Computer Viruses Are "Rampant" on Medical Devices in Hospitals; Researcher shows pacemakers can be hacked to kill

  • Posted by a hidden member.

    Oct 17, 2012 8:27 PM GMT
    http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices/

    A meeting of government officials reveals that medical equipment is becoming riddled with malware.

    Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable.

    While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion.

    Software-controlled medical equipment has become increasingly interconnected in recent years, and many systems run on variants of Windows, a common target for hackers elsewhere. The devices are usually connected to an internal network that is itself connected to the Internet, and they are also vulnerable to infections from laptops or other devices brought into hospitals. The problem is exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features.
  • Posted by a hidden member.

    Oct 17, 2012 9:22 PM GMT
    Who would ever dream of a virus being in a hospital?
  • Dominican_Gen...

    Posts: 379

    Oct 17, 2012 9:32 PM GMT
    All it takes is a big negligence lawsuit and the problem will be solved.
  • Posted by a hidden member.

    Oct 17, 2012 10:15 PM GMT
    There's a business opportunity there.
  • Posted by a hidden member.

    Oct 17, 2012 10:16 PM GMT
    paulflexes said: "Who would ever dream of a virus being in a hospital?"
    OK, yes, it made me smile. +1
  • Posted by a hidden member.

    Oct 17, 2012 11:52 PM GMT
    U.S. hospitals are barely starting to track patients in anything more sophisticated than Microsoft Excel, if even that. A friend of mine helped implement a third-party patient tracking system for a hospital chain about ten years ago. When returning ten years later working with another consulting firm, that hospital hadn't gotten any further...bugs in the original program were still the same bugs; issues they'd identified to be necessary improvements--to the software manufacturer--hadn't been improved.

    No way of knowing if these programmatic bugs had any effect on patient health as far as followup on medications or physical therapy. No, the high-dollar vanguard of software implementation has always been accounts receivable.
  • Posted by a hidden member.

    Oct 18, 2012 12:06 AM GMT
    I can vouch for this. It took my hospital's IS department (which is actually quite sophisticated in its use of information technology) a full year to upgrade from IE 6 to IE 7, when IE 9 is already out. Their rationale? Cerner (their software vendor) won't support Powerchart and IE 7 until then.

    And I still can't use Chrome or Firefox when logging on.
  • Posted by a hidden member.

    Oct 18, 2012 12:55 AM GMT
    As a dietetic intern, we are having to learn to use their DOS-based medical program...It is fucking 2012. I shouldn't have to use the keyboard instead of a mouse... I don't know how much hospitals make, but I'd think they'd make a fair amount for all of the 50 meds that each inpatient is on.
  • Posted by a hidden member.

    Oct 18, 2012 3:28 AM GMT
    Seriously, this is becoming a huge issue everywhere. My hospital even has iPhone implemented with an app for entering patients' vital signs for staff. It's not a problem now, but who knows what hackers will create more powerful.
  • Posted by a hidden member.

    Oct 19, 2012 1:27 PM GMT
    http://www.scmagazine.com.au/News/319508,hacked-terminals-capable-of-causing-pacemaker-mass-murder.aspx

    Security holes enable attackers to switch off pacemakers, rewrite firmware from 30 feet away.

    IOActive researcher Barnaby Jack has reverse-engineered a pacemaker transmitter to make it possible to deliver deadly electric shocks to pacemakers within 30 feet and rewrite their firmware.

    The effect of the wireless attacks could not be overstated — in a speech at the BreakPoint security conference in Melbourne today, Jack said such attacks were tantamount to “anonymous assassination”, and in a realistic but worst-case scenario, “mass murder”.

    In a video demonstration, which Jack declined to release publicly because it may reveal the name of the manufacturer, he issued a series of 830 volt shocks to the pacemaker using a laptop.

    The pacemakers contained a “secret function” which could be used to activate all pacemakers and implantable cardioverter-defibrillators (ICDs) in a 30-foot-plus vicinity.

    Each device would return model and serial numbers.

    “With that information, we have enough information to authenticate with any device in range,” Jack said.

    In reverse-engineering the terminals – which communicate with the pacemakers – he discovered no obfuscation efforts and even found usernames and passwords for what appeared to be the manufacturer’s development server.