Automated drug cabinets have 1400+ critical vulns that will never be patched



#2

“critical vulns”

Brings a not so pretty picture to my mind.


#3

really did us a favor by saving those 10 letters.


#4

Wow, what could possibly go wrong.
Of course the other problem is the cost: replacing that kind of thing is expensive. Yeah, a PC and a copy of Windows is cheap enough, but replacing the software, that is the $$$.
I felt bad for some lab guys who had vendor specific stuff that required direct connection to the lab hardware when the server died. It was a vendor supplied image that we could not rebuild for them and the vendor had since been bought out and retired that product well before the drive controller went tits up and b0rk3d the array beyond repair.
We had no way to fix anything for them.

ETA it was a nightmare just getting the hardware fixed as it was not the standard vendor for a server but who we use for desktop and things kept getting passed back and forth.


#5

It should have never been connected to the public internet. I can only think of one reason: a shitty manufacturer with a shitty remote maintenance solution (it’s a mess, and most medical diagnostic suppliers don’t even see the problem).


#6

Now pharmacy techs will need to be educated about filling scripts for Vicodin'); DROP TABLE Drugs;--


#7

I used to contract for Abbott Laboratories. We were writing the software for the AxSym2, a blood and urinalysis device that tells people whether or not they have life threatening diseases.

They didn’t follow even the most basic good practices for software development. The company culture was shite; there was important work that should have been done to ensure the software was bug-free, but instead we were called in to 20 person no-agenda meetings to make the manager feel good.

I had no comfort level that I wasn’t contributing to someone’s death and no idea how to fix their problems, so I quit after two months, by far the shortest period I’ve worked anywhere as an engineer.


#8

Because good IT costs money and nobody wants to spend it ’cause PROFITS.


#10

Abbott’s software is one of the better ones in the IVD industry. They at least try to follow the interface protocol standards.


#11

Did no one ever question the wisdom of hooking up that most technologically difficult to manage storage device, the cabinet, to a computer and OS? Does loss prevention/inventory management really outweigh all the other downsides and costs?


#12

I used to use those Pyxis machines when I was a nurse. Even new, you could totally jimmy what you wanted out of them. For me it was usually O2 hoses and whatnot for patients not in the system. At two facilities their narcs were always off in them. Seemed like a mess to me.


#13

Always forgetting the Amazon links on the best stuff! 😜

But how will little Bobby Tables get his inhaler?

Vulns… sounds like a reproductive anatomy term. 🙂


#14

The good old ‘cash register’ was probably the earliest “Let’s add a bunch of complexity to a simple cabinet” attempt, and that was because cabinets that store cash have a nasty habit of having their contents go wandering off.

I’d imagine that, with the mixture of expensive, addictive, and expensive-and-addictive contents that hospital cabinets contain, they’d have similar reasons.


#15

I’ve also only worked somewhere that had them once. They might be easy to bypass, but I took to carrying a pocket full of “I need these now” drugs around in my pocket every shift to avoid the login process and rather than run the risk of being locked out. Which is undoubtedly less safe than having a key to a drug cupboard …

I’m pretty sure the real underlying reason for such automated cabinets is to try to reduce the workforce. Healthcare is highly labour intensive. So if I, as a prescriber, can both access controlled drugs without having to involve another person and still abide by the double checking rules (to ensure I’m not dipping into the supply) while leaving an independent record of both, then maybe the hospital can make a few nurses and technicians redundant or spread them thinner and save on wages?


#16

OMG! Until you posted, I had forgotten the constant locked-out issues. It was totally pointless to have it when we were locked out constantly and always using everyone else’s ID to get stuff we needed. I knew nurses that kept things in their pockets for the shift, like suppositories and minor meds.

I think you are right. It’s about reduced workforce. Yet I recall that at the last facility I worked with one, they had nurses pulling extra hours to stock and sort out what was missing all the time.


#17

They could always rework them and move them to the hospital cafeterias…


#18

It’s primarily about eliminating human error, which can lead to serious health complications and death. Even if people are exploiting these vulnerabilities to steal drugs, these cabinets are still probably saving lives and so on balance I’d still say they’re an improvement over “analog” cabinets, where you can steal the drugs even more easily but also fuck up and kill people.

Personally, what gets me in all this is that I think it’s really shitty that the supplier can just end-of-life such an expensive and important piece of equipment and refuse to provide continued support. It’s bad enough when I can’t buy bags for my vacuum cleaner any more, but this is critical medical equipment. Part of the problem is that they build their software on top of proprietary Microsoft OSes that expire with poor backwards compatibility, but that’s no excuse. If I had my way, this is something that would be regulated. If you’re selling hardware, the software must be open-source all the way down.

“End of life” is such bullshit when the physical item is still in good working order; it’s a scam to force consumers into buying upgrades they don’t need.


#19

It could only be an improvement. 😞


#20

It isn’t so much that, as much as that if there are hardware issues they will have to scavenge from other machines, as it just isn’t made anymore. Mind you, computing power for most things is way more than enough, and manufacturing runs should be for a longer term, doubly so for this kind of thing.