
It’s Easy to Hack Hospital Equipment - ghosh
http://www.wired.com/2014/04/hospital-equipment-vulnerable/
======
mentalhealth
_“Many hospitals are unaware of the high risk associated with these devices,”_

I assure you that while this is the hospital's official stance, many people
within the hospital are well aware of the shoddy software on their medical
devices and the risks they pose. There are so many opportunities for
disruption of every aspect of the healthcare system (from the equipment
itself, that this article addresses, to the electronic medical records
systems, to more structural aspects of the healthcare system as a whole), but
literally none of the incentives for practitioners and hospital administrators
are properly aligned to make it possible. I'd love to work with a company
trying to break into these markets if they had a plausible route to entry.

~~~
baldfat
TL&DR Regulations need to require interoperability and cross-platform with
medical records and images.

As a "Cancer Dad" the electronic medical records and images that are closed
and inaccessible between my local hospital where we got our chemotherapy and
the Children's Hospital where we did our major surgeries was mind blowingly
crazy.

I had to drive my bone cancer child 2.5 hours to use their equipment because
there was an issue with the image file format. So I had to give my child
enough pain killers to knock out a grown adult just so we could get the same
pictures we could get 5 miles down the road.

~~~
commandar
As somebody working in healthcare integration, this may be small consolation,
but it that's getting better.

The HITECH act[1] (which was part of the stimulus package in 2009) has gone a
long way in getting the industry moving. One of the core deadlines we're
scrambling to meet at the moment at my hospital is actually data interchange
between facilities, including a portal that allows patients to access their
records for themselves.

I realize that doesn't help your situation now, but with Medicare penalties
looming for _not_ getting that sort of exchange in place, things are starting
to happen quickly in an industry that tends to move at a snail's pace.

[http://en.wikipedia.org/wiki/HITECH_Act#Electronic_Health_Re...](http://en.wikipedia.org/wiki/HITECH_Act#Electronic_Health_Records_.28EHR.29)

~~~
HillRat
Out of curiosity, which HL7 CDAs (and which levels) do you support, and how
much lift is it to set up import/export for a new provider or institution?

I'm pessimistic that we'll be able to achieve true level 3 interoperability,
even though the basic ontologies (e.g., SNOMED, LOINC, etc) are in place. I'd
love to hear that you're having a good experience, though.

~~~
commandar
Honestly, that end of things is kind of out of my element; I'm mostly involved
in the message plumbing side of things.

Our actual HIE integration has been contracted out to Relay Health/McKesson.
They're promising the world, but we're not far enough along for me to say
whether they'll actually deliver at this point.

------
hessenwolf
To be a dash risk managementy about it;

(Risk of being hacked) x (severity of being hacked) << (Risk of software not
delivered) x (severity of not delivered).

(Risk of being hacked): Small.

(Severity of being hacked): Very negative, but localised most likely to a
single machine, set of machines, or hospital.

(Risk of Software not Delivered): Pretty high if we go super-security. We are
on a budget. There is competition. Who is paying for it?

(Severity of not delivered): Failure to cure at every hospital for every
machine.

So, yes, there is a cost, but the benefit of ignoring security, for some sets
of numbers on the above, could conceivably exceed it.

~~~
bhartzer
What are the chances that someone would actually doing the hacking? I don't
see any monetary reason to do so. Maybe that's one reason why we haven't seen
many reports of people hacking medical devices?

~~~
kamkazemoose
It could be done as a murder for hire, or as a terrorist event. It's possible
some hackers would do it 'for the lulz' or maybe they just want to test out a
hack and accidentally go to far, though these are more unlikely. And there is
also extortion, maybe you find everyone that has a vulnerable pacemaker, and
demand they pay you or else you stop their heart. Criminals are clever, if
they find a way to attack people they can often exploit it.

~~~
bhartzer
I know they can do it, but how many times has it been tried or actually
reportedly been done?

------
Robin_Message
_They also found surgery robots connected to internal networks. Although the
robots generally have software firewalls to block connections to them, Erven
and his team found that simply running an off-the-shelf vulnerability scanner
against the firewall caused it to turn off and fail open._

Wow, just wow.

If someone ever hacks an active surgery robot it's going to be _Saw_ meets
_Snow Crash_ , and not in a good way.

~~~
FLUX-YOU
And with some hospitals still running Win XP, it's easy to get a foothold on
their network!

~~~
bcostlow
I'm working in that space, and sampling from the ones I've dealt with, I'd
replace some with most.

Some of the ones I deal with are also running those XPs with old IE versions,
6 & 7\. This is because they bought, then never upgraded, systems that won't
run right with newer browsers.

------
anigbrowl
_Although vendors often tell customers they can’t remove hard coded passwords
from their devices or take other steps to secure their systems because it
would require them to take the systems back to the FDA for approval afterward,
Erven points out that the FDA guidelines for medical equipment includes a
cybersecurity clause that allows a post-market device to be patched without
requiring recertification by the FDA._

These are the same people that have been complaining about how awful it is
that the Affordable Care Act imposes a medical device tax. Maybe if they
weren't so cavalier about deceiving their customers regulation and
certification wouldn't cost as much as it does.

~~~
EpicEng
I think you have to always assume that people can't be trusted to do the right
thing when it comes to lives of others. The FDA has to employ policies which
gives us a reasonable confidence that a vendor's device/test/whatever is safe
and effective.

Disclaimer: I have worked on FDA cleared medical devices my entire career.

~~~
dllthomas
I think most of the time you _can_ trust people to do the right thing when it
comes to the lives of others, _when_ the right thing is sufficiently clear,
_when_ the fact that it involves the lives of others is sufficiently salient,
and _when_ there are not enormous incentives to do otherwise.

