Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Medicine Security

Hackers Penetrate Top Medical Device Makers 76

Posted by samzenpus
from the lets-have-a-look dept.
An anonymous reader writes "Hackers have penetrated the computer networks of the country's top medical device makers, The Chronicle has learned. The attacks struck Medtronic, the world's largest medical device maker, Boston Scientific and St. Jude Medical sometime during the first half of 2013 and might have lasted as long as several months, according to a source close to the companies."
This discussion has been archived. No new comments can be posted.

Hackers Penetrate Top Medical Device Makers

Comments Filter:
  • Response (Score:2, Insightful)

    by DoofusOfDeath (636671)

    When I hear about stuff like this, I'm ashamed of the savage thoughts and desires I feel towards the perpetrators.

  • by cold fjord (826450) on Monday February 10, 2014 @09:43AM (#46209681)

    I imagine they'll take what they can get: IP, personal data, or just more computers to control.

    If it really is China as suggested in the article that could make sense. China's population is going to be aging, and medical devices would be handy for either internal use or for another technology to develop and market.

    This is interesting (FTA): "The medical device makers were not aware of the intrusions until federal authorities contacted them, and they have formed task forces to investigate the breach, he said."

    Who do you suppose noticed the breaches, and how?

    • by Anonymous Coward

      Someone got bored hijacking your secure email at the NSA and decided to go trolling for medical device companies?

    • by Anonymous Coward
      I worked for Siemens Medical on their Centaur XP device - based on stock Solaris 10, never patched, no real security enabled; their earlier model, still in the field, was based on Solaris 2.6, also not patched - and it was trivial to hack and exploit that machine. Brought it up with management more than once. Silence. As it is, I expect to see articles any day mentioning Siemens' shock and dismay that their flagship medical diagnostic device has been hacked. I just hope no one dies from it.

      -- green le
    • by tomhath (637240)
      Could've been one of the many agencies they communicate with noticed probes coming from their systems- NIH, FDA, CMS, CDC, etc. But it was more likely an agency that's responsible for stopping espionage by other governments.
    • Re: (Score:3, Funny)

      by Hal_Porter (817932)

      Who do you suppose noticed the breaches, and how?

      If the machine next to your hospital bed displays a laughing skull and starts playing mod tunes whilst demanding you pay by credit card to an account in Russia to avoid being "pwned by l33tgr0up" that is likely not a good sign.

    • by Darinbob (1142669)

      China pirates a lot of devices. Russia too. Not necessarily state sanctioned but there is a huge market for cloned medical devices.

  • by Akratist (1080775) on Monday February 10, 2014 @09:56AM (#46209741)
    Someone probably already wrote a sci-fi story along these lines, but I can easily see someone with an artificial heart, pacemaker, or some other medical device getting a phone call threatening to shut their thing off unless they make an extortion payment. While I think most of these are air gapped at the moment, it's inevitable that they will become more interconnected, especially as a means of delivering diagnostic information (aka "heartbeats", heh), at which point it will be possible to run exploits against them. Even if a person's devices aren't experiencing a legit attack, I can also see plenty of people being scared into coughing up dough because they won't know any better.
    • Go watch the Almost Human episode "Arrythmia". Now.
    • What is already happening is these devices are getting hard coded safety envelopes. You would be able to give them commands within that envelope but that would be it. It is not a problem but the medical device companies though they would have to deal with but they seem to be working on the problem pretty efficiently. So you could tell the heart to speed up a little or slow down a little but there would be hard coded controls so that you could not make it stop, run too fast, run too slow, run for very long a

      • However, in the case of pacemakers it is very possible to cause a bingeminy, trigeminy, or other form of sinus arrhythmia that untreated could ultimately lead to damage of the heart muscle, even for a device operating within its safety limits. Even just by oscillating the gain on the sensing leads could trigger automated defibrillation on devices with the capability (less common).
        • Wouldn't one of the limits be on the oscillations allowed? Even when designing process controllers for industry for chemical reactors there are limits like that. There should be no input to these devices you can give which would endanger the patient.

    • by swb (14022)

      Similar to "Repo Men".

      http://www.imdb.com/title/tt10... [imdb.com]

    • by Tablizer (95088)

      There was concern shortly after 9/11 that terrorist hackers could shut down Dick Cheney's pacemaker using a proximate signal. He's rumored to have had surgery to turn off the remote command feature.

      http://abcnews.go.com/Health/d... [go.com]

    • I suspect that hospitals would be loathe to put in artificial parts which someone else could remotely service or diagnose, even without any chance of what you suggest.

      Doesn't mean it's impossible of course, just that it seems right at this moment like a remote concern.
      • Pacemakers and defibrillators can be reprogrammed wirelessly by physicians. The more sophisticated ones (usually defibrillators) often have a patient unit, which can be kept at home, and can query the device and send telemetry back to the physician over the internet. This can reduce the need to travel to the hospital for routine examinations.

