It’s Insanely Easy to Hack Hospital Equipment

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/2014/04/hospital-equipment-vulnerable/

By Kim Zetter
Threat Level
Wired.com
04.25.14

When Scott Erven was given free rein to roam through all of the medical 
equipment used at a large chain of Midwest health care facilities, he knew 
he would find security problems–but he wasn’t prepared for just how bad it 
would be.

In a study spanning two years, Erven and his team found drug infusion 
pumps–for delivering morphine drips, chemotherapy and antibiotics–that can 
be remotely manipulated to change the dosage doled out to patients; 
Bluetooth-enabled defibrillators that can be manipulated to deliver random 
shocks to a patient’s heart or prevent a medically needed shock from 
occurring; X-rays that can be accessed by outsiders lurking on a 
hospital’s network; temperature settings on refrigerators storing blood 
and drugs that can be reset, causing spoilage; and digital medical records 
that can be altered to cause physicians to misdiagnose, prescribe the 
wrong drugs or administer unwarranted care.

Erven's team also found that, in some cases, they could blue-screen 
devices and restart or reboot them to wipe out the configuration settings, 
allowing an attacker to take critical equipment down during emergencies or 
crash all of the testing equipment in a lab and reset the configuration to 
factory settings.

"Many hospitals are unaware of the high risk associated with these 
devices," Erven says. "Even though research has been done to show the 
risks, health care organizations haven’t taken notice. They aren't doing 
the testing they need to do and need to focus on assessing their risks."

[...]

--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/