Other issues in this category (35)
A penetrating wound
Monday, December 3, 2018
Can a medication be compromised? It turns out that it can.
You can try doing this interesting thing: search the MAUDE database by the keywords "computer virus". The results will include all the reports generated by clinics and medical equipment manufacturers. Stories about compounders are the most interesting reads. We have one such device in our lab. They are somewhat hard to procure. Compounders produce liquid medicines. Sixteen funnels are mounted at the top of a compounder and serums are channelled through them. What comes out will be the necessary solution in an IV bag from which it can be delivered into a patient's vein. Many clinics use the devices to create medicinal cocktails. And so, MAUDE published a report indicating that one of the compounders was infected with a virus.
We already mentioned that computers in medical facilities have had serious security issues. But until now we never discussed at length how attackers can take advantage of the issues to attack a specific individual who uses implants.
Because loopholes are everywhere, medical equipment has them too. Let's take the buffer overflow as an example—hackers often take advantage of it to mount attacks on ordinary PCs.
The FDA maintains a database of information about near misses, malfunctions, injuries and lethal incidents. This information is available to the general public as the MAUDE (Manufacturer and User Facility Device Experience) database.
A volumetric infusion pump introduces medicines into patients' bodies through an IV mechanically. In this case, the patient died—the buffer overflow was one cause of the tragedy.
The buffer overflow was caught during error checking, but the action it took was to shut the pump down, to bring it down to a safe mode. What they didn't realise was that for some patients shutting the pump down was basically a death sentence. So the patient died after an increase in intercranial pressure, followed by brain death because of the buffer overflow.
The pump was reprogrammed incorrectly so that a bolus was given in 20 minutes instead of 20 hours.
But how can attackers gain access to medical implants?
This can be done using traditional methods:
Someone compromised their site, so instead of sending a hospital respirator firmware upgrade to me, they were going to serve me with malware.
But there is another way too. For example, this is how an implanted defibrillator is designed:
You have microcontrollers at the top, and typically, some antennas are in it that facilitate communication with the device that controls the defibrillator.
First, let's make sure that the right target has been picked for the attack:
This is a screenshot of the communication between a device and a programmer. And we can see that, first of all, it's in the clear: there is no cryptography, at least none that we could find.
You'll find inside here the name of the implanting physician, the diagnosis, the hospital—basically it’s a complete electronic health record.
And now here’s the killing blow:
We took an antenna from a pacemaker we didn't need, created a little antenna and recorded the RF communication, inducing a fatal heart rhythm, and then we replayed that communication back. And then the device happily emitted a large shock—something on the order of 500 volts, which is about 32 joules in one millisecond, which, I'm told, is kind of like being kicked in the chest by a horse.
The good news is that these devices have been able to solve the problem through some software updates.
The wire connecting a microphone to the amplifier has a certain length and its own resonant frequency. So let's assume that someone generates electromagnetic interference matching the wire's resonant frequency. What’s going to happen? The amplified signal will be sent to the amplifier where it will be boosted further. Then it will be relayed to the analogue-to-digital converter and forwarded to the processor.
Now if we apply the Fourier transform to heart rhythms, we'll find that typical heart beat signals fall within the range of 100 Hz, and only some of them have higher frequencies. That's why most devices of this kind filter out signals whose frequencies are below or above that range.
But if someone is going to deliberately generate electromagnetic interference within the base frequency range, it will bypass all the filters.
And how are hospitals doing in terms of software vulnerabilities?
The screenshot shows how many computers in hospitals are stuck with Windows XP, whose support was dropped by its developer a long time ago. You can see that many of them don't even have any service packs installed.
USB sticks are the most common carriers of malware infections in hospitals.
In clinical systems, the average time to infection is about twelve days, during which time they have no anti-malware protection of any kind. They can get almost up to a year if they are able to get an anti-virus product down there, but even that is not perfect.
The Anti-virus Times recommends
Dr.Web is at a loss and has no recommendations whatsoever and can only wish you all good health.