Electronic medical equipment is supposed to help humans save lives, but their lamentable security could result in considerable death, we were warned over the weekend.
Speaking at DerbyCon in Kentucky, USA, on Saturday, two infosec experts and two doctors who have a side interest in hacking gave an update on their work analyzing security flaws in medical machinery. And, reader, the results weren't good. On average, a connected device had about 1,000 exploitable CVE flaws, with some going over the 1,400 mark, it was claimed.
Not all of these flaws are remotely exploitable, but many are, "and it only takes one,” said Joshua Corman, director of the Atlantic Council's Cyber Statecraft Initiative and one of the aforementioned speakers. “Governments aren’t ready for this and hospitals certainly aren’t – 85 per cent of US hospitals don’t have any IT security staff,” he added.
Four years ago, Corman and others launched
I am the Cavalry to investigate and tackle computer security that affects public safety. He gave his
DerbyCon talk alongside his deputy director Beau Woods, and infosec-minded Dr Christian Daneff and Dr Jeff Tully.
Dr Daneff highlighted the effects of the
WannaCry ransomware epidemic on the UK healthcare system, and said the US had been very, very lucky not to have similar infections of malware. The main fear is a software nasty disrupting computers and network-connected equipment to the point where patients are prevented from receiving vital treatment in time.
“When you look at stroke or heart attack victims you’ve got a very small time window to medicate and avoid further damage,” Dr Daneff explained. “A serious delay might not kill people but can certainly leave them crippled. I’m pretty confident someone died due to this [WannaCry] attack.”
The group ran a simulation exercise with the authorities in Phoenix, Arizona, that revealed alarming results. The three-day simulated cyber-disaster involved one hospital in the city being infected by destructive malware that crippled essential services, followed by other digital assaults on hospitals across the city on the second day, and then a physical attack similar to the 2013 Boston marathon bombing on day three.
To their surprise, the simulations calculated deaths would occur almost immediately on day one. With elevators and HVAC systems out, and no refrigeration for medicines, patients had to be shuttled to other medical facilities and some were not making it there alive.
By day two, doctors switched from standard to disaster triage due to the sheer volume of patients not being treated. Typically, people are triaged so that the sickest or most seriously injured get treated first, but instead doctors had to switch to prioritizing those they could realistically save and left the more seriously sick to die.
