The new drug abuse: ‘changing the bumpers’ on computerized drug-infusion pumps
As human beings, our connection points to the so-called Internet of Things are still forming and developing and, in some cases, giving rise to security concerns.
We use this Internet of Things (IoT) term to classify everything from:
- So-called ‘wearable’ Fitbit-style health tracker devices
- Internet-connected home heating and/or surveillance systems
- More industrial-level sensors and equipment maintenance networks
But with widespread connectivity comes the potential for widespread risk.
The BBC news network reported an incident this month where a security specialist ‘joked’ a Tweet about hacking the on-board Internet service on a United Airlines flight. Needless to say, the airline (and the FBI) didn’t take it as a joke.
Automated life controls
This personal connection to electronic devices has of course extended to hospital environments and healthcare organizations who are now making use of automated controls for a variety of tasks.
Computerized drug-infusion pumps are on the one hand a life-saving godsend designed to take pressure off of doctors and nurses so that patients get exactly the right doses of medication delivered at exactly the right time. On the other hand they do represent an electronic connection to the network and, logically, they will always represent a risk in much the same way that the airline example showed us.
To allay your fears slightly, there is neither widespread hacking of aircraft passenger web-access systems or drug-infusion pumps at the time of writing, but the potential exists for these vulnerabilities to be exploited and therefore the risks must be aired.
It’s not just simply a question of external hacking though. Computerized systems also require the operative to exercise a degree of authentication against hospital guidelines for drug administration, so the risk factors here are:
A new ‘drug library’ could be uploaded without best practice guidelines being observed.
- An existing ‘drug library’ could be altered by anyone with access to the network.
- Allowable limits for drug administration could be altered by anyone who comes into contact with the ‘drug library’ at any moment in time unless adequate policy access controls are in place.
Changing the bumpers
Dr. Robert Wachter, associate chair of UC San Francisco’s Department of Medicine is quoted this month on the Wired.com website saying that at the outset here, the risk from “changing the bumpers” — the high and low permissible doses — doesn’t seem to be very high.
“It’s probably not going to kill someone today. But in a big institution giving 100,000 medications over the course of a month, screwing around with those bumpers is going to cause harm at some point. That worries me. Anything like this at some point will kill someone,” said Wachter.
The pumps in question in this story are built to intercommunicate using monitoring software build by MedNet Healthcare Technologies. Drug libraries (and their updates) are managed on a Windows-based operating system designed by a company called Hospira that sits on the hospital’s server to send drug library updates to the pumps. Each pump works with a built in communication module designed so that it can receive instructions before it is set to work.
In other words, the number of electronic joins, junctions and connection boxes is not inconsiderable – and this healthcare centric example is widely reflective of the way connected devices pose risks throughout the rest of the business world.
Contact our security experts today to keep your organization and your data safe from the real threats you may face in 2015 and beyond.