As part of a wide-ranging, two-year-long attack, hackers managed to breach the systems of a number of hospitals, exposing critical patient systems to wide-ranging attacks. Luckily, the hacks were just a drill, but the flaws exposed are scary as hell.
In a paper published by Independent Security Evaluators, white-hat penetration testers examined the systems of 12 hospitals, two data centres and some specific medical hardware. Using a variety of classic techniques — dropping infected USB drives next to computer terminals, or just plugging into publicly-accessible ports — the researchers gained control over some critical systems.
Most scarily, they found a way into patient monitors, which they could force to change at will — displaying false alarms or incorrect readings, which could easily lead to fatal treatment being given to patients. The team also found a way into the drug dispensary system, which could give the wrong medication to patients.
The prospect of a hack simply shutting down hospitals is scary enough on its own, but the paper demonstrates a malicious hacker could actively toy with equipment to kill patients.
Equally bad are the flaws that enabled the hack: it’s not one specific problem, but rather a systematic lack of good software and security policy that leave innumerable gaping holes.
Hospital hacking isn’t new, but until we’ve mostly been lucky enough that hackers go after data — there’s not much money to be made (yet) in killing patients. But with hospitals so easy to attack, and the stakes so high, it’s probably just a matter of time.