In hospitals increasingly composed of the Internet of Things, how secure are the ‘things’?
In a study spanning two years, Erven and his team found drug infusion pumps – for delivering morphine drips, chemotherapy and antibiotics – that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.
[…]
“There are very few [devices] that are truly firewalled off from the rest of the organization,” he says. “Once you get a foothold into the network … you can scan and find almost all of these devices, and it’s fairly easy to get on these networks.”
Probably even easier now, given the recent revelation of a big Internet Explorer exploit.
They found a number of infusion pumps that have a web administration interface for nurses to change drug dosage levels from their workstations. Some of the systems are not password-protected, while others have hardcoded passwords that are weak and universal to all customers.
So, while these infusion pumps are under physical lock-and-key in the patient’s room, they remain unlocked through their web portals?
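The three credential postures the quoted passage describes (no password at all, one hard-coded password shared by every customer, and the alternative of a secret provisioned per device) are easy to see side by side in code. The example below is added here and is not code from the article, from Erven's research or from any pump vendor; the `PumpDevice` class, the `authorize_dose_change` and `credential_audit` functions, the device serials and the placeholder vendor password are all constructed for illustration.

```python
"""Three ways a pump's web interface can decide whether a dosage change is allowed.

"none" and "universal" are the weak postures reported in the article; "per_device"
is the hardened form: a secret set at installation, stored only as a salted hash.
Every device name, secret and password below is constructed for this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for a vendor-wide default. In the field this value would be
# identical on every unit shipped, which is the weakness the article reports.
UNIVERSAL_VENDOR_PASSWORD = "vendor-default-placeholder"

PBKDF2_ROUNDS = 100_000


@dataclass
class PumpDevice:
    serial: str
    auth_mode: str                       # "none", "universal" or "per_device"
    salt: bytes = field(default=b"")
    secret_hash: bytes = field(default=b"")

    def provision_secret(self, secret: str) -> None:
        """Store a per-device secret as a salted PBKDF2 hash, never as plaintext."""
        self.salt = os.urandom(16)
        self.secret_hash = hashlib.pbkdf2_hmac(
            "sha256", secret.encode(), self.salt, PBKDF2_ROUNDS)
        self.auth_mode = "per_device"


def authorize_dose_change(device: PumpDevice, presented: Optional[str]) -> bool:
    """Return True if the presented credential may change this device's dosage."""
    if device.auth_mode == "none":
        # Weak: anyone who can reach the web interface may change the dose.
        return True
    if device.auth_mode == "universal":
        # Weak: one password opens every customer's pump, so it is effectively
        # public once it leaks from any single site or manual.
        return presented == UNIVERSAL_VENDOR_PASSWORD
    if device.auth_mode == "per_device":
        if presented is None or not device.secret_hash:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", presented.encode(), device.salt, PBKDF2_ROUNDS)
        # Constant-time comparison so the check does not leak through timing.
        return hmac.compare_digest(candidate, device.secret_hash)
    return False


def credential_audit(devices: List[PumpDevice]) -> List[Tuple[str, str]]:
    """Flag devices whose posture lets a single credential (or none) reach every unit.

    This is the inventory check a hospital security team would run over its
    device register before worrying about anything more exotic.
    """
    findings = []
    for d in devices:
        if d.auth_mode == "none":
            findings.append((d.serial, "no authentication on dosage interface"))
        elif d.auth_mode == "universal":
            findings.append((d.serial, "shared vendor password"))
    return findings


if __name__ == "__main__":
    fleet = [PumpDevice("PUMP-001", "none"),
             PumpDevice("PUMP-002", "universal"),
             PumpDevice("PUMP-003", "universal")]
    hardened = PumpDevice("PUMP-004", "none")
    hardened.provision_secret("site-specific-secret-constructed")
    fleet.append(hardened)
    for serial, problem in credential_audit(fleet):
        print(f"{serial}: {problem}")
```

The audit reports the first three pumps and stays silent on the fourth: the point is not the hashing detail but that a per-device secret turns one network-wide credential into four independent ones, so a leak at one site no longer opens every pump the vendor has sold.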
And the most damning revelation:
“The vendors don’t have any types of security programs in place, nor is it required as part of pre-market submission to the [Federal Drug Administration],” Erven notes. “There’s no security assessment before it goes to market.”
(h/t Kevin Wang)