Scary if so...
Talk about creating "sleeper cells". Van Winkle would be REALLY RIPPED by such a gassly scheme...
The US Department of Homeland Security has warned hospitals and health clinics that many of the electronic medical devices in use at their facilities may be vulnerable to cybersecurity attacks. The affected devices include surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient …
'They' tell everyone that a big part of medical expenses are due to the capital investment required by Drs and hospitals. New features are added to centralize data collection and facilitate chart consolidation and the price goes even higher. New features must be disabled, eliminating efficiencies that were supposed to drive costs down, but still the price goes higher. New machines with elementary level coding best practices must now be purchased, costs grow some more.
The manufacturers of these devices should be required to update them at their own expense. This is already looking like a 'critical' situation that will require the hospitals to request emergency (tax) funds from state and federal agencies. What kind of douche nozzles hardcode passwords into devices? Jesus that's stupid.
How about having the monitoring equipment record to a "patient monitor" located, say, on the equipment panel beside the hospital bed. Then, a central server could poll the "patient monitor" for info, rather than the individual equipment. That way, the equipment could be isolated from the network, and would not require password mods, etc. Security could focus on protecting access to the "patient monitor", which could be handled by each hospital or central monitoring location as they see fit.
There goes the plot for the next Tom Cruise movie- th' President, or some other indispensable person, is about to undergo urgent life-saving surgery, BUT THE TERRORISTS HAVE HACKED THE OPERATING THEATER EQUIPMENT!!!
Can our plucky little scientologist (plus inevitable female sidekick with white hat skills) save the day?
More to the point, security researchers have been flagging-up these vulnerabilities for several years (e.g. Jerome Radcliffe and his Medtronic insulin pump) with the uniform response from device manufacturers: "Nothing to see here, this isn't a problem (and if it becomes a problem we may sue you for making it public)".
Given this attitude by device manufacturers (and the likelihood that the DHS's intervention is more to do with self-publicity/funding than genuine human welfare/security) the suggestions above that they will simply use this as an opportunity to inflate profits by producing "secure" devices (any bets on an "unhackable/terrorist-proof" wifi insulin pump "protected" by WEP?) seem all too likely.
</cynic>
I have personal experience of medical/scientific equipment controlled by networked PCs being broken by their controlling PCs after auto updates have been installed. The equipment was originally isolated from the Internet as it was "mission critical" - Then the IT support contractor persuaded the powers that be that it should be connected, so that it could be automatically updated because "it could get a virus unless it was updated".
Doesn't matter, if they use RF anywhere (even a proprietary non-standard standard) then they are vulnerable to sideband interference attacks.
Say from those nice HomePlug adaptors that someone installed because "adding an extra LAN cable would cost £££" a few hundred feet away, leaking in through the mains wiring or suchlike.
I seem to recall that Freeview is "allergic" to Homeplug adaptors with a certain frequency spread, the newer more expensive ones actually include notching for this reason.
Same with 4G phones where the transmitter is turned on by default even where no 4G coverage exists, the equipment was never designed to function with such extreme interference.
disclaimer:- I used to work with said equipment :-)
....the devices are networked so they can send data to remote monitoring stations at the other end of the ward. That way the person caring for the patients can see on just one screen every patient's status indicators (like ECG, oxygen saturations, arterial blood pressure, respiration rates etc.) as well as being alerted if there is a problem (like a line blockage) with any infusion pumps or other equipment attached to the patient.
Visual direct checks are nice but you don't have enough people to directly observe every patient for every minute of the day.
For the most part these systems are isolated from other networking (mostly so that other network issues don't interfere with the operation of vital monitoring rather than to protect the monitors from external influence) but these devices are often updated with firmware during maintenance cycles and that's where the malware could gain entry.