Patient Monitors Altered, Drug Dispensary Popped In Colossal Hospital Hack Test

It's not just hospital networks that are in danger; mask.of.sanity writes with this story at The Register: Security researchers have exploited notoriously porous hospital networks to gain access to, and tamper with, critical medical equipment in attacks they say could put lives in danger. In tests, hospital hackers from the Independent Security Evaluators research team popped patient monitors, making them display false readings which could result in medical responses that injury or kill patients. Full paper here.

Well

[jarablue]

Um, don't hook them up to the network? Have nurses do actual work with written data instead of some need with always being online? I could be talking out of my ass here but everything doesn't need to be online. Really?

Re:Well

1973 called, they want their medical technology back. Please include a supply of leaches and a decent tome on the four medical humors. Oh, and a bone saw.

Re:Well

[BigMattyC]

Good for you, realizing you're talking out of your ass. How do you think electronic medical records get updated, exactly? God forbid we try and track a patient long term, especially those with complex medical issues.

Re:Well

[Lisias]

How do you think electronic medical records get updated, exactly?

Using a secure intranet, bridged only to authorised pars using a VPN ?

Re:Well

1973 called, they want their medical technology back. Please include a supply of leaches and a decent tome on the four medical humors. Oh, and a bone saw.

Speaking of decades ago, Common F. Sense is ringing in on the other line.

He wants to know where the fuck your firewall, private network, and VPN is, moron.

Re:Well

[NatasRevol]

Not with the cheapest solution, that's for sure.

Re:Well

[stealth_finger]

Good for you, realizing you're talking out of your ass. How do you think electronic medical records get updated, exactly? God forbid we try and track a patient long term, especially those with complex medical issues.

So what, no one got sick before networks and if they did they were proper fucked. Is that what you're saying? And why do they need to be exposed to the wider internet anyway?

Re:Well

[Khyber]

Leeches are still used medically today and with good reason, you ill-educated nitwit.

Ditto bone saws.

Re:Well

[Khyber]

"God forbid we try and track a patient long term, especially those with complex medical issues."

What, too lazy to use a fucking fax machine?

What're you going to do when your medical records system loses power and you can't access patient information?

That's why every doctor's office I go to keeps a CARBON COPY BACKUP.

Re:Well

Um, don't hook them up to the network? Have nurses do actual work with written data instead of some need with always being online?

I could be talking out of my ass here but everything doesn't need to be online. Really?

Yep, you certainly are talking out of your ass. We capture monitor data on some devices at up to 240 Hz. Good luck getting a nurse to do that. Even if it were humanly possible to do so, nurses generally bitch when you add 5 seconds of extra work to their usual workload.

Re:Well

You heard it here first, Hospital Administrators. Get out there and create your own hospital intranets. If you act now, you can ask this fellow to help you, there's no doubt he can set one up in an afternoon.

You realize that hospitals have dedicated IT staff that take care of this sort of stuff, right? There's no need for hospital administrators to be setting up VPNs.

Re:Well

"God forbid we try and track a patient long term, especially those with complex medical issues."

What, too lazy to use a fucking fax machine?

What're you going to do when your medical records system loses power and you can't access patient information?

That's why every doctor's office I go to keeps a CARBON COPY BACKUP.

Can you please provide me with the SQL I can use to join my Patients table with the faxed medical records? Our medical researchers would really appreciate it.

Try to refrain from further moronic comments until you actually get a clue what you are talking about. Thanks.

Re:Well

[EndlessNameless]

And when the doctor needs to submit information to the insurance company so they will pay for procedures, is he supposed to handwrite a duplicate? Or maybe he should use a typewriter? Surely he shouldn't fax a copy over the insecure POTS network.

Healthcare costs are already exploding, and now we're going to handle all records and payment processing by hand? Efficiency is one thing that no industry ever gives up willingly.

Modern doctors even use digital prescriptions. The last time I needed one, the doctor asked me if I would pick it up at a nearby pharmacy. I identified the CVS that was on my way home, and he sent it from his laptop. It was ready for pickup by the time I got there.

