Slashdot Mirror

← Back to Stories (view on slashdot.org)

Over 1,400 Vulnerabilities Found In Automated Medical Supply System

Posted by msmash on from the seeking-immediate-attention dept.

An anonymous reader writes: Security researchers have discovered 1,418 vulnerabilities in CareFusion's Pyxis SupplyStation system -- automated cabinets used to dispense medical supplies -- that are still being used in the healthcare and public health sectors in the US and around the world. The vulnerabilities can be exploited remotely by attackers with low skills, and exploits that target these vulnerabilities are publicly available. Things already seem to be getting out hand.

7 of 85 comments (clear)

  1. No surprise by marcansoft · · Score: 4, Insightful

    Medical and healthcare companies consistently seem to have *no idea* whatsoever about security, and *no idea* that they actually need to hire someone who knows security.

    Anything with a computer in it needs to take into account security. If you're putting code into your product and don't know security and aren't hiring someone who does, you're doing it wrong. Medical devices, cars, even Bluetooth toilets. If it communicates with the outside world or is exposed to users who aren't authorized full control over the device, it needs security. If you don't do it, your product is a ticking time bomb waiting for a researcher, if you're lucky, or a malicious attacker, if you aren't, to notice the lack of security. This will keep happening until everyone gets the message.

    1. Re:No surprise by Anonymous Coward · · Score: 3, Interesting

      As someone who has worked on FDA approved medical devices, while the development processes can be a hassle to work with, ultimately they aren't the cause of poor security. What is the cause is that noone is willing to pay for it because a more secure product doesn't cause more checkboxes on the spec sheet to be filled out.

  2. End of Life systems prone to New Attacks= by bigdady92 · · Score: 4, Insightful

    No Shit sherlock.

    Windows XP and Windows 2003 systems are prone to all sorts of horrible security flaws. Reading the Fucking Article I see that the newer, non EOL, equipment isn't prone to any of these problems.

    I wonder how many vulnerabilities are in older Cisco routers that haven't been patched since 2007?

    --
    Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
    1. Re:End of Life systems prone to New Attacks= by aaarrrgggh · · Score: 3, Insightful

      The bulk attacks that are likely enabled by XP/2003 I would agree with you on. However, they are representative of many other problems with brand new Pyxis units from what I hear. The unspoken word seems to be that it is still less vulnerable than the traditional human-centric supply systems. The typical solution is defense in depth, with a key-code door lock to the room and a camera in the room-- so things can be tracked by belt and suspenders in a failure/attack.

    2. Re: End of Life systems prone to New Attacks= by Anonymous Coward · · Score: 3, Informative

      These things sit in the hallways on every floor in my hospital.

  3. War Story on Medical System Security by Salgak1 · · Score: 4, Interesting

    . . . . year or two back, my oldest daughter entered a program to learn the "EPIC" medical records system. Now, admittedly, we're a geekhaus, my daughters were doing computers at age 5, and my youngest managed to hack the oldest by examining her browser cache at age 8.

    But she came back from the first day or two of training, shaking HER head. Not only was there no folder security, but, at least as configured there, every user was an admin.. Each of which could mess with another's files and account settings.

    Worse still, they were being trained at the site where the system was being hosted for production. No physical security. No backup power: in fact, zero redundancy whatsoever. And data backup ? "What's that ?"

    She wrote up a 2-page summary of problems SHE saw (and her training was in Medical Administration, although she DID learn Security from me. . .). She sends it to the POC at the Hospital the system was in the process of being installed for. . . .and the EPIC people dropped her from the course.

    There's a cherry on the top of this Sundae of Fail: she was eventually hired by the Hospital as, surprisingly enough, a Ward Medical Admin. And the IT Department comes to HER for help and suggestions. . . .

  4. Re:This should surprise no one by tnk1 · · Score: 3, Interesting

    I think that's the major issue with medical IT and computing in general. The products are designed to do something, and security is an afterthought. That's made worse because many of the products were designed a long time ago and not updated for various reasons, including a long regulatory approval process to get them to market.

    So you have a supply cabinet that was designed to help with inventory, but now we expect it to be a safe. And the network infrastructure that probably grew ad hoc in the hospitals was just meant to enable interconnection and security only became an eventual concern as attacker capabilities grew. Because the product cycle is so long for medical purposes, they don't react in a timely way to anything, especially something that is not the primary concern of the equipment that is being deployed. So now you have this issue.

    I don't think this is a permanent problem for hospitals, but there will be some sacrificial lambs before the process changes. Once those cases are over, there will be more money put into security at those places.

    Unfortunately, it's just another thing that is likely to raise the cost of medical care because they will continue to be bad at it, but now they'll be trying to compensate for their incompetence by overpaying for security products and services.