Patient Monitors Altered, Drug Dispensary Popped In Colossal Hospital Hack Test (theregister.co.uk) 75
It's not just hospital networks that are in danger; mask.of.sanity writes with this story at The Register: Security researchers have exploited notoriously porous hospital networks to gain access to, and tamper with, critical medical equipment in attacks they say could put lives in danger. In tests, hospital hackers from the Independent Security Evaluators research team popped patient monitors, making them display false readings which could result in medical responses that injure or kill patients. Full paper here.
Well (Score:4, Insightful)
Re: (Score:2, Funny)
Re: (Score:2)
Not with the cheapest solution, that's for sure.
Re: (Score:2)
All bypassed by a USB stick plugged in at the Nurse's station.
Re: (Score:3)
Leeches are still used medically today and with good reason, you ill-educated nitwit.
Ditto bone saws.
Re: (Score:1)
Re: (Score:3)
How do you think electronic medical records get updated, exactly?
Using a secure intranet, bridged only to authorised parties using a VPN?
Re: (Score:2)
You realize that hospitals have dedicated IT staff that take care of this sort of stuff, right? There's no need for hospital administrators to be setting up VPNs.
And I think this is exactly the problem. Someone who doesn't know squat about the technology hires guys who may or may not know something about the technology - and from this point, every script kiddie in the world becomes a dangerous, perfidious Evil Genius dedicated to Terrorism(tm). Which makes it easier to stay in the job than to admit that you don't know squat about what you are doing, and neither does your boss know shit about how to hire good tech staff.
Re: (Score:2)
Good for you, realizing you're talking out of your ass. How do you think electronic medical records get updated, exactly? God forbid we try and track a patient long term, especially those with complex medical issues.
So what, no one got sick before networks and if they did they were proper fucked. Is that what you're saying? And why do they need to be exposed to the wider internet anyway?
Re: (Score:2)
In a way that's what happened with my father for a while - departments couldn't get records from another department in the same hospital, sometimes even when we hand delivered it!
Re: (Score:3)
"God forbid we try and track a patient long term, especially those with complex medical issues."
What, too lazy to use a fucking fax machine?
What're you going to do when your medical records system loses power and you can't access patient information?
That's why every doctor's office I go to keeps a CARBON COPY BACKUP.
Re: (Score:2)
And how do you query data from a paper fax? Some of these devices generate a massive amount of data (e.g. a heart monitor that records ECG signal data).
Whether or not there's a backup, there still needs to be a digital repository. I'd argue the devices should not be remote accessible and only push out data and pull commands from the central server, but that's still going to have security holes.
Re: (Score:2)
"And how do you query data from a paper fax?"
I see you know jack shit about medical billing. Here, let me help you with this very non-complex and highly reliable system we call a paper trail.
Phone call from one doctor to a different doctor's office: "Hi, this is Dr. X, I need records for our common Patient Y regarding their last checkup and test work performed on or around such and such date at your facility. Will you fax that over to me at 888-555-1212?"
Fax machine: Spits out patient records after they have
Re: Well (Score:2)
Who's talking about that? We're talking about high precision monitoring equipment, aren't we?
Paper records suck to manage (Score:3)
What, too lazy to use a fucking fax machine?
Great, now you have multiple copies in random locations with no cohesion AND you need extra staff to manage all the extra paper. Congratulations for taking a bad system and making it worse.
What're you going to do when your medical records system loses power and you can't access patient information?
Every hospital has fallback procedures for this exact scenario. These include robust power backup including generators. Furthermore even if there is a complete power loss for a time paper records are not going to make things better, especially in a large hospital. I don't think you comprehend just how hugely inefficie
Re: (Score:1)
"Great, now you have multiple copies in random locations with no cohesion AND you need extra staff to manage all the extra paper."
Apparently you don't know what the fuck is entailed in a medical records release. Generally, everything is sent, TO MAINTAIN COHESION IN DOCUMENTED PERFORMED MEDICAL PROCEDURES.
No point in trying to reply to the rest of your comment if you can't even make that logical conclusion.