Given the convenience for both the doctor and the patient, the move to digital is not going to reverse even if you could ignore the economic benefits.

Talk up breaches and security and privacy so things can get fixed, but don't even bother trying to take it back offline. It simply won't happen.

Re:Well

[omnichad]

And how do you query data from a paper fax? Some of these devices generate a massive amount of data (e.g. a heart monitor that records ECG signal data).

Whether there's a backup, there still needs to be a digital repository. I'd argue the devices should not be remote accessible and only push out data and pull commands from the central server, but that's still going to have security holes.

Re:Well

[Lisias]

You realize that hospitals have dedicated IT staff that take care of this sort of stuff, right? There's no need for hospital administrators to be setting up VPNs.

And I think this is exactly the problem. One that doesn't knows squat about the technology hires guys that can or can not know something about the technology - and from this point, every script kiddie in the World became a dangerous, perfidious, Evil Geniuses dedicated to Terrorism(tm). What's make easier staying in the job that admitting that you don't know squat about what you are doing, neither your boss knows shit about how to hire good tech staff.

Re:Well

[sjames]

All bypassed by a USB stick plugged in at the Nurse's station.

Re:Well

[pnutjam]

Digital is only convenient for the insurance companies, not the doctors. Most would prefer to go back to dictation.

Re:Well

[Nethemas+the+Great]

You forgot to read the bit about leaving USB drives scattered about and dumb staff looking at what was on them--on their offline network. But the short answer is no, they cannot be offline. Human error and latency is a greater risk than the occasional drive by hack. Hospital IT, medical device manufactures, etc. simply have not prioritized, nor resourced security sufficiently. Most people in the know, have simply made it a matter of course to stay quite about the issues and hope to get away with not doing something about. Many others, are just simply clueless, lack training and/or improperly positioned.

Re:Well

[armanox]

You do realize how insecure and ineffective fax tech actually is, right?

Re:Well

[armanox]

In a way that's what happened with my father for a while - departments couldn't get records from another department in the same hospital, sometimes even when we hand delivered it!

Re:Well

Yes, but bone-saws are no longer the state-of-the-art for dealing with localized infections... which is what they were referring to.

Re:Well

[aaarrrgggh]

One of the big issues is drug accountability. As an example, a Pyxis machines has multiple drawers and compartments and log who gets what when. The chain of custody then requires it to be logged in when administered to a patient.

Re:Well

What's make easier staying in the job that admitting that you don't know squat about what you are doing, neither your boss knows shit about how to hire good tech staff.

English, motherfucker... Do. You. Speak. It?

[With apologies to Pulp Fiction...]

Re:Well

[Khyber]

"And how do you query data from a paper fax?"

I see you know jack shit about medical billing. Here, let me help you with this very non-complex and highly reliable system we call a paper trail.

Phone call from one doctor to a different doctor's office: "Hi, this is Dr. X, I need records for our common Patient Y regarding their last checkup and test work performed on or around such and such date at your facility. Will you fax that over to me at 888-555-1212?"

Fax machine: Spits outpatient records after they have been found and scanned, or transmitted to digital fax.

It's that fucking simple.

Re:Well

[Khyber]

It's more secure than any network currently online has proven to be.

Re: Well

[omnichad]

Who's talking about that? We're talking about high precision monitoring equipment, aren't we?

Re: Well

that's questionable. generally it isn't the hospital itself doing the hiring, but an agency the hospitals hire, which usually have focus on setting up teams for large it groups. some hospitals of course do this on their own, but those are usually university involved or affiliated to some entity

"Popped"

This word is used twice this way in the summary. What does it mean to "pop" a dispensary or patient monitor?

Re:"Popped"

[DigiShaman]

Explode!!! As in, fire, smoke, lightning!!! Kind of like how the crew of the Star trek Enterprise gets thrown halfway across the room from the console when a photon torpedo hits.

Re:"Popped"

[danbert8]

Agreed. Worst title ever. I've read it like 7 times and I still have no idea what it is saying. Maybe that comma should be a semi-colon?

