Re: Holy crap
It's you! They're coming for you!
6 publicly visible posts • joined 9 Apr 2014
That's actually wrong. High levels of carbon dioxide in the blood render you unconscious, irrespective of the oxygen level in your blood. Carbon dioxide is in itself toxic to human beings at high levels. This toxicity shows itself in people with most severe chronic obstructive pulmonary disease who retain carbon dioxide when breathing.
The article is a tad one-sided when it comes to describing usage-scenarios for infusion pumps, although I admit the descriptions do apply aptly to the specific type of pump mentioned, namely a PCA-pump. Whilst the author points out that hospitals will generally avoid making ethernet ports available left, right and center - and that may be true - the trend on intensive care units is very much toward networking all devices. If you imagine a busy ICU with 15 beds, each equipped with a ventilator and something like 12 infusion devices (and, in some cases, additional equipment, such as dialysis devices, ECMO etc.) you can immediately see the advantage of networking those devices: automated documentation. In addition, alarms (patient inadequately ventilated, norepinephrine running low, potassium pump to be changed in 5 minutes etc...) can be displayed in a central nursing bay (already we can see the patients' vitals on monitors throughout the ICU), streamlining some of the work on ICU. Networked pumps can also be updated remotely - a godsend when you need to add new drugs and standards to the internal list of available medications.
My personal experience is that the team in charge of implementing such changes on an ICU does not include an IT-security expert - and companies will happily tell you that there is no way a device can be controlled remotely. Less IT-savvy physicians (and that description will include many senior physicians, who did not grow up in an IT-environment) will be happy to believe such claims. Knowing that one pump on the market proves those claims wrong - and suspecting that many other pumps will too - should be worrying to anybody who uses networked pumps on an ICU - where pumps and drugs really are part of a life and death situation.
Of course we don't live in a world full of people who would like to kill indiscriminately - but some of those who are mad will find it rather easier to do so remotely than in person. I do very much agree with your third conclusion - IT-security needs to be a part of the stringent certification procedure for medical devices.
I'm a medical doctor, so trying to get my head around SSL is a bit o.t. to me...
What's the client-side implication of all this? Is changing passwords after the server-side certs have been renewed enough? Or are the libraries found in BYOD environments - what I'm saying is, is a leak inherently possible at either end, and equally dangerous?