort of security to control access, but at what level? Password required? Well, that's a good idea, but it would be highly likely that the same password would be used at healthcare facilities for all equipment, since a variety of people would need access on a daily basis. So, that wouldn't be very secure, and wouldn't really be secure at all after a very short time.
The balance between accessibility and security is a difficult one, so the level of threat is part of the assessment.
Who would be likely to hack these devices? That's the question that is, or should be, asked. Convenience for the caregivers who must use these devices and on a frequent basis probably overrides the security concerns, I'd think.
LiberalArkie
(15,716 posts)MineralMan
(146,317 posts)I don't think the threat is really measurable in normal circumstances, though. Apparently, that feature can be disabled, if necessary. Most of the devices mentioned in the OP were hospital devices, and are controlled by caregivers, as needed. I can see real issues with strong security in that situation. Some of those issues might cause delays in care that is needed, and the risk of some unauthorized person accessing the devices or even knowing that they can be accessed seems vanishingly small to me.
cbayer
(146,218 posts)I can understand the need to increase security for particular patients, but do hospitals really need another layer of bueracratic mess to ensure that they have high level security on all their devices.
Many hospitals are barely making it and the ones that treat the poorest and neediest in our country are the ones struggling the most.
The money they have needs to be spent on patient care, not issues like this.
And is there any evidence that this is a problem in real life? Are the people who are "revealing" all of this in the business of selling the fix?
AllenSpangler
(1 post)Many experts say that generally hospitals are ignorant of the high risk linked with medical devices. Even though researchers usually warned about the risks, health care centers have not taken notice. The security experts knows that it's easy to hack some medical devices used in hospitals, thus security measures should be applied by the hospitals to avoid unauthorized access to such devices and encrypt all the data of patient.