Researcher Saurabh Harit of Spirent SecurityLabs discovered vulnerabilities in digital smart pens and IV infusion pumps that threaten the confidentiality, integrity and availability of electronic protected health information (PHI). Exploiting the vulnerabilities could give unauthorized individuals access to sensitive patient information, and patients connected to the affected IV infusion pumps could be harmed, with potentially fatal consequences, if the pump vulnerability were exploited.
Doctors often use smart pens to write prescriptions, which are then transmitted to pharmacies. The manufacturers of the smart pens say that the devices do not store sensitive information, yet Harit recovered sensitive data through the devices, including patient names, phone numbers, addresses, medical records and clinical information.
Harit was able to reach the operating system of the computer the smart pen connects to. Initially he obtained only low-privilege access, but further exploits elevated it to administrator privileges. With administrative rights, and with encryption disabled, Harit accessed the backend servers used by the healthcare organization, which allowed him to view the PHI of patients who had visited the doctors using the smart pens. The smart pen manufacturers have been notified of the flaws and have since fixed the vulnerability.
The vulnerability in the IV infusion pump remains unpatched. Harit found that the flaw could potentially be used to administer lethal doses of drugs to patients using the IV pumps in a particular hospital. The attack was very simple and required only a device costing $7. With that device, Harit was able to interface with the pump and view its configuration data. He could also access the device connected to the pump and collect sensitive patient data, including the master drug list and the doses of drugs to be administered. An attacker could even create malware to attack all the IV infusion pumps in the hospital.
The only prerequisite for exploiting the vulnerabilities is physical access to the device. Harit did not disclose the names of the affected companies or devices, but he presented his findings at Black Hat Europe.