Hacks involving medical systems and databases scare me. The potential for malicious harm is huge. Despite the fact that we’ve known about the risks since the 1983 hack of Sloan-Kettering, and despite the fact that we received some troubling reminders recently with demonstrations involving pacemakers or insulin pumps, the healthcare sector still lags behind the financial sector in terms of hardening its security. And so here we are, with sensitive patient information at risk of being acquired, corrupted, or exposed, and the very devices that we count on to save lives or diagnose can be hacked to cause harm. Can you think of anything more nightmarish?
Darren Pauli reports:
Researchers have exploited critical vulnerabilities in two popular medical management platforms used in a host of services including assisting surgeries and generating patient reports.
The dangerous unpatched flaws within the Philips Xper systems allowed researchers to develop an exploit within two hours capable of gaining remote root access on the device.
From there, attackers would have administrative access to a host of patient data stored in connected databases.
Read his whole report on SC Magazine. Kelly Higgins Jackson provides related coverage of the XPER vulnerability.
That the FDA and Department of Homeland Security are now getting more involved is encouraging, but obviously, there are significant vulnerabilities that need to be addressed and patched promptly. And researchers who uncover these vulnerabilities need to be assured that they will not be prosecuted as hackers under CFAA if they test systems and disclose responsibly. What really scares the hell out of me is the potential for vulnerabilities to result in exploits that are sold on the black market. Such exploits could be used to extort hospitals or healthcare systems, and if extortion demands are not met, how far would the extortionists go?