Warnings issued: ‘Hackable’ hospital syringes could be fatal

13 Sep 2017

Many people's worst fears have been realised after news emerged that specific automated syringes within hospitals are ‘hackable’.

Independent researcher Scott Gayou identified not one but eight vulnerabilities within Smiths Medical’s Medfusion 4000 wireless Syringe Infusion Pump.

What does this mean exactly? The Medfusion 4000 is a popular product that is commonly used on critical care, pediatric, and neonatal patients.

The device is a replacement for manual dosing and is regarded as a ‘safer’ option because it ensures patients get the precise dose required. For some patients, such as newborns, anything else could be fatal.

The report from Scott Gayou was released by the Department of Homeland Security and comes with very specific warnings.

“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorised access and impact the intended operation of the pump,” the report states.

“Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”

Essentially, a skilled hacker could take advantage of the security flaw within the device from anywhere in the world and take control of it.

The company plans to fix the security flaw and release a new version in 2018, but until then, hospitals have been warned.

Director of Government Relations at McAfee, Gordon Morrison, says cybercrime is building as we progress further with the Internet.

“IT and security professionals in healthcare organisations are facing unprecedented pressure – from an increase in demand and complexity of services, to the threat of legacy IT and a number of new compliance issues like GDPR and the Information Governance Toolkit,” says Morrison.

“Alongside these challenges, hospitals are going through immense digital transformation, with new connected medical devices being introduced to improve the doctor and patient experience.”

Morrison asserts that despite the massive potential of the healthcare Internet of Things, it’s a double-edged sword as many of these devices are prone to hacking, which is putting both hospital networks and the patients themselves at risk.

“It is essential to ensure these devices are not introduced at the expense of the safety of the patient and their data,” says Morrison.

“Achieving this will be twofold: ensuring that the devices are built securely by design and with the necessary security controls in place; as well as a security policy for connected devices in hospitals, to ensure that they can’t access sensitive data and are regularly patched against newly-discovered vulnerabilities.”
