The Anti-virus Times

You can try doing this interesting thing: search the MAUDE database by the keywords "computer virus". The results will include all the reports generated by clinics and medical equipment manufacturers. Stories about compounders are the most interesting reads. We have one such device in our lab. They are somewhat hard to procure. Compounders produce liquid medicines. Sixteen funnels are mounted at the top of a compounder and serums are channelled through them. What comes out will be the necessary solution in an IV bag from which it can be delivered into a patient's vein. Many clinics use the devices to create medicinal cocktails. And so, MAUDE published a report indicating that one of the compounders was infected with a virus.

Source

The FDA maintains a database of information about near misses, malfunctions, injuries and lethal incidents. This information is available to the general public as the MAUDE (Manufacturer and User Facility Device Experience) database.

A volumetric infusion pump introduces medicines into patients' bodies through an IV mechanically. In this case, the patient died—the buffer overflow was one cause of the tragedy.

The buffer overflow was caught during error checking, but the action it took was to shut the pump down, to bring it down to a safe mode. What they didn't realise was that for some patients shutting the pump down was basically a death sentence. So the patient died after an increase in intercranial pressure, followed by brain death because of the buffer overflow.

...

The pump was reprogrammed incorrectly so that a bolus was given in 20 minutes instead of 20 hours.

Source

Someone compromised their site, so instead of sending a hospital respirator firmware upgrade to me, they were going to serve me with malware.

You have microcontrollers at the top, and typically, some antennas are in it that facilitate communication with the device that controls the defibrillator.

Source

This is a screenshot of the communication between a device and a programmer. And we can see that, first of all, it's in the clear: there is no cryptography, at least none that we could find.

You'll find inside here the name of the implanting physician, the diagnosis, the hospital—basically it’s a complete electronic health record.

We took an antenna from a pacemaker we didn't need, created a little antenna and recorded the RF communication, inducing a fatal heart rhythm, and then we replayed that communication back. And then the device happily emitted a large shock—something on the order of 500 volts, which is about 32 joules in one millisecond, which, I'm told, is kind of like being kicked in the chest by a horse.

The good news is that these devices have been able to solve the problem through some software updates.

The wire connecting a microphone to the amplifier has a certain length and its own resonant frequency. So let's assume that someone generates electromagnetic interference matching the wire's resonant frequency. What’s going to happen? The amplified signal will be sent to the amplifier where it will be boosted further. Then it will be relayed to the analogue-to-digital converter and forwarded to the processor.

Now if we apply the Fourier transform to heart rhythms, we'll find that typical heart beat signals fall within the range of 100 Hz, and only some of them have higher frequencies. That's why most devices of this kind filter out signals whose frequencies are below or above that range.

But if someone is going to deliberately generate electromagnetic interference within the base frequency range, it will bypass all the filters.

USB sticks are the most common carriers of malware infections in hospitals.

In clinical systems, the average time to infection is about twelve days, during which time they have no anti-malware protection of any kind. They can get almost up to a year if they are able to get an anti-virus product down there, but even that is not perfect.