Hospital Gear Could Save Your Life Or Hack Your Identity
Bloomberg Businessweek|November 16 - November 22, 2015
These devices can save your life - or steal your identity.
Monte Reel and Jordan Robertson

In the fall of 2013, Billy Rios flew from his home in California to Rochester, Minn., for an assignment at the Mayo Clinic, the largest integrated nonprofit medical group practice in the world. Rios is a “white hat” hacker, which means customers hire him to break into their own computers. His roster of clients has included the Pentagon, major defense contractors, Microsoft, Google, and some others he can’t talk about. He’s tinkered with weapons systems, with aircraft components, and even with the electrical grid, hacking into the largest public utility district in Washington state to show officials how they might improve public safety. The Mayo Clinic job, in comparison, seemed pretty tame. He assumed he was going on a routine bug hunt, a week of solo work in clean and quiet rooms.

But when he showed up, he was surprised to find himself in a conference room full of familiar faces. The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.

Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers. For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.

“Every day, it was like every device on the menu got crushed,” Rios says. “It was all bad. Really, really bad.” The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on.

The Mayo Clinic emerged from those sessions with a fresh set of security requirements for its medical device suppliers, requiring that each device be tested to meet standards before purchasing contracts were signed. Rios applauded the clinic, but he knew that only a few hospitals in the world had the resources and influence to pull that off, and he walked away from the job with an unshakable conviction: Sooner or later, hospitals would be hacked, and patients would be hurt. He’d gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve.

“Someone is going to take it to the next level. They always do,” says Rios. “The second someone tries to do this, they’ll be able to do it. The only barrier is the goodwill of a stranger.”

Rios lives on a quiet street in Half Moon Bay, a town about 25 miles south of San Francisco, pressed against a rugged curl of coastline where scary, 50-foot waves attract the state’s gutsiest surfers. He’s 37, a former U.S. Marine and veteran of the war in Iraq. In the Marines, Rios worked in a signals intelligence unit and afterward took a position at the Defense Information Systems Agency. He practices jiu-jitsu, wanders the beach in board shorts, and shares his house with his wife, a 6-year-old daughter, and a 4-year-old son. His small home office is crowded with computers, a soldering station, and a slew of medical devices.

Shortly after flying home from the Mayo gig, Rios ordered his first device—a Hospira Symbiq infusion pump. He wasn’t targeting that particular manufacturer or model; he simply happened to find one posted on eBay for about $100. It was an odd feeling, putting it in his online shopping cart. Was buying one of these without some sort of license even legal? he wondered. Is it OK to crack this open?

Infusion pumps can be found in almost every hospital room, usually affixed to a metal stand next to the patient’s bed, automatically delivering intravenous drips, injectable drugs, or other fluids into a patient’s bloodstream. Hospira, a company that was bought by Pfizer this year, is a leading manufacturer of the devices, with several different models on the market. On the company’s website, an article explains that “smart pumps” are designed to improve patient safety by automating intravenous drug delivery, which it says accounts for 56 percent of all medication errors.

Rios connected his pump to a computer network, just as a hospital would, and discovered it was possible to remotely take over the machine and “press” the buttons on the device’s touchscreen, as if someone were standing right in front of it. He found that he could set the machine to dump an entire vial of medication into a patient. A doctor or nurse standing in front of the machine might be able to spot such a manipulation and stop the infusion before the entire vial empties, but a hospital staff member keeping an eye on the pump from a centralized monitoring station wouldn’t notice a thing, he says.

In the spring of 2014, Rios typed up his findings and sent them to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). In his report, he listed the vulnerabilities he had found and suggested that Hospira conduct further analysis to answer two questions: Could the same vulnerabilities exist in other Hospira devices? And what potential consequences could the flaws present for patients? DHS in turn contacted the Food and Drug Administration, which forwarded the report to Hospira. Months passed, and Rios got no response from the manufacturer and received no indication that government regulators planned to take action.

“The FDA seems to literally be waiting for someone to be killed before they can say, ‘OK, yeah, this is something we need to worry about,’ ” Rios says.

Rios is one of a small group of independent researchers who have targeted the medical device sector in recent years, exploiting the security flaws they’ve uncovered to dramatic effect. Jay Radcliffe, a researcher and a diabetic, appeared at the 2011 Def Con hacking conference to demonstrate how he could hijack his Medtronic insulin pump, manipulating it to deliver a potentially lethal dose. The following year, Barnaby Jack, a hacker from New Zealand, showed attendees at a conference in Australia how he could remotely hack a pacemaker to deliver a dangerous shock.

In 2013, Jack died of a drug overdose one week before he was scheduled to attend Black Hat, where he promised to unveil a system that could pinpoint any wirelessly connected insulin pumps within a 300-foot radius, then alter the insulin doses they administered.
