As part of a wide-ranging, two-year-long attack, hackers managed to breach the systems of a number of hospitals, exposing critical patient systems to wide-ranging attacks. Luckily, the hacks were just a drill, but the flaws exposed are scary as hell.
In a paper published by Independent Security Evaluators, white-hat penetration testers examined the systems of 12 hospitals, two data centers, and some specific medical hardware. Using a variety of classic techniques—dropping infected USB drives next to computer terminals, or just plugging into publicly-accessible ports—the researchers gained control over some critical systems.
Most scarily, they found a way into patient monitors, which they could force to change at will—displaying false alarms or incorrect readings, which could easily lead to fatal treatment being given to patients. The team also found a way into the drug dispensary system, which could give the wrong medication to patients.
The prospect of a hack simply shutting down hospitals is scary enough on its own, but the paper demonstrates a malicious hacker could actively toy with equipment to kill patients.
Equally bad are the flaws that enabled the hack: it’s not one specific problem, but rather a systematic lack of good software and security policy that leaves innumerable gaping holes.
Hospital hacking isn’t new, but until now we’ve mostly been lucky enough that hackers go after data—there’s not much money to be made (yet) in killing patients. But with hospitals so easy to attack, and the stakes so high, it’s probably just a matter of time.