Re:"Popped"

[gstoddart]

Sadly, it's verbatim from the source article at the Register. So, blame them.

What should really alarm is this:

The perennial lure of USB as bait works too. The team dropped 18 sticks around hospitals loaded with malware that executed on nursing stations - terminals that are something of a gold mine for attackers because they retain harvestable credentials for nurses and physicians who log in.

From a humble USB stick, the hackers say they busted in to hospital drug dispensary service. That work-in-progress could grant the team the ability to manipulate inventory. "If this medication were then given to a patient, it would likely harm or kill the patient," they say.

So, scattering around random USB sticks will cause hospital staff to go "ooh, shiny" and plug into computers used for medical purposes.

Basically there is a huge problem, likely not limited to hospitals, in which basic security is non-existent, and networks are way out of date and insecure to begin with.

I suspect a lot of corporations would fall for the exact same thing. And that's quite scary.

Re:"Popped"

[stealth_finger]

This word is used twice this way in the summary. What does it mean to "pop" a dispensary or patient monitor?

As in popped it's cherry? That's all I can think.

Re:"Popped"

[omnichad]

The Register has some weird terminology. For example, referring to Google as "The Chocolate Factory"

Re: "Popped"

In the case of "drug dispensary popped" they are referring to the automated dispensing cabnets located out of the pharmacy and in the local unit (such as the emergency room). "Popping" would mean the unauthorized unlocking of compartments so the wrong drug is dispensed or controlled substances can be stolen.

Re:"Popped"

[sjames]

Haven't you heard? Everything is inflatable these days. It really cuts down of storage requirements!

dispense with the sideshow bob media charades

fake history & heritage collapsing .. https://www.youtube.com/watch?v=MZdZSOZIb6c truth+mercy=justice,, cease fire. in the moms we trust...

If the patient survives that

Wait until they he gets the hospital bill.

Security? Thats for nerds.

[bazmail]

This is symptomatic of the general tech ignorant populace not caring about security intil its too late. This incident will blow over and security will be forgotten about again until the real bad guys come calling.

The new IoT stuff is wide open to hackers too. People seem to only only care if they can control something with their iphone so can show off to friends. The sales people and manufacturers know this all too well and don't give a fuck about it.

Re:Security? Thats for nerds.

[Lisias]

The new IoT stuff is wide open to hackers too. People seem to only only care if they can control something with their iphone so can show off to friends. The sales people and manufacturers know this all too well and don't give a fuck about it.

I'm stocking popcorns for the show. :-)

And building a IoT secure server for the few that want some kind of protection and isolation.

There's no such a thing for a 100% secure system, but a 98% will do for mundane things. No one will spend the effort just to play tricks on the customer's living room illumination.

Re:Security? Thats for nerds.

[Fnord666]

There's no such a thing for a 100% secure system, but a 98% will do for mundane things. No one will spend the effort just to play tricks on the customer's living room illumination.

The nice thing about computers is that they can automate routine tasks. A hacker doesn't have to spend any effort "just to play tricks", he can have his computer to it automatically for him just for the lulz.

Re:Security? Thats for nerds.

[Chris+Mattern]

No one will spend the effort just to play tricks on the customer's living room illumination.

Particularly when then are so many easier targets if he's interested in that kind of fun. "I don't have to be faster than the bear; I just have to be faster than you."

Re:Security? Thats for nerds.

[Lisias]

The nice thing about computers is that they can automate routine tasks. A hacker doesn't have to spend any effort "just to play tricks", he can have his computer to it automatically for him just for the lulz.

And the nicer thing about Computers is that you can automate counter-measures and create honey-pots.

One really good hacker that would hack my servers by hand will eventually succeed - because he is smart enough to detect the honey pot and avoid being locked out while searching for the vulnerability.

But a bot? I have samples from years of server logs that I use to build a database of the most common attacks. None of these attacks will be a problem to me.

But a engaged, persistent human hacker? This guy is a threat to me.

Re:Security? Thats for nerds.

