BlackBerry offers insight on hidden security headaches for patients, providers

A live demo at a BlackBerry Security Summit drove home the vulnerabilities presented by everyday mobile healthcare tools, in this case the IV infusion pump for administering medications in hospital and clinical settings.

In quick fashion, a BlackBerry hacker illustrated how the device can be used as an easy path for hackers to alter medication, get onto a provider's Wi-Fi network and reach a facility's network housing valuable private and confidential data records. It's all due to an Ethernet port built into the pump's mechanical functions.

BlackBerry Chief Security Officer David Kleidermacher and security researcher Graham Murphy explained that a network cable, a laptop or tablet and some knowledge of hacking are all that is needed to shut down a pump or increase or decrease fluid operation, presenting what Kleidermacher described as a "soft underbelly" for attackers.

"[N]ot only does the proliferation of new types of life-saving medical devices help save lives, it also creates an incredible surface area for attacks," Kleidermacher said during the demo.

Through an independent investigation on medical infusion pumps, security researcher Billy Rios found security vulnerabilities in the devices, which prompted the U.S. Food and Drug Administration to issue a warning on the tools. Vulnerabilities in the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems could allow unauthorized users to gain access to the devices and modify the doses they deliver, according to the warning from the FDA. Rios adds that because the problems are design issues in the way software is deployed by the pump, he believes other pumps made by Hospira are impacted by the vulnerabilities as well. 

The infusion pump is just one tool hospitals are using without realizing the potential security risks.

Security is a looming dark cloud over mHealth and the healthcare industry overall. Technology is being developed, sold and used without security being a priority at the outset of development; instead, it often is bolted on as an afterthought.

Yet some are taking the proper approach. Nebraska Medicine, which is deploying an Apple Watch-based version of its Epic MyChart app to let patients and physicians communicate and access data, made a series of decisions regarding security to ensure data is protected at every point, from creation to transmission to storage. No data resides on the Watch and encryption technology is used for transmitting data between the Epic system and the wearable.
