Can Your Hospital Be Hacked?

RxQuick answer:  Yes it can!  A recent article in Bloomberg goes deeply into this subject, and reveals the experiences of a white hat hacker named Billy Rios.  Billy and many others in the profession had been hired by the Mayo Clinic in Rochester Minnesota in 2013 to try to hack all the medical devices in the hospital that were connected to the network.  These days, this is just about everything, from infusion pumps, to heart monitors, to MRI and ultrasound equipment.

The outcome was rather bleak, almost all of these machines were taken easily.  The issue of course is that someone could theoretically take control of something like an infusion pump that is delivering pain medication such as morphine, and increase the dosage to kill the patient.  What we know of course is that this years outlandish fantasy is next years successful exploit.

When Billy ran this issue up the flagpole at the Department of Homeland Security and the Food and Drug Administration, of course he was met with disinterest.

But this is just an extension of the problems we are all facing in the Internet of Things world we are creating.  Most of these cute and handy devices have little if any security baked into them, and can be taken over for malicious purposes, or simply hijacked to be used in a worldwide botnet.  We need to insist that these devices are secure out of the box.  At this point in time, this is not likely to be the case.  I suppose someone is going to push for government regulation, but the Bloomberg article revealed just how well that was going to work.  What needs to happen is for manufacturers to step up to the plate and make these devices secure from the get-go.

0

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
  Related Posts

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.