Story image

Warnings issued: ‘Hackable’ hospital syringes could be fatal

13 Sep 2017

Many worst fears have been realised after news emerged that specific automated syringes within hospitals are ‘hackable’.

Independent researcher Scott Gayou determined not one but eight vulnerabilities within Smiths Medical’s Medfusion 4000 wireless Syringe Infusion Pump.

What does this mean exactly? The MedFusion 4000 is a popular product that is used commonly on critical care, pediatric, and neonatal patients.

The device is a replacement for manual dosing and is regarded as a ‘safer’ option as it ensures patients get the precise dose required because anything else could be fatal – for example, in newborns.

The report from Scott Gayou was released by the Department of Homeland Security and comes with very specific warnings.

“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorised access and impact the intended operation of the pump,” the report states.

“Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”

Essentially, a skilled hacker could take advantage of the security flaw within the device from anywhere in the world and take over and control it.

The company plans to fix the security flaw and release a new version in 2018, but until then, hospitals have been warned.

Director of Government Relations at McAfee, Gordon Morrison says cybercrime is building as we progress further with the Internet.

“IT and security professionals in healthcare organisations are facing unprecedented pressure – from an increase in demand and complexity of services, to the threat of legacy IT and a number of new compliance issues like GDPR and the Information governance toolkit,” says Morrison.

“Alongside these challenges, hospitals are going through immense digital transformation, with new connected medical devices being introduced to improve the doctor and patient experience.”

Morrison asserts that despite the massive potential of the healthcare Internet of Things, it’s a double-edged sword as many of these devices are prone to hacking, which is putting both hospital networks and the patients themselves at risk.

“It is essential to ensure these devices are not introduced at the expense of the safety of the patient and their data,” says Morrison.

“Achieving this will be twofold: ensuring that the devices are built securely by design and with the necessary security controls in place; as well as a security policy for connected devices in hospitals, to ensure that they can’t access sensitive data and are regularly patched against newly-discovered vulnerabilities.”

Kiwis know security is important, but they're not doing much about it
Only 49% of respondents use antivirus software and even fewer – just 19% -  change their passwords regularly.
Avi Networks: Using visibility to build trust
Visibility, also referred to as observability, is a core tenet of modern application architectures for basic operation, not just for security.
Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Myth-busting assumptions about identity governance - SailPoint
The identity governance space has evolved and matured over the past 10 years, changing with the world around it.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.