Well, gone are the days when you just had to worry about your computer getting hacked! We are at a point now with our technology that any type of device that is smart enough to boot up and connect and talk to a network or the Internet is really up for grabs. And it looks as if researchers have found security vulnerabilities in certain medical infusion pumps. These pumps are common medical device used in hospital wards and ICUs, automatically dispensing a drug directly to a patient over time. Infusion pumps can deliver insulin, painkillers or other medicines that require intermittent or continuous dosing. An interesting thing to note here is how innocent looking the device is – it looks like a stand that simply distributes power and connection to the docking pumps, however turns out it plays quite a critical role and runs a scaled down type operating system or they sometimes call firmware.
WHAT IS MAKING THEM VUNERABLE TO HACKING?
These infusion pumps are essentially little micro computers running a miniature operating system or what they call firmware; which is essentially a software program telling the hardware what to do. AND, if the company who designed the software or firmware disappears or gets absorbed by another company (much like this most recent infusion pump story) then that software does not get updated on a regular basis, making it vulnerable to hacking. And if you go 15 years without updates, it then becomes a nightmare to fix and update.
WHY ARE THESE INFUSION PUMPS SO HARD TO UPDATE OR FIND A FIX?
Often the update mechanism is almost nonexistent or it’s such an analog process. You almost need to connect each and every one of them and manually provide an update. Also, each brand might have different types of firmware designed by different companies and so It’s not something that can be done at a massive scale. Unfortunately, you can’t push out an update over the network or Internet much like you see with your phone, tablet or computer. This lack of standardization mainly then makes it almost impossible to develop a one-size-fits-all security patch if those modules turn out to contain vulnerabilities. Unlike other critical IT assets, connected medical devices are hardly visible in their native IT control systems. Many times the IT teams often cannot even tell how many medical devices are connected, their type, and they lack critical insight of the devices cybersecurity risk status, threats and vulnerabilities. Even more shocking, most hospitals lack the visibility to whether medical devices have been hacked.
WHAT THINGS COULD A HACKER DO?
So the ramification of this vulnerability could be profound. Most concerning is that fact that a hacker can gain access to these devices alter infusion rate or completely stop a pump mid-session. An attacker could, in other words, cause a patient to get far too much or too little of a medication, with a potentially lethal outcomes.
WHATS THE BOTTOM LINE?
It’s a mess and it illustrates the problem of unmanaged embedded IOT (Internet of Things) devices. Its really the tip of the iceberg when it comes to managing the security of embedded smart devices. I keep going back to that old adage: “With great power comes great responsibility”. And its looks as if many of these devices go unpatched and updated creating massive security holes. So, for many people who may never use an infusion pump, if you have any type of smart device that has a connection, either wired or wireless to a network or the Internet (like a TV, game console, watch, washing machine, a car, or a toaster even, and it is not nagging you to update, you might want to find out how to update it. The longer you leave a smart device without an update the greater chance you have of getting compromised.