[Bengie]

"98%: secure is only useful when you're special snowflake and a hacker must spend time figuring out your system. If you're 98% secure and your system is identical to hundreds of others, you will just be caught in a net instead of harpooned.

Come on

[nospam007]

For the last 100 years any idiot could 'hack' the patient file hanging on the foot of the bed with a tool called a 'pen', changing 5 milligrams to 75 or whatever.
Now you need some brains.

Re:Come on

[Fish+(David+Trout)]

For the last 100 years any idiot could 'hack' the patient file hanging on the foot of the bed with a tool called a 'pen', changing 5 milligrams to 75 or whatever.

Quite true, but in order to do that you had to be physically present.

Now you need some brains.

Brains is not the problem.

The fact that you can do such nefarious hacking remotely is the problem. You no longer need to be physically present.

THAT is what is concerning.

Re:Come on

[jomama717]

"Hacking" a hand-written chart requires physical access to the chart, which requires physical access to the hospital room, which means you'll likely be seen by the front desk (who would need to actively let you in), security cameras, nurses, the patient etc. If the networked devices are vulnerable you could modify every chart from the back of a van in the parking lot or, worst case, from your parents' basement.

Re:Come on

[gurps_npc]

Doing so required physical access, which for the last 20 years required exposure to video cameras.

Re:Come on

[swb]

My son was in intensive care at a major children's hospital for a week two years ago. While there was front desk security limiting access to the hospital past the public lobby area, once you were past that point it was trivial to go anywhere, including intensive care.

Intensive care itself had inherent limits on freedom to mess with patients in their rooms, but only because most patients in intensive care had dedicated, 24x7 nursing assigned in room.

The normal patient rooms didn't have any of these limitations, so in theory a paper chart would be quite vulnerable.

And the only reason they have the security guard up front is probably a mix of "think of the children" (for once, where it's kind of appropriate). But primarily because the hospital complex is smack dab in the middle of one of the worst neighborhoods in the city and has kind of a Fort Apache mindset to keep out the undesirables.

Re:Come on

However, for the last 100 years that person had to be in the hospital. Now someone from some country I have never even heard of or anywhere can do it. No mater there motivation, physical presence being required is a layer of security in itself. Your argument that things are better no is ridiculous.

Incoherent summary

What the fuck is the summary author trying to say? I've read more coherent English written by non-English speaking retarded children.

Re:Incoherent summary

They surely had never won a spelling bee with these colossal spelling errors.

How dare you!

Progress!

And also, if we'd fix all those systems we couldn't enjoy ourselves crying "hack" all over the media all over again. Whatever that means. HACK!

The paper says ...

[Ihlosi]

The paper says they didn't hack the patient monitor, only considered such devices as possible attack targets.

Re:The paper says ...

[SlaveToTheGrind]

Where do you see that? Page 36 sure sounds like they did:

On a disconnected network segment, our team demonstrated an authentication bypass attack to gain access to the patient monitor in question, and instructed it to perform a variety of disruptive tasks , such as sounding false alarms, displaying incorrect patient vitals, and disabling the alarm.

Wireless Monitors Commonplace

Most hospitals are now going with wireless monitors in many in-patient wings of a hospital. Emergency rooms still use tethered technology on the patient. This is actually a good thing as it provides patients the freedom to move around and go to the bathroom without waiting for a nurse or unhooking from monitoring equipment. If anyone would actually exploit a wireless device to harm someone in a hospital that is already sick well there's a special place in hell waiting for them.

Morphine Pump

My wife was hooked up to one of those automated morphine pumps for a day. Inside is a little stepper motor that pushes the plunger of a HUGE syringe full of drugs (under lock and key, of course).

That thing sure made me nervous. One software bug and that thing would push out enough morphine to kill an elephant. PLEASE don't hook that thing up to a network for ANY reason.

Re:Morphine Pump

Seems like what you're describing sounds like a class 3 medical device. If that device were hooked up to the network (and that's a big "if"), the FDA would most likely require hardware interlocks on the device to prevent it from killing someone with a morphine overdose.

Dude?

