{"id":4208,"date":"2016-04-04T11:44:05","date_gmt":"2016-04-04T18:44:05","guid":{"rendered":"http:\/\/codecurmudgeon.com\/wp\/?p=4208"},"modified":"2016-04-04T11:44:05","modified_gmt":"2016-04-04T18:44:05","slug":"hacking-medical-devices","status":"publish","type":"post","link":"https:\/\/codecurmudgeon.com\/wp\/2016\/04\/hacking-medical-devices\/","title":{"rendered":"Hacking: Medical Devices"},"content":{"rendered":"<p><a href=\"http:\/\/codecurmudgeon.com\/wp\/hospital-dreamstime_s_59693686\/\" rel=\"attachment wp-att-4210\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/codecurmudgeon.com\/wp\/wp-content\/uploads\/2016\/03\/hospital-dreamstime_s_59693686-300x225.jpg\" alt=\"Hospital building\" width=\"300\" height=\"225\" class=\"alignright size-medium wp-image-4210\" srcset=\"https:\/\/codecurmudgeon.com\/wp\/wp-content\/uploads\/2016\/03\/hospital-dreamstime_s_59693686-300x225.jpg 300w, https:\/\/codecurmudgeon.com\/wp\/wp-content\/uploads\/2016\/03\/hospital-dreamstime_s_59693686-768x577.jpg 768w, https:\/\/codecurmudgeon.com\/wp\/wp-content\/uploads\/2016\/03\/hospital-dreamstime_s_59693686.jpg 800w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a>You have control over your own body, right? Well, scary scenarios\u00a0in the healthcare industry are increasing in\u00a0awareness. In the past, with the growth of technology, hacking was just for computers, but now it is expanding to other devices including medical ones. 
This is not technically \u201ccyber crime\u201d, but <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> easily turn into it when it falls into the wrong hands, so I\u2019m going to cover it anyway.<\/p>\n<p><span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-21\">Internet of Things<\/span> (<span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10021\">IoT<\/span>): \u201crefers to scenarios where network connectivity and computing capability extends to objects, sensors and everyday items not normally considered computers, allowing these devices to generate, exchange and consume data with minimal human intervention. There is, however, no single, universal definition\u201d (Internet Society, 2015).<\/p>\n<p>The <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10021\">IoT<\/span> is an important part of the healthcare industry (recently the term Internet of Healthcare Things, IoHT, was coined by medical field personnel). Examples include heart rate monitors, pacemakers, medicine drips, MRI, etc., all of which connect to the Internet and record information. As most of us know, objects that are connected to the Internet or have computer-type technology <a href=\"\/wp\/iot-hall-shame\/\" title=\"Internet-of-Things Hall-of-shame on hacked IoT devices\">can be hacked<\/a>. In one example, two men in Austria hacked their morphine\u00a0pump while admitted to the hospital to boost the dosage (Sarvestani, 2014). This resulted in one going into respiratory arrest and both men becoming addicted to morphine (Sarvestani, 2014). 
They were able to achieve this by retrieving the machine\u2019s control codes online; this information can typically be found in the device manuals that are posted online for user reference.<a href=\"http:\/\/codecurmudgeon.com\/wp\/iot-hall-shame\/hospira-lifecare-pca-pump\/\" rel=\"attachment wp-att-3689\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/codecurmudgeon.com\/wp\/wp-content\/uploads\/2016\/02\/Hospira-LifeCare-PCA-pump.jpg\" alt=\"Hospira LifeCare PCA pump\" width=\"248\" height=\"248\" class=\"alignright size-full wp-image-3689\" \/><\/a><\/p>\n<p>A more streamlined, dangerous version of the morphine pump hack is what is known as <a href=\"http:\/\/www.computerworld.com\/article\/2932371\/cybercrime-hacking\/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html\" target=\"news\" title=\"Hackers hijacking medical devices\">MEDJACK<\/a>. MEDJACK is a \u201cmedical device hijack\u201d (Carman, 2015). How is this done? Don\u2019t these hospitals have firewalls and preventative measures for stuff like this? Yes and no. While the network itself and its computers are protected by firewalls and other security measures, the devices themselves are not secured. According to Ashley Carman at SC Magazine, \u201cattackers maneuver through healthcare systems\u2019 main networks by initially exploiting outdated and unpatched medical devices, such as an X-ray scanner or blood gas analyzer. They build backdoors into the systems through these internet-connected devices\u201d (2015).<\/p>\n<p>Another way that this is done is through a tool known as <a href=\"https:\/\/www.shodan.io\/\" target=\"shodan\">Shodan<\/a> that is \u201cused to scan open ports on the internet is often used by security researchers to uncover critical exposed infrastructure that should be better protected\u201d (Murdock, 2016). 
