Hackers in the Hospital

Innocent-looking bedside computer! (photo: c1.staticflickr.com)

Seven years after Vice President Dick Cheney’s cardiac defibrillator was disconnected from the net to protect him from a wireless attack, hospitals have done little to nothing about the security problems in a myriad of medical equipment and devices, according to a recent Wired article by Kim Zetter. Worse, they seem unaware of the risks.

The defibrillator problem resurfaced in a 2012 episode of Homeland, but the thriller-writing community has yet to explore the full horror of this catastrophe in waiting. The problem? All the old familiars: hard-coded passwords, simple, easily guessed passwords, problem notification features that can be turned off, and lack of authentication systems. With equipment networked to provide medical records with test and x-ray results, placing false information in the record is comparatively easy. Even if equipment and devices aren’t themselves connected to the internet, the easily hacked internal systems they are connected to may be externally accessible—and certainly internally accessible if one employee responds to a phishing attack.

Additional examples of potentially lethal equipment hacks include: changes to morphine or other drug dosages delivered to patients via drug infusion pumps; adjustments to temperature settings on refrigerators that store blood and drugs; and alterations in electronic medical records.

It might be difficult to target specific patients with such rogue equipment and documentation changes, at present, but “random attacks causing collateral damage would be fairly easy to pull off,” the article reports. Some devices, unique to an individual, such as the implantable defibrillators, are targetable now.

Medical thrillers using these vulnerabilities as plot devices might do an inadvertent public service by sensitizing hospitals and the public to the risks.