Have you seen the inside of a hospital lately. In my area, the nurses in the hospitals spend an enormous amount of their day standing at mobile workstations, inputting patient information and documenting every little thing. I seriously believe that they are spending upwards of 60% of their time "supposedly" doing data entry. Though, for all I know they could be on Facebook or Slashdot. Regardless, the point is that in the instances that I have observed, they're only spending 40% of their time actually dealing with patients.

The mobile workstations are regular computers connected to a WiFi network, monitors(touch screen), keyboard, mouse, rechargeable battery pack, on a wheeled pole, think giant intravenous bag pole.

Re:Security? Thats for nerds. And Lawyers

[McLae]

When the first lawsuit comes for a patient injury due to poor security, every hospital in the country will do a crash security program! With consultants, expert recommendations, the whole nine yards.

When Security gets added to the Joint Commission reviews, that is when it will stick.

Re:Security? Thats for nerds. And Lawyers

And health care costs will rise again. But guess what? They won't go back down after the security programs are all implemented...

Time to buy BBRY

[ArhcAngel]

As more of these high profile hacks emerge BlackBerry's expertise is suddenly in vogue again. And BlackBerry is actually well positioned to take advantage. I think with Chen at the helm they've got a good shot at taking a lion share of securing medical and IoT.

Re:Time to buy BBRY

[ArhcAngel]

To whomever modded this offtopic you might try actually following the links. Blackberry Healthcare is at the forefront of securing your medical records while expanding your doctor's ability to recall those records on the fly.

Paper records suck

[sjbe]

Um, don't hook them up to the network?

Do we really need to enumerate the reasons that being able to transmit data over a network is helpful?

Have nurses do actual work with written data instead of some need with always being online?

Because doing that is expensive, difficult to share, error prone, inefficient and unnecessary. Paper records only really works for a small office where the paper can easily follow the patient and isn't likely to be needed elsewhere. That is rarely the case these days.

I could be talking out of my ass here but everything doesn't need to be online. Really?

You are talking out your ass. We network many (not all) medical devices because there are real, measurable benefits from doing so, both financial and quality of care. Yes there are problems with doing this but there are bigger problems with not doing it.

Paper records suck to manage

[sjbe]

What, too lazy to use a fucking fax machine?

Great, now you have multiple copies in random locations with no cohesion AND you need extra staff to manage all the extra paper. Congratulations for taking a bad system and making it worse.

What're you going to do when your medical records system loses power and you can't access patient information?

Every hospital has fallback procedures for this exact scenario. These include robust power backup including generators. Furthermore even if there is a complete power loss for a time paper records are not going to make things better, especially in a large hospital. I don't think you comprehend just how hugely inefficient paper records actually are to use. Ironic given that you are posting to a site like slashdot.

That's why every doctor's office I go to keeps a CARBON COPY BACKUP.

No they don't. My wife is a doctor and I've worked in hospital systems. I'm aware of NO medical office that keeps a carbon copy backup of all their paperwork. In fact I've never even seen a piece of carbon paper in a doctors office in the last 20 years.

Re:Paper records suck to manage

[Khyber]

"Great, now you have multiple copies in random locations with no cohesion AND you need extra staff to manage all the extra paper."

Apparently you don't know what the fuck is entailed in a medical records release. Generally, everything is sent, TO MAINTAIN COHESION IN DOCUMENTED PERFORMED MEDICAL PROCEDURES.

No point in trying to reply to the rest of your comment if you can't even make that logical conclusion.

Re: Paper records suck to manage

[sjbe]

Apparently you don't understand medical records exchanges routinely do not include complete records. Even when they do send complete records they are typically required to keep a copy by law of procedures performed so there are multiple non-cohesive copies. Get a clue.

Stupid Headline

[swell]

Why does every word start with a capital letter?
Is it a deliberate attempt to make it unreadable?
WTF does 'popped' mean here?
Do the editors ever read this crap?

Thank you internet of things

[Ol+Olsoc]

This is what you bring us.