According to a Kaspersky researcher in Jason Murdock\u2019s article,\u00a0\u201c[Shodan] <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> find out about the hardware and software connected [to the internet] and if you know, for example, what feedback an MRI or laser or cardiology device gives when you connect to its port, you <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> go to Shodan and find hundreds of these devices and if you know a <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-12\">vulnerability<\/span> you <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> hack all of them\u201d (2016).<\/p>\n<p><a href=\"http:\/\/codecurmudgeon.com\/wp\/iot-hall-shame\/istan-medical-mannequin\/\" rel=\"attachment wp-att-3681\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/codecurmudgeon.com\/wp\/wp-content\/uploads\/2016\/02\/istan-medical-mannequin-300x72.png\" alt=\"istan medical mannequin\" width=\"300\" height=\"72\" class=\"alignright size-medium wp-image-3681\" srcset=\"https:\/\/codecurmudgeon.com\/wp\/wp-content\/uploads\/2016\/02\/istan-medical-mannequin-300x72.png 300w, https:\/\/codecurmudgeon.com\/wp\/wp-content\/uploads\/2016\/02\/istan-medical-mannequin-768x185.png 768w, https:\/\/codecurmudgeon.com\/wp\/wp-content\/uploads\/2016\/02\/istan-medical-mannequin.png 988w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a>Unfortunately, it gets worse. Pacemakers, including ones that are fully installed, are now on the list of hackable equipment. Students at the University of South Alabama hacked into iStan, a simulated human being device (Storm, 2015). iStan has\u00a0\u201cinternal robotics that mimic human cardiovascular, respiratory and neurological systems. 
When iStan bleeds, his blood pressure, heart rate and other clinical signs change automatically.\u201d iStan, which is used by USA\u2019s College of Nursing, breathes, bleeds from two locations, cries, secretes bodily fluids, speaks, groans, wheezes, gags, gasps, coughs and mumbles\u201d (Storm, 2015) allowing it to fully respond as a human being. These students hacked into the iStan and were able to launch a brute force attack and denial of service (<span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10024\">DoS<\/span>) attacks, which interfered with the device\u2019s ability to function and in turn \u201ckilled\u201d iStan (Storm, 2015). Another source discussing pacemaker hacking is Tarun Wadhwa on Forbes. Wadhwa discussed how pacemakers are vulnerable:<\/p>\n<blockquote><p>\u201cImplanted devices have been around for decades, but only in the last few years have these devices become virtually accessible.\u00a0 While they allow for doctors to collect valuable data, many of these devices\u00a0<a href=\"http:\/\/www.theregister.co.uk\/2011\/10\/27\/fatal_insulin_pump_attack\/\" target=\"news\">were distributed<\/a>\u00a0without any type of encryption or defensive mechanisms in place.\u00a0 Unlike a regular electronic device that <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> be loaded with new firmware, medical devices are embedded inside the body and require surgery for \u201cfull\u201d updates.\u00a0 One of the greatest constraints to adding additional security features is the very limited amount of battery power available\u201d (2012)<\/p><\/blockquote>\n<p>Thankfully though, there has been no recorded incident of intended harm to another individual (and a very small number of incidents of harm to oneself) through medical device hacking. The basics? 
