Dr. Kim Kwai (left) tries to solve a medical mystery caused by a medical device hack, as her medical team performs CPR on the dummy patient.
Dr. Kim Kwai (left) tries to solve a medical mystery caused by a medical device hack, as her medical team performs CPR on the dummy patient.

There's a famous axiom about doctors making unusual medical diagnoses when a more commonplace explanation is more likely: “When you hear hoofbeats, think of horses not zebras.

But what if it's a unicorn?

What if it's something doctors are not trained to look for at all – like the hacking of a medicine pump, causing it to administer an overdose to a patient?

RSA 2018 drove this point home on Thursday with a riveting medical emergency simulation, designed to test a doctor's quick thinking and diagnosis skills in a worst-case scenario situation. Not surprisingly, it took precious minutes before the doctor realized that a malfunctioning pump was the cause of the crisis.

The demonstration was just a snippet of a series of simulations that debuted in Arizona at last year's inaugural CyberMed Summit, organized by the Atlantic Council and two College of Medicine - Phoenix graduates with a hacker background -- Drs. Jeff Tully and Christian Darneff. Tully and Darneff hosted Thursday's RSA session, alongside Josh Corman, an innovation fellow at the Atlantic Council, and founder of I Am the Cavalry, a grassroots public safety organization specializing in computer and device security.

“We said, ‘You know, guys, nothing's gonna change unless somebody dies first,'” said Corman, also a CSO with computer software company PTC. “So we did what any good self-respecting hackers would do: we killed people… in a simulation of course.”

Dameff, an emergency physician and clinical informatics fellow at the University of California San Diego, described the process further, noting “we have mannequins that can cry or can bleed that you can do impromptu surgery on in an effort to train our physicians to be able to the handle the most complicated difficult cases with these technologies..."

The physician being tested in this case was University of California, Davis, toxicologist Dr. Kim Kwai, who was not provided any details in advance about the fictional patient, his medical issue, or the big surprise waiting for her – a stealthy exploit of a connected hospital IoT device.

Kwai's patient was a fictional 60-year-old man played by Beau Woods, a cyber safety innovation fellow with the Atlantic Council, and a leader with The Cavalry. Woods complained of experiencing chest pains for about a week, and presented with atrial fibrillation, or a rapid heartbeat.

After asking the patient a series of questions, she ordered her medical team – who was in on the “game” – to administer an IV drip of Cardizem, a calcium channel blocker that treats afib and related ailments.

The patient's chest x-ray and bloodwork looked good, but soon after he complained of increasing lightheadedness, he lost consciousness as his heart stopped beating. At this point, Woods was replaced with a dummy, as Kwai's medical team performed CPR on the patient.

At first, Kwai was confounded as to why the patient experienced cardiac arrest – until Tully, an anesthesiologist and pediatrician at the University of California, Davis, pointed out a strange anomaly: the entire bag of Cardizen had already been emptied.

Only then did the light bulb go off. Dr. Kwai immediately diagnosed the issue as a calcium channel blocker overdose and quickly ordered the pharmacy to provide insulin to counteract the effects.

The patient was saved. But in a real-life situation, perhaps no one would have noticed the empty medicine bag until it was too late.

“Can we switch out that pump?" said Kwai, realizing something had gone wrong with the equipment. Indeed, the pump was compromised, said Darneff, adding that the exploit in this case reflected the findings of researcher Billy Rios, who in 2014 discovered multiple vulnerabilities in the LifeCare PCA drug infusion pump sold by Hospira.

“Being alerted that the entire bag was empty kind of made me thing of a pump malfunction, maybe,” said Kwai following the simulation, admitting that “I have never really thought to look at the bag. In fact, I was not looking at the bag.”

Kwai said that moving forward she would now be more cognizant of how patient lives depend on the integrity of connected medical devices. It would be devastating to the entire health care system if things were hacked,” she said.