Remember in late July when the Food and Drug Administration issued an advisory warning of security flaws in Hospira’s Symbiq smart infusion pumps?
That warning, which was not a mandatory recall or an order to stop using Symbiq pumps, apparently was a long time in the making.
This is chronicled in “Hacking Healthcare,” the cover story in the Nov. 16 issue of Bloomberg Businessweek, which hits newsstands Friday. But infusion pumps are just the tip of the iceberg when it comes to the security of connected medical devices.
The story chronicles the work of a “white hat” hacker, Billy Rios, who was invited with about a dozen others to pick apart the Mayo Clinic’s network in 2013.
Like the printers, copiers and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers. For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions.
They were remarkably successful in breaking into just about everything. Mayo changed many of its security protocols, the story said, but thousands of other hospitals face the same vulnerabilities.
Rios went home and bought a used Symbiq pump online, picking that model only because it was available on eBay for about $100. He’s since acquired lots more medical equipment and hacked most of it.
Some of the flaws were so serious that Rios reported them to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, as well as to the FDA. He found the response lacking.
“The FDA seems to literally be waiting for someone to be killed before they can say, ‘OK, yeah, this is something we need to worry about,’ ” Rios told the magazine.
Hospira denied that the problem was as bad as Rios believes, just as the company, now a part of Pfizer, did after a BlackBerry security expert hacked another Hospira infusion pump live on stage in August.
Some care providers have pushed back as well because new security measures might get in the way of care. It’s hard to scan a fingerprint to open a medication cabinet while wearing gloves to prevent contamination, for example.