As the Internet of Things (IoT) penetrates healthcare at a fast clip, concern is mounting across the health IT world about the security vulnerabilities of connected devices such as hospital infusion pumps.
“White hat” hackers have already completed relatively easy attacks on IoT-enabled medical devices. A particularly chilling real-time attack on a morphine-delivering hospital pump, seen in this video, was performed by white hat hacker Graham Murphy at the BlackBerry Security Summit in New York on July 23.
Murphy, a security researcher for BlackBerry Ltd. (the famous onetime smartphone leader that has in recent years morphed into an enterprise security company), and BlackBerry Chief Security Officer David Kleidermacher showed a live audience quite clearly how it was done.
Of course, the pump wasn’t loaded with real morphine, but rather a dark liquid meant to represent the powerful painkiller, which can be fatal in large doses.
Murphy, standing next to the pump and a technician, and armed with a laptop, simply connected the laptop to the Ethernet port on the pump and located the device’s IP address.
Once inside the unencrypted device, Murphy quickly found its wireless login information password, meaning he could have been controlling the pump from elsewhere in the hypothetical healthcare system network.
He then just as quickly installed his own malware, took over the pump and upped the “morphine” dose. A lot of the dark liquid started dripping out; before Murphy attacked, the machine had been delivering only a drop.
“You kill[ed] the patient,” Kleidermacher exclaimed. “Not only can Graham affect the health of the patient connected to the pump, he now uses his powerful computer to explore the rest of the care network and possibly take over other parts of the network and possibly affect the health of all of the patients in the hospital.”
As for Murphy, he said the device is so unprotected, without encryption, authentication or even a secure password, that the hacker’s work is easy.
“You find a way in, you poke around,” he said.
His laptop, he said, “becomes the attack system.”
The two BlackBerry employees emphasized they did the hack to educate the public about the vulnerability of IoT devices in healthcare and the importance of taking strong security measures, not to encourage hackers.
Most likely, malicious, criminal or state-sponsored hackers already know how to do it anyway.