Hacked IV Pumps and Digital Smart Pens Can Lead to Data Breaches

Researcher to reveal IoT medical device dangers at Black Hat Europe this week.

An attack on a single IV infusion pump or digital smart pen can be leveraged to a widespread breach that exposes patient records, according to a Spirent SecurityLabs researcher.

Saurabh Harit, managing consultant with Spirent, will present his findings on flaws in IV infusion pumps and digital smart pens at Black Hat Europe this week.

"Perpetuators can use this patient information to file false insurance claims as well as to buy medical equipment and drugs using a fake ID. These products are then easily sold on the black market," Harit says. "What makes medical data more lucrative than the financial data is the low and slow detection rate of the fraud itself. While a credit card fraud can be detected and blocked in a matter of minutes these days, medical data fraud can go undetected for months, if not more."

Harit has notified the affected IV infusion pump and digital smart pen vendors of the vulnerabilities, which have patched the flaws, Harit says he will not reveal the names of the companies or their devices.

Smart Pen Problems

"By far the most surprising thing we came across in our research was the amount of patient information that was available with the digital smart pen," Harit says. "We felt even if we breached it, we would not get a lot of information off of it because the healthcare organization said they did not store patient information on the device."

Doctors use digital smart pens to prescribe medications for patients and that information is then digitally transmitted to pharmacies with the patient's name, address, phone number, health records, and other medical information.

But after reverse-engineering the digital smart pen, Harit found a cache of information. First he peered into the device's underlying operating system by simply connecting a monitor to the device through a serial interface.

Then, by exploiting network protocols, he obtained low-privilege access to the device. After exploiting its software and services to bypass the device's security checks and lock-down mode, he was able to gain administrative access.