Re: Paper records suck to manage (Score:2)
Apparently you don't understand medical records exchanges routinely do not include complete records. Even when they do send complete records they are typically required to keep a copy by law of procedures performed so there are multiple non-cohesive copies. Get a clue.
Re: (Score:2)
You do realize how insecure and ineffective fax tech actually is, right?
Re: (Score:2)
It's more secure than any network currently online has proven to be.
Re: (Score:2)
And when the doctor needs to submit information to the insurance company so they will pay for procedures, is he supposed to handwrite a duplicate? Or maybe he should use a typewriter? Surely he shouldn't fax a copy over the insecure POTS network.
Healthcare costs are already exploding, and now we're going to handle all records and payment processing by hand? Efficiency is one thing that no industry ever gives up willingly.
Modern doctors even use digital prescriptions. The last time I needed one, the doctor a
Re: (Score:2)
Paper records suck (Score:2)
Um, don't hook them up to the network?
Do we really need to enumerate the reasons that being able to transmit data over a network is helpful?
Have nurses do actual work with written data instead of some need with always being online?
Because doing that is expensive, difficult to share, error prone, inefficient and unnecessary. Paper records only really work for a small office where the paper can easily follow the patient and isn't likely to be needed elsewhere. That is rarely the case these days.
I could be talking out of my ass here but everything doesn't need to be online. Really?
You are talking out your ass. We network many (not all) medical devices because there are real, measurable benefits from doing so, both fin
Re: (Score:2)
Re: (Score:2)
One of the big issues is drug accountability. As an example, a Pyxis machine has multiple drawers and compartments and logs who gets what when. The chain of custody then requires it to be logged in when administered to a patient.
"Popped" (Score:2, Insightful)
This word is used twice this way in the summary. What does it mean to "pop" a dispensary or patient monitor?
Re: (Score:2)
Re: (Score:2)
Agreed. Worst title ever. I've read it like 7 times and I still have no idea what it is saying. Maybe that comma should be a semi-colon?
Re: (Score:2)
Sadly, it's verbatim from the source article at the Register. So, blame them.
What should really alarm is this:
Re: (Score:2)
This word is used twice this way in the summary. What does it mean to "pop" a dispensary or patient monitor?
As in popped its cherry? That's all I can think.
Re: (Score:2)
The Register has some weird terminology. For example, referring to Google as "The Chocolate Factory".
Re: (Score:2)
Haven't you heard? Everything is inflatable these days. It really cuts down on storage requirements!
Security? Thats for nerds. (Score:5, Insightful)
The new IoT stuff is wide open to hackers too. People seem to only care if they can control something with their iPhone so they can show off to friends. The sales people and manufacturers know this all too well and don't give a fuck about it.
Re: (Score:2)
The new IoT stuff is wide open to hackers too. People seem to only care if they can control something with their iPhone so they can show off to friends. The sales people and manufacturers know this all too well and don't give a fuck about it.
I'm stocking popcorn for the show. :-)
And building an IoT secure server for the few that want some kind of protection and isolation.
There's no such thing as a 100% secure system, but a 98% will do for mundane things. No one will spend the effort just to play tricks on the customer's living room illumination.
Re: (Score:2)
There's no such thing as a 100% secure system, but a 98% will do for mundane things. No one will spend the effort just to play tricks on the customer's living room illumination.
The nice thing about computers is that they can automate routine tasks. A hacker doesn't have to spend any effort "just to play tricks", he can have his computer do it automatically for him just for the lulz.
Re: (Score:2)
The nice thing about computers is that they can automate routine tasks. A hacker doesn't have to spend any effort "just to play tricks", he can have his computer do it automatically for him just for the lulz.
And the nicer thing about computers is that you can automate counter-measures and create honey-pots.
One really good hacker that would hack my servers by hand will eventually succeed - because he is smart enough to detect the honey pot and avoid being locked out while searching for the vulnerability.
But a bot? I have samples from years of server logs that I use to build a database of the most common attacks. None of these attacks will be a problem to me.
