http://www.wired.com/2014/04/hospital-equipment-vulnerable/
By Kim Zetter
Threat Level
Wired.com
04.25.14
When Scott Erven was given free rein to roam through all of the medical
equipment used at a large chain of Midwest health care facilities, he knew
he would find security problems–but he wasn’t prepared for just how bad it
would be.
In a study spanning two years, Erven and his team found drug infusion
pumps–for delivering morphine drips, chemotherapy and antibiotics–that can
be remotely manipulated to change the dosage doled out to patients;
Bluetooth-enabled defibrillators that can be manipulated to deliver random
shocks to a patient’s heart or prevent a medically needed shock from
occurring; X-rays that can be accessed by outsiders lurking on a
hospital’s network; temperature settings on refrigerators storing blood
and drugs that can be reset, causing spoilage; and digital medical records
that can be altered to cause physicians to misdiagnose, prescribe the
wrong drugs or administer unwarranted care.
Erven's team also found that, in some cases, they could blue-screen
devices and restart or reboot them to wipe out the configuration settings,
allowing an attacker to take critical equipment down during emergencies or
crash all of the testing equipment in a lab and reset the configuration to
factory settings.
"Many hospitals are unaware of the high risk associated with these
devices," Erven says. "Even though research has been done to show the
risks, health care organizations haven’t taken notice. They aren't doing
the testing they need to do and need to focus on assessing their risks."
[...]
--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/
