The Atlanta Journal-Constitution
Researcher seeks to protect medical devices from hacking
Built-in convenience also leads to greater vulnerability.
The infusion pump is partly dismantled on the desk and one of its circuit boards lies next to it. Probing the unit for weaknesses and coming up with a protocol to test other medical devices such as pacemakers could point to a way to make them safer from hacking and cyberattacks, an Augusta University researcher says.
In this case, the hacker is Dr. Michael Nowatkowski, associate professor at the university’s Cyber Institute, program director for Cyber Sciences and a senior research fellow with the Army Cyber Institute at West Point. The problem with many medical devices like the infusion pump is that when they were designed years ago, security really wasn’t an issue, he said.
“They were originally designed to be standalone devices and not connected to anything,” Nowatkowski said. “Most of these were originally designed not to connect to the Internet, so the security was in the physical security. You weren’t going to have people walking into patient rooms and messing with the pumps. But now that we’ve connected them to networks, people can do that remotely.”
As health care facilities moved toward monitoring at nursing or central monitoring stations, the devices were connected to networks either by wire or wirelessly - and sometimes without seemingly a great deal of forethought. Nowatkowski held up the circuit board where a wireless USB port has been soldered into the side.
“It makes for great productivity, the ability for a few people to efficiently monitor many devices versus someone having to go and check them all manually,” he said. “But it does increase the vulnerabilities or the risk of operating these.”
With wireless monitoring, for instance, depending on the signal strength, someone could be up to 300 feet away and still intercept it.
“There is a potential that you could even be sitting in the parking lot trying to pick up on the signals,” Nowatkowski said.
Then there are the vulnerabilities that are built into the machines themselves. Nowatkowski picked the infusion pump because there are six known vulnerabilities with these machines. For instance, the default password is stored in the machine itself, and there is no separate authentication process for changing the dosage-limiting database, he said. And that could present a serious problem.
Because those vulnerabilities are already known, Nowatkowski is planning to use standard tools available for “reverse-engineering” to validate what tools and processes can be used to find those vulnerabilities in a systematic way.
“Then what we’ll do is we’ll look at other devices that have not yet been researched and use those same techniques and procedures and use the same tools to see if we can discover similar vulnerabilities on those other devices,” he said.