Re:Thank you internet of things

This has nothing to do with "internet of things", at least no more than a networked file server should be considered "internet of things". These are devices that have a legitimate need to report real time data over a network. It's totally different from a wifi enabled toaster.

Re:Thank you internet of things

[Ol+Olsoc]

This has nothing to do with "internet of things", at least no more than a networked file server should be considered "internet of things". These are devices that have a legitimate need to report real time data over a network. It's totally different from a wifi enabled toaster.

In the end, it isn't. Wordsmith all you like, and do whatever allows you to rationalize that it isn't. but they are things attached to a network, an enjoy all the wonderful side effects that teh connected toaster. After all, that is exactly what the article is about.

Colgnitive dissonance runs strong, but fear not, you can change the truth merely by denying it.

Re:Thank you internet of things

This has nothing to do with "internet of things", at least no more than a networked file server should be considered "internet of things". These are devices that have a legitimate need to report real time data over a network. It's totally different from a wifi enabled toaster.

In the end, it isn't. Wordsmith all you like, and do whatever allows you to rationalize that it isn't. but they are things attached to a network, an enjoy all the wonderful side effects that teh connected toaster. After all, that is exactly what the article is about.

Colgnitive dissonance runs strong, but fear not, you can change the truth merely by denying it.

Sorry, but I'm accustomed to the term "internet of things" being sort of a pejorative term relating to connecting a bunch of more or less frivolous stuff to the internet. Even something like a wifi thermostat, while offering some legitimate functionality, is still pretty frivolous. If it's not some frivolous connectivity (ex: a heart monitor reporting its vital data to a central health monitoring server), I generally just think of it as "a computer network", not an "internet of things".

Maybe my understanding of the term is incomplete, but that's how I've always seen it used, and that what I think of when I see the term. No cognitive dissonance required. On the other hand, a deep-seated tendency to be an asshole IS required to type up a post in the tone you did.

Re:Thank you internet of things

[Ol+Olsoc]

This has nothing to do with "internet of things", at least no more than a networked file server should be considered "internet of things". These are devices that have a legitimate need to report real time data over a network. It's totally different from a wifi enabled toaster.

The internet of things, is things that are attached to th internet. This might be your toaster, this might ba an X-ray machine, it might be a home heating system, or it might be a wifi enabled insulin pump or internet connected morphine administration unit or a refrigerator or a home surveillance or patient surviellance system, or Mir or CAT scanner or power plant. in short, a "thing" that gets instructions or programming or gives feedback via internal network or the internet.

Sorry, but I'm accustomed to the term "internet of things" being sort of a pejorative term relating to connecting a bunch of more or less frivolous stuff to the internet. Even something like a wifi thermostat, while offering some legitimate functionality, is still pretty frivolous.

Well, I'll try to be as nice as possible, but you are wrong. It's according to the above. The concept is exactly the same. Hospitals are one of the early adopters of the internet of things. We've seen a couple of cases recently where they've been hacked. One of them even paid a ransom to get their computer system back. The hospital cancelled many of it's operations because they were life critical devices that may have been or were compromised.

If it's not some frivolous connectivity (ex: a heart monitor reporting its vital data to a central health monitoring server), I generally just think of it as "a computer network", not an "internet of things".

The industry disagrees with you. https://en.wikipedia.org/wiki/... Medical and healthcare systems are indeed considered part of the internet of things.

Maybe my understanding of the term is incomplete, but that's how I've always seen it used, and that what I think of when I see the term.

The silly stuff is indeed part of it. But it's a part of it. It isn't some definition I made up while trying to hurt your feelings. You are simply wrong.

On the other hand, a deep-seated tendency to be an asshole IS required to type up a post in the tone you did.

I am most simply guilty as charged, No deep seated tendency needed.

But dear coward, my being an asshole does not make me wrong.

easy assassination

[WindBourne]

No doubt, assassination has already occurred via this method. However, because so much of the medical world has no real understanding of security, this has gone undetected.

Best Hacker ever

  Do you require services of a certified and experienced ethical hacker for your
general ethical and specialized Hacks?
+ Contact us at leehacks92@gmail.com,serious enquiries only!