Security Architecture, Endpoint/Device Security, IoT, Network Security, Security Strategy, Plan, Budget, Vulnerability Management, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Doctors at RSA simulate emergency overdose caused by hacked medical pump

There’s a famous expression about doctors who make unusual medical diagnoses when a more commonplace explanation is more likely: “When you hear hoofbeats, think of horses, not zebras.” But what if it’s a unicorn? What if it’s something doctors are not trained to look for at all – like the hacking of a medicine pump, causing it to administer an overdose to a patient? RSA 2018 drove this point home on Thursday with a riveting medical emergency simulation, designed to test a real-life doctor’s quick thinking and diagnosis skills in a worst-case scenario situation. Not surprisingly, it took precious minutes before the doctor realized that a malfunctioning pump was the cause of the crisis. The demonstration was just one snippet of a series of simulations that originally debuted in Arizona at last year’s inaugural CyberMed Summit, organized by the Atlantic Council and a pair of College of Medicine – Phoenix graduates with a hacker background: Drs. Jeff Tully and Christian Darneff. Tully and Darneff hosted Thursday’s RSA session alongside Josh Corman, an innovation fellow at the Atlantic Council and founder of I Am The Cavalry, a grassroots public safety organization specializing in computer and device security. “We said, ‘You know, guys, nothing’s gonna change unless somebody dies first,’” said Corman, also a CSO with computer software company PTC. “So we did what any good self-respecting hackers would do: we killed people… in a simulation of course.” Dameff, an emergency physician and clinical informatics fellow at the University of California San Diego, described the process further, noting “we have mannequins that can cry or can bleed that you can do impromptu surgery on in an effort to train our physicians to be able to the handle the most complicated difficult cases with these technologies...” The physician being tested in this case was University of California, Davis toxicologist Dr. Kim Kwai, who was not provided any details in advance about the fictional patient, his medical issue, or the big surprise waiting for her – a stealthy exploit of a connected hospital IoT device. Kwai’s patient was a fictional 60-year-old man played by Beau Woods, a cyber safety innovation fellow with the Atlantic Council, and a leader with I Am The Cavalry. Woods complained of experiencing chest pains for about a week, and presented with atrial fibrillation, or a rapid heartbeat. After asking the patient a series of questions, she ordered her medical team – who was in on the “game” – to administer an IV drip of Cardizem, a calcium channel blocker that treats afib and related ailments. The patient’s chest x-ray and bloodwork looked good, but soon after he complained of increasing lightheadedness, and then lost consciousness as his heart stopped beating. At this point, Woods was replaced with a dummy, as Kwai’s medical team performed CPR on the patient. At first, Kwai was confounded as to why the patient experienced cardiac arrest – until Tully, an anesthesiologist and pediatrician at the University of California, Davis, pointed out a strange anomaly: the entire bag of Cardizen had already been emptied. Only then did the light bulb go off. Dr. Kwai immediately diagnosed the issue as a calcium channel blocker overdose and quickly ordered the pharmacy to provide insulin to counteract the effects. The patient was saved. But in a real-life situation, perhaps no one would have noticed the empty medicine bag until it was too late. “Can we switch out that pump?” said Kwai, realizing something had gone wrong with the equipment. Indeed, the pump was compromised, said Darneff, adding that the exploit in this case reflected the findings of researcher Billy Rios, who in 2014 discovered multiple vulnerabilities in the LifeCare PCA drug infusion pump sold by Hospira. “Being alerted that the entire bag was empty kind of made me think of a pump malfunction, maybe,” said Kwai following the simulation, admitting that “I have never really thought to look at the bag. In fact, I was not looking at the bag.” Kwai said that, moving forward, she would now be more cognizant of how patient lives depend on the integrity of connected medical devices. “It would be devastating to the entire health care system if things were hacked,” she said.
Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.