But an engaged, persistent human hacker? This guy is a t
Re: (Score:2)
Particularly when there are so many easier targets if he's interested in that kind of fun. "I don't have to be faster than the bear; I just have to be faster than you."
Re: (Score:2)
Re:Security? Thats for nerds. And Lawyers (Score:1)
When Security gets added to the Joint Commission reviews, that is when it will stick.
Come on (Score:3, Informative)
For the last 100 years any idiot could 'hack' the patient file hanging on the foot of the bed with a tool called a 'pen', changing 5 milligrams to 75 or whatever.
Now you need some brains.
Re: (Score:3, Insightful)
For the last 100 years any idiot could 'hack' the patient file hanging on the foot of the bed with a tool called a 'pen', changing 5 milligrams to 75 or whatever.
Quite true, but in order to do that you had to be physically present.
Now you need some brains.
Brains is not the problem.
The fact that you can do such nefarious hacking remotely is the problem. You no longer need to be physically present.
THAT is what is concerning.
Re: (Score:3)
Re: (Score:2)
My son was in intensive care at a major children's hospital for a week two years ago. While there was front desk security limiting access to the hospital past the public lobby area, once you were past that point it was trivial to go anywhere, including intensive care.
Intensive care itself had inherent limits on freedom to mess with patients in their rooms, but only because most patients in intensive care had dedicated, 24x7 nursing assigned in room.
The normal patient rooms didn't have any of these limitati
Re: (Score:2)
The paper says ... (Score:4, Informative)
Re: (Score:3)
Where do you see that? Page 36 sure sounds like they did:
On a disconnected network segment, our team demonstrated an authentication bypass attack to gain access to the patient monitor in question, and instructed it to perform a variety of disruptive tasks, such as sounding false alarms, displaying incorrect patient vitals, and disabling the alarm.
Wireless Monitors Commonplace (Score:1)
Most hospitals are now going with wireless monitors in many in-patient wings of a hospital. Emergency rooms still use tethered technology on the patient. This is actually a good thing as it provides patients the freedom to move around and go to the bathroom without waiting for a nurse or unhooking from monitoring equipment. If anyone would actually exploit a wireless device to harm someone in a hospital that is already sick, well, there's a special place in hell waiting for them.
Morphine Pump (Score:1)
My wife was hooked up to one of those automated morphine pumps for a day. Inside is a little stepper motor that pushes the plunger of a HUGE syringe full of drugs (under lock and key, of course).
That thing sure made me nervous. One software bug and that thing would push out enough morphine to kill an elephant. PLEASE don't hook that thing up to a network for ANY reason.
Time to buy BBRY (Score:1)
Re: (Score:2)
Stupid Headline (Score:2)
Why does every word start with a capital letter?
Is it a deliberate attempt to make it unreadable?
WTF does 'popped' mean here?
Do the editors ever read this crap?
Thank you internet of things (Score:2)
Re: (Score:2)
This has nothing to do with "internet of things", at least no more than a networked file server should be considered "internet of things". These are devices that have a legitimate need to report real time data over a network. It's totally different from a wifi enabled toaster.
In the end, it isn't. Wordsmith all you like, and do whatever allows you to rationalize that it isn't, but they are things attached to a network, and enjoy all the wonderful side effects that the connected toaster does. After all, that is exactly what the article is about.
Cognitive dissonance runs strong, but fear not, you can change the truth merely by denying it.
Re: (Score:2)
This has nothing to do with "internet of things", at least no more than a networked file server should be considered "internet of things". These are devices that have a legitimate need to report real time data over a network. It's totally different from a wifi enabled toaster.
The internet of things is things that are attached to the internet. This might be your toaster, this might be an X-ray machine, it might be a home heating system, or it might be a wifi enabled insulin pump or internet connected morphine administration unit or a refrigerator or a home surveillance or patient surveillance system, or MRI or CAT scanner or power plant. In short, a "thing" that gets instructions or programming or gives feedback via internal network or the internet.
Sorry, but I'm accustomed to
easy assassination (Score:2)