Gallery: Medical Devices That Are Vulnerable to Life-Threatening Hacks
Hospira01hospira-lifecarepca-plum-a
*1. The Hospira LifeCare Drug Infusion Pump.* Security researcher Billy Rios was in the hospital for emergency surgery one day when he eyed the drug infusion pump used to deliver medication to him and other patients and realized it was the same model he'd reverse-engineered as part of a security project. Rios had found vulnerabilities in the pump that would allow a hacker to surreptitiously and remotely change the amount of drugs administered to patients to [deliver a deadly dosage](https://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/). The vulnerabilities affect at least five models of drug infusion pumps made by Hospira---an Illinois firm with more than 400,000 intravenous drug pumps installed in hospitals around the world. But pumps made by other companies may be vulnerable in the same way.
02medtronic
*2. Medtronic's Paradigm 512, 522, 712, and 722 insulin pumps.* Patients use insulin pump systems to manage their blood glucose levels. But the systems don't encrypt the commands that patients send their pumps, nor do they authenticate the source of the commands---this means unauthorized parties in the vicinity of a pump could intercept the legitimate commands and replace them with bogus commands that could deliver a deadly insulin dose to a patient.
Getty Images03GettyImages-136997842
*3. Implantable Cardioverter Defibrillators (ICDs).* Life-saving devices like implantable cardioverter defibrillators deliver shocks to a patient who shows signs of going into cardiac arrest. So you'd think they'd be designed to prevent someone from disabling or hijacking them to deliver unwarranted shocks. But researchers found that a couple of companies that make defibrillators have a feature that attackers could hijack. The companies use a Bluetooth stack for configuring the devices and delivering test shocks to patients after the devices are first implanted. But they evidently use default and weak passwords for the Bluetooth stack, which an attacker could use to connect to the devices. "It’s a simple password like an iPhone PIN that you could guess very quickly," Scott Erven, head of information security for Essentia Health, discovered.
Jasper Juinen/Bloomberg/Getty Images04Royal Philips N.V. Healthcare Systems
4\. X-Ray Systems. The computers that physicians and other hospital staff use to access patient X-rays generally require authentication to view the images; they also maintain a log of everyone who accesses them to protect patient privacy and guard against misuse. But security researcher Scott Erven found that these images are often backed up to centralized storage units that [don't require any authentication to access them](https://www.wired.com/2014/04/hospital-equipment-vulnerable/) and also don't log who views the images.
Getty Images05GettyImages-495491976
*5. Blood Refrigeration Units.* Some refrigeration systems used to preserve blood and pharmaceuticals have a web interface that lets hospital staff set the temperature range remotely. Although the systems can issue alerts via email or wireless pagers to notify lab and hospital staff if the temperature falls outside certain boundaries, the systems are not secure---they are only protected by a hardcoded password the vendor embedded in the systems, which a hacker can decipher. And once in the system, an attacker could not only alter the temperature but turn off the alert feature to prevent the system from notifying hospital staff.
Getty Images06GettyImages-523837251
*6. CT Scans.* Scott Erven and his team of researchers found vulnerabilities that left [CT scanning equipment open to attack](https://www.wired.com/2014/06/hospital-networks-leaking-data/). They found, for example, that they could remotely alter the configuration files in a hospital's CT scan and change radiation exposure limits that set the amount of radiation patients receive.
CAE Healthcare07istan
*7. iStan.* Though it's not actually a medical device, iStan expertly illustrates why securing medical devices and equipment is so important. The $100,000 medical dummy comes equipped with robotics that mimic the human cardiovascular, respiratory, and neurological systems. Earlier this year, researchers at the University of South Alabama "killed" Stan by hacking his embedded pacemaker. "The simulator had a pacemaker so we could speed the heart rate up, we could slow it down," they [told Motherboard](http://motherboard.vice.com/read/hackers-killed-a-simulated-human-by-turning-off-its-pacemaker). "If it had a defibrillator, which most do, we could have shocked it repeatedly. \[But\] it's not just a pacemaker---we could do it with an insulin pump, \[or\] a number of things that would cause life-threatening injuries or death."