If you <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span>, do some research into the devices being used in your hospital room to see what vulnerabilities are available on the web (through how-to\u2019s, videos, device manuals, etc.) and, if at all possible, stay healthy to avoid the hospital. I wish this for everyone!<\/p>\n<h5><em>(THIS POST IS NOT INTENDED TO INDUCE FEAR, ANGER, OR ANY OTHER EMOTION TOWARDS MEDICAL PERSONNEL, STAFF, HOSPITALS, IT STAFF, EQUIPMENT DEVELOPMENT, OR OTHER GROUP OF INDIVIDUALS HANDLING, PRODUCING, USING, UPDATING, OR INVOLVED IN MEDICAL DEVICES)<\/em><\/h5>\n<p>[Editor\u2019s note: Maybe it SHOULD though&#8230; induce fear that is. -The Code Curmudgeon]<\/p>\n<h2>References:<\/h2>\n<p>Carman, A. (2014, June 4). \u2018MEDJACK\u2019 tactic allows cyber criminals to enter healthcare networks undetected.\u00a0<em>SC Magazine.\u00a0<\/em>Retrieved from\u00a0<a href=\"http:\/\/www.scmagazine.com\/trapx-profiles-medjack-threat\/article\/418811\/\" target=\"news\">http:\/\/www.scmagazine.com\/trapx-profiles-medjack-threat\/article\/418811\/<\/a><\/p>\n<p>Internet Society. (2015, October). The <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-21\">Internet of Things<\/span>: An overview.\u00a0<em>InternetSociety.org.\u00a0<\/em>Retrieved from\u00a0<a href=\"https:\/\/www.internetsociety.org\/sites\/default\/files\/ISOC-IoT-Overview-20151014_0.pdf\" target=\"news\">https:\/\/www.internetsociety.org\/sites\/default\/files\/ISOC-IoT-Overview-20151014_0.pdf<\/a><\/p>\n<p>Murdock, J. (2016, February 15). 
How a security researcher easily hacked a hospital and its medical devices.\u00a0<em>International Business Times.\u00a0<\/em>Retrieved from\u00a0<a href=\"http:\/\/www.ibtimes.co.uk\/how-security-researcher-easily-hacked-hospital-its-medical-devices-1544002\" target=\"news\">http:\/\/www.ibtimes.co.uk\/how-security-researcher-easily-hacked-hospital-its-medical-devices-1544002<\/a><\/p>\n<p>Sarvestani, A. (2014, August 15). Hospital patient hacks his own morphine pump.\u00a0<em>MassDevice.com On Call.\u00a0<\/em>Retrieved from\u00a0<a href=\"http:\/\/www.massdevice.com\/hospital-patient-hacks-his-own-morphine-pump-massdevicecom-call\/\" target=\"news\">http:\/\/www.massdevice.com\/hospital-patient-hacks-his-own-morphine-pump-massdevicecom-call\/<\/a><\/p>\n<p>Storm, D. (2015, September 8). Researchers hack a pacemaker, kill a man(nequin).\u00a0<em>Computer World.\u00a0<\/em>Retrieved from\u00a0<a href=\"http:\/\/www.computerworld.com\/article\/2981527\/cybercrime-hacking\/researchers-hack-a-pacemaker-kill-a-man-nequin.html\" target=\"news\">http:\/\/www.computerworld.com\/article\/2981527\/cybercrime-hacking\/researchers-hack-a-pacemaker-kill-a-man-nequin.html<\/a><\/p>\n<p>Wadhwa, T. (2012, December 6). Yes, you <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> hack a pacemaker (and other medical devices too).\u00a0<em>Forbes.\u00a0<\/em>Retrieved from\u00a0<a href=\"http:\/\/www.forbes.com\/sites\/singularity\/2012\/12\/06\/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too\/#5ab6b78313e0\" target=\"news\">http:\/\/www.forbes.com\/sites\/singularity\/2012\/12\/06\/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too\/#5ab6b78313e0<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>You have control over your own body, right? Well, scary scenarios\u00a0in the healthcare industry are increasing in\u00a0awareness. 
In the past, with the growth of technology, hacking was just for computers, but now it is expanding to other devices including medical ones. This is not technically \u201ccyber crime\u201d, but can easily turn into it when it [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[158,4],"tags":[131,123,157,25,156,137],"class_list":["post-4208","post","type-post","status-publish","format-standard","hentry","category-medical","category-security","tag-appsec","tag-cybersecurity","tag-fda","tag-hacking","tag-medical","tag-security"],"_links":{"self":[{"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/posts\/4208","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/comments?post=4208"}],"version-history":[{"count":13,"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/posts\/4208\/revisions"}],"predecessor-version":[{"id":4226,"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/posts\/4208\/revisions\/4226"}],"wp:attachment":[{"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/media?parent=4208"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/categories?post=4208"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/tags?post=4208"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{re
l}","templated":true}]}}