Newsflash: Hackers Hack Firmware on Drug Pump

Newsflash to all CEO’s when do you understand the problem of no mistakes no matter the potential of attack?

Bruce Schneier

https://www.schneier.com/blog/archives/2015/06/hacking_drug_pu.html

Hospira Infusion drug pumps:

InfusionPumps_Hospira.com

http://www.hospira.com/en/products_and_services/infusion_pumps/

So the infusion pump helps reduce clinical safety and is now on the network.

Guess what will happen next? Hackers will hack…

Sure it may take some time and crazy hacker ingenuity to make money out of a potential Infusion hack, but just as in Schneier’s blog  post:

{ Rios says when he first told Hospira a year ago that hackers could update the firmware on its pumps, the company “didn’t believe it could be done.” Hospira insisted there was “separation” between the communications module and the circuit board that would make this impossible. Rios says technically there is physical separation between the two. But the serial cable provides a bridge to jump from one to the other. }

 

I agree we need to assume insecurity and then prove security, because this hacker will try to prove the fallibility of the Hospira architecture separation. This is the same concept in defending networks, you have to assume the hacker is already in the network by getting by the defenses.

Imagining that the hardware is built with an impregnable wall has to be proven with your own and outside QA and penetration testing, especially if the device is connected to the network (either directly or through a computer via serial cable).

 

The big question is why would a hacker hack a drug pump? To make money…   If they can install ransmware  now they can charge even more than $300 because they are messing with lives (drug delivery).

 

Will we see in the future the following headline:

Hackers injured/killed X number of people? Made a Bil$ with health related hacks.

 

All CEO’s must evaluate their cyber defense strategies and they have to think outside the box… as hard as that is to do.

Do you really think the criminals which are making a Billion Dollars today are sitting idle?  http://www.dw.de/hackers-steal-up-to-1-billion-from-banks/a-18260327

cryptolocker-image

Imagine the next Cryptohealth or cryptoPump ware asking for a thousand$ or else.

 

I do not want to perfect the hacker attack here (as one can easily disconnect he pump etc.)   the actual hack may be different in scope.

It is obvious to me the thinking needs to change to assume insecurity and prove secure function.