Security Testers Managed to Hack Hospital Patient Monitors and Drug Dispensers


As part of a two-year-long simulated attack, hackers managed to breach the systems of a number of hospitals, exposing critical patient systems to a wide range of attacks. Luckily, the hacks were just a drill, but the flaws exposed are scary as hell.


In a paper published by Independent Security Evaluators, white-hat penetration testers examined the systems of 12 hospitals, two data centers, and some specific medical hardware. Using a variety of classic techniques—dropping infected USB drives next to computer terminals, or just plugging into publicly-accessible ports—the researchers gained control over some critical systems.

Most scarily, they found a way into patient monitors, whose readings they could alter at will—displaying false alarms or incorrect values, which could easily lead to fatal treatment being given to patients. The team also found a way into the drug dispensary system, which could be made to give the wrong medication to patients.

The prospect of a hack simply shutting down hospitals is scary enough on its own, but the paper demonstrates a malicious hacker could actively toy with equipment to kill patients.

Equally bad are the flaws that enabled the hack: it’s not one specific problem, but rather a systematic lack of good software and security policy that leaves innumerable gaping holes.

Hospital hacking isn’t new, but until now we’ve mostly been lucky enough that hackers go after data—there’s not much money to be made (yet) in killing patients. But with hospitals so easy to attack, and the stakes so high, it’s probably just a matter of time.

[Security Evaluators via The Register]




One thing I’d like to call out from their article: they note that they are working on a proof of concept to make a medication dispensing system dispense the wrong medication. I presume they’re just changing the location and value for where a specific type of medication is (eg, pill X is in pocket 3 instead of pocket 1).

If a facility is using “bedside medication verification”, this attack gets partially mitigated in that yes, the pharmacy system spits out pill Y instead of pill X, but when it’s barcode scanned at the bedside, the computer will say “wrong pill, do not administer”, which, in a competent facility, will prompt the nurse to stop the line and call Pharmacy to verify...

I think the worse thing that could happen is injecting HL7 transaction messages into various systems. HL7 is the message standard systems typically use to exchange data between them and contains things like orders, results, admission data, and so on. If one wanted to be evil, they could flood an ancillary system with extraneous messages and cause a DoS attack on that system. Even as few as 100 messages could cause an impact to a department (eg, 100 new X-ray orders piling up on a radiologist technician’s worklist, or the lab having a couple hundred specimen labels suddenly print out with orders to collect them).

You could craft HL7 messages to administer additional medications to a patient, but again, the BMV scan will fail because the patient didn’t have that med in their order history in the EMR, which is its own system and doesn’t take pharmacy orders inbound. ;)
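The two defensive points the comment above makes (a flood of HL7 order messages can swamp a department, and bedside medication verification against the EMR catches a pill the pharmacy should not have dispensed) can be modelled in a few dozen lines. The following is an added example, not code from the article, the ISE paper, or the commenter. It parses HL7 v2 messages using the standard field positions (MSH-4 sending facility, MSH-7 timestamp, MSH-9 message type, MSH-10 control id, PID-3 patient id, RXO-1 requested give code); the facility name, MRN, medication codes, control ids, and the alert threshold of 100 orders per 60 seconds are all constructed assumptions for the demo, as is the simplification that the EMR keeps its own order list that pharmacy-side messages do not update.

```python
"""Added example: defender-side checks on HL7 v2 order traffic.
Assumed/constructed: facility names, MRNs, NDC-style med codes, control ids,
and the burst threshold. Field positions follow HL7 v2."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_hl7(raw):
    """Parse one HL7 v2 message into {segment: [field list, ...]} so that
    fields[n] is field n of that segment. MSH-1 is the separator itself, so it
    is re-inserted to keep MSH numbering consistent with other segments."""
    lines = [s for s in raw.replace("\r\n", "\n").replace("\r", "\n").split("\n") if s]
    if not lines or not lines[0].startswith("MSH"):
        raise ValueError("HL7 message must begin with an MSH segment")
    sep = lines[0][3]  # the field separator is the 4th character of MSH
    msg = defaultdict(list)
    for seg in lines:
        fields = seg.split(sep)
        if fields[0] == "MSH":
            fields.insert(1, sep)
        msg[fields[0]].append(fields)
    return msg


def make_orm(control_id, when, facility, mrn, med_code):
    """Construct a minimal ORM^O01 (new order) message for the demo."""
    stamp = when.strftime("%Y%m%d%H%M%S")
    return "\r".join([
        f"MSH|^~\\&|PHARMACY|{facility}|LAB|{facility}|{stamp}||ORM^O01|{control_id}|P|2.3",
        f"PID|1||{mrn}^^^MRN||DOE^JANE",
        f"ORC|NW|{control_id}",
        f"RXO|{med_code}^CONSTRUCTED MED^NDC|1||TAB",
    ])


class OrderBurstDetector:
    """Sliding-window count of new-order (ORM) messages per sending facility.
    observe() returns an alert string once the window count exceeds the limit."""

    def __init__(self, max_orders=100, window_seconds=60):
        self.max_orders = max_orders  # assumed threshold for the demo
        self.window = timedelta(seconds=window_seconds)
        self.recent = defaultdict(deque)

    def observe(self, raw):
        msh = parse_hl7(raw)["MSH"][0]
        if not msh[9].startswith("ORM"):
            return None
        ts = datetime.strptime(msh[7][:14], "%Y%m%d%H%M%S")
        facility = msh[4]
        q = self.recent[facility]
        q.append(ts)
        while ts - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > self.max_orders:
            return f"ALERT {facility}: {len(q)} new orders in {self.window.seconds}s (ctrl id {msh[10]})"
        return None


def bedside_verify(emr_orders, mrn, scanned_med):
    """BMV step: the scanned med must appear in the patient's EMR order history."""
    if scanned_med in emr_orders.get(mrn, set()):
        return "administer"
    return "wrong pill, do not administer - call pharmacy"


def burst_demo(count, spacing_seconds):
    """Feed `count` constructed orders `spacing_seconds` apart from one
    facility; return how many of them raised an alert."""
    det = OrderBurstDetector()
    base = datetime(2016, 2, 23, 14, 15, 0)
    alerts = 0
    for i in range(count):
        when = base + timedelta(seconds=i * spacing_seconds)
        if det.observe(make_orm(f"CTRL{i:05d}", when, "HOSP-A", "12345", "NDC-0001")):
            alerts += 1
    return alerts


def injected_order_demo():
    """An order fed straight to the pharmacy (bypassing the EMR) gets dispensed,
    but the bedside scan, checked against the EMR's own list, rejects it."""
    emr_orders = {"12345": {"NDC-0001"}}  # constructed: what the EMR actually holds
    injected = parse_hl7(make_orm("INJ00001", datetime(2016, 2, 23, 14, 20), "HOSP-A", "12345", "NDC-0002"))
    dispensed = injected["RXO"][0][1].split("^")[0]  # pharmacy fills what it was told
    mrn = injected["PID"][0][3].split("^")[0]
    return bedside_verify(emr_orders, mrn, dispensed)


if __name__ == "__main__":
    print("burst alerts:", burst_demo(120, 0.5))   # 120 orders in about a minute
    print("normal alerts:", burst_demo(10, 60))    # one order a minute
    print("injected order at bedside:", injected_order_demo())
```

The burst detector keys on the sending facility so a trickle from each of several departments is not lumped together; in practice the window and limit would be tuned per message type and per interface, and the alert would go to the interface engine's monitoring rather than to stdout. The bedside check is deliberately keyed on the EMR's order list and not on what the pharmacy sent, which is exactly why the comment's BMV scan fails closed.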