        In general, there is no real authentication performed between the wireless programmer and the implanted device, other than a check of the serial number. The channel is

      • My wife's (Medtronic) pacemaker can be checked, logs read, and reprogrammed by hanging a device that's about the size and shape of a computer mouse on her chest. That device is connected to a computer that the cardiac technician sits in front of to do his thing.

        As far as I'm aware, the entire pacemaker is controlled by the technician's computer. There is no phyiscal penetration required at all.

  • by Lumpy (12016) on Monday February 10, 2014 @10:00AM (#46209773) Homepage

    When you think of IT as that annoying office of geeks you have to tolerate in the company.

    They are your first line of defense, when they ask for something you GIVE IT TO THEM.

    • by Anonymous Coward

      This is what you get when IT ACTS like annoying whining office jerks because they only explain things in completely condescending 100% tech speak ways to non techies, i.e. management.

      Management is your first source of funds. When they need it explained in their terms, EXPLAIN IT TO THEM.

      • by Jawnn (445279)

        This is what you get when IT ACTS like annoying whining office jerks because they only explain things in completely condescending 100% tech speak ways to non techies, i.e. management.

        Management is your first source of funds. When they need it explained in their terms, EXPLAIN IT TO THEM.

        Nooo.... This is what you get when people who don't understand IT, and who can't be bothered to listen to any explanations, describe their experience when IT tries to explain why it is important to [insert security best practice here]. Yes, there are dickheads in IT too, who are condescending, etc., but that can hardly explain the constantly uphill battle that IT fights when trying to justify this expense or that policy.

    • Do you buy Oracle hardware and licenses because its what the DBA knows, or are your requirements satisfied by something less expensive?
      Do you need the Rsa connection so admins can remote in, or is that something that should be airgapped?

      My point is that you have to either know or trust, and trust is expensive. So hire well and pay generously. Just throwing money at the problem doesn't mean it will be solved well, or at all. As such, it is too simplistic to be taken as advice.

    • by Darinbob (1142669)

      It's scary that they're the line of defense, when they can't even find out what the problem is with the computer on the desk or figure out why the network slowed down, and everyone in the staff who does work is in the twenties and all managers are in the forties, and mentioning any topic not included in a Microsoft certification course causes blank stares.

      I have definitely been places where the R&D team know more about security than the IT team, which is ok when creating the security on the devices them

  • Internet of Things (Score:3, Informative)

    by JCHerbsleb (2881347) on Monday February 10, 2014 @10:05AM (#46209811)
    Welcome to the Internet of Things. Now, IT Security is not simply a venue to stop embarrassment (website defacements), disruption (DDoS), and exposure (SQLi), but potentially a life and death issue. Disruption of a pacemaker, insulin pump, etc. can have a very real impact. Perhaps a modern day "Pinto" incident will change the view of IT Security from an expense item to a necessary partner.
    • by eam (192101)

      I haven't re-read the article to see if I've missed something, but it seemed more about corporate espionage than causing heart attacks. Seems like the perpetrators were looking for a quick and easy path to the top of the medical device manufacturing food chain.

      Would be morally wrong to set up a honeypot loaded with subtly but fatally flawed designs such that the manufacturer stealing said designs would be destroyed by the resulting lawsuits from their customers and/or victims?

    • by Darinbob (1142669)

      The hacking here is to the corporate computers, not hacking into the devices themselves. Now granted those devices may not be secure in some cases, but that is a different story. The danger is in stealing designs. However if the devices rely on security through obscurity then stealing the designs can allow compromising the devices also. Worse, if someone is dumb enough to store signing certificates on a corporate computer.

  • with web/Internet access on the same computer they used for admission and they were using Microsoft's Internet Explorer. Same thing for a CPA and her entire office while handling taxes for corps and individuals. So it should be no surprise to hear medical companies have been hacked into. Security is something others with important information do.

    • When I was in the hospital last year I noticed that the heart monitor (with built in defib) had bluetooth. I don't think I want something hooked up to me that has both A) the ability to deliver massive amounts of electricity to my chest and B) bluetooth.
  • by Anonymous Coward

    Did they get the IP address and password to Dick Cheney's implants? That's what we all want to know.

  • Medical devices are huge threats. "Hey lets slap WiFi on this heart rate monitor and give it to a hospital" - how about an insulin pump?

    Recall the story of using bluetooth to kill someone with a pacemaker? [webpronews.com]

    Simple fact is people have no idea what they are doing security wise and are designing this stuff to be web enabled.
  • And soon some medical devices will be penetrating the hackers.

I have yet to see any problem, however complicated, which, when you looked at it in the right way, did not become still more complicated. -- Poul Anderson

Working...