~~~
EpicEng
I'm not sure you took my meaning. Even if what you say is true, a regulating
body must view everyone with skepticism. They have to walk into an
audit/filing review with a "prove it to me" attitude else risk doing real harm
to people.

~~~
dllthomas
I don't know that that's wrong. The two views are certainly compatible.

------
Cthulhu_
The thing with equipment like this is that security isn't a priority; "who
would hack medical equipment?". A lack of high-profile cases where medical
equipment was actively hacked is also not giving any incentive to fix these
issues.

Worst case, these exploits will suddenly be used to disable or cripple
hospitals in case of dirty wars and terrorist campaigns. If the latter is
still a problem.

~~~
forgottenpass
Your comment is a few years out of date. The FDA has recently started caring,
and there are high-enough profile cases to be on the industry's radar.

It'll continue to be a mess for years to come, the introduction of new medical
hardware and software is slow and I don't know how they plan to handle already
deployed items. But not exactly for the reasons you state.

------
bane
In general the security on the equipment is because hideously high acquisition
costs keeping most hobbyists out of fooling around with it. And most places
with the equipment won't let somebody sit there and fool around with it. It's
not quite security through obscurity, but more like security through expense.

~~~
mbesto
I'm pretty sure this has less to do with high acquisition costs and more to do
with the fact that you can basically kill someone if you start tinkering with
hospital equipment.

------
ossama
Scary, but this isn't surprising at all. What the hardware does in these cases
is more important than the software that runs it. Couple that with devices
that sell in relatively small quantities for high cost, and you get
undertested, unstressed software.

------
gaurav_godhwani
This is a serious concern, Government and NGOs should come together for
ensuring proper security of hospital and healthcare systems and software.
Also, any kind of data breach can result into national level threats.

------
kijin
How many of these devices are still running Windows XP?

Weak default passwords on the web interface is just the icing on the cake, the
low-hanging fruit. The entire networking stack is likely to be riddled with
unpatched vulnerabilities for anyone to exploit.

Relative obscurity and physical security are probably the only things that
stand between hospital equipment and certain disaster.

~~~
FLUX-YOU
>Relative obscurity and physical security are probably the only things that
stand between hospital equipment and certain disaster.

Even then, you can pop on a pair of scrubs and avoid most scrutiny. Keycard
systems are there, but those aren't difficult. Sometimes the operating area
doesn't have cameras and the area surrounding the 2 million dollar daVinci
machines are deserted.

~~~
commandar
>Even then, you can pop on a pair of scrubs and avoid most scrutiny. Keycard
systems are there, but those aren't difficult. Sometimes the operating area
doesn't have cameras and the area surrounding the 2 million dollar daVinci
machines are deserted.

I can confirm this.

I can also confirm that those daVinci machines are way less impressive looking
in person than they are plastered on roadside billboards. :)

------
yitchelle
This kind of problems is going to be more prominent as "Internet of Things"
starts to take off. I was rather concern about Nest, our cars, Fridges etc
being connected to the Internet and, on some devices, the security is quite
low. This article is shows an example of it.

~~~
commandar
This is one of the reasons why, as a rule, biomed devices that directly
interact with a patient are never connected to the public internet.

~~~
TheLoneWolfling
Which works until one of the devices networked with said biomed device uses a
wireless link and someone brings in a cell phone.

Airgaps are _really_ hard to do correctly, as they have so many single points
of failure.

------
hhsnopek
I've been going to my local Defcon group for almost 2 years, and this isn't
the first time this has been discovered. It's insane what could be done with
the old tech in hospitals.

------
jacquesm
There is much lower hanging fruit (scada systems).

[http://en.wikipedia.org/wiki/SCADA](http://en.wikipedia.org/wiki/SCADA)

I've seen a couple that used unencrypted UDP with bitfields representing the
state of solenoids. Imagine what sending a series of all '1' and all '0'
packets would do in terms of damage and panic.

------
nnnnni
Definitely not a surprise. I once had to hack a piece of medical equipment in
order to make it print to a printer that was manufactured within the previous
decade. The only one that it "officially supported" was from about 15 years
before that day. The OS version (patches/updates included) was also that old.

------
snake_plissken
Why does some of this stuff need be connected to a network? How often does a
surgery robot need an OTA update?

------
akama
I was actually at the conference talk this guy gave about the subject last
week and was talking to him about it the night before. If anyone has questions
I can attempt to answer them.

Also interesting to think about is if these devices are getting hacking and
people are blaming it on malfunctions.

------
scrabble
In a recent hospital visit I noticed that the equipment in the room I was in
had bluetooth connectivity enabled. And in fact had all the details you needed
to connect to them via bluetooth taped to the sides of the machines. That made
me a little worried.

------
peterfisher
I guess no one listens to unencrypted pager traffic?

------
shmageggy
Why was the title changed _away_ from the original? This is getting too
confusing.

It used to read like the actual title: "It’s Insanely Easy to Hack Hospital
Equipment"

~~~
kijin
Calm down, they just removed an adverb whose only function was to exaggerate.

~~~
ASneakyFox
What's the point of rules if you don't follow them? So what if some one feels
"insanely" exagerates it. Its the journalists opinion that it is insanely
easy. That should be the title. I don't care if an hn moderator feels it is
insanely easy or just easy to hack a hospital.

IF he has an opinion on the difficulty to hack topic there is a comment
section. The op is not a comment section for mods

~~~
pbhjpbhj
Hear, hear!

