The hacking of medical devices is a huge concern due to its potential to harm patients and wreak havoc on health systems. On April 14 at the Association of Health Care Journalists health journalism conference at the Pointe Hilton Tapatio Cliffs Resort in Phoenix, a panel including an industry consultant, academic expert, and physician addressed the risk of medical device hacking to patient safety.
Historically, medical devices weren’t susceptible to remote attacks because they did not have network connectivity. Now, network connectivity is pervasive, and the threat of hacks and malware are significant, both in terms of patient health and the cost of recalls, says Roman Lysecky, associate professor of electrical and computer engineering at the University of Arizona. Just last year, The FDA recalled half a million implantable pacemakers due to security vulnerabilities “which could result in patient harm from battery depletion or administration of inappropriate pacing.”
In best case scenarios, says Lysecky, white or gray hat hackers find and report these vulnerabilities, the device manufacturers develop a fix and disclose the vulnerability, the healthcare providers facilitate the fix, and the patient uses the updated or replaced device. But the worst-case scenario might involve black hat hackers finding the vulnerability and publicly disclosing it, demanding ransom, or even harming patients—in which case, the device manufacturer won’t learn of the vulnerability until after an attack.
Developing and deploying appropriate fixes can take months to years, so attackers have a head start. That’s why Lysecky and others are researching ways to address security and privacy throughout the product lifecycle and looking at ways to build resilience into devices. Medical devices can be built to detect threats such as hacks, breaches or malware, and automatically mitigate those threats. It could switch to a “safe” mode providing only essential functionality.
May Wang, CTO of IoT security solution Zingbox, points out that healthcare is the most hacked industry. The main challenges are inventory, security, and operations. Unfortunately, most hospitals don’t have a good handle on their inventory or know how many devices they have, who is in charge of those devices, and which are connected to a network. Wang says one of the biggest culprits accounting for 41 percent of security issues in medical devices is user practice issues such as rogue applications or browser usage: think people using hospital devices developed strictly for medical usage, such as X-ray computers, to surf the web or play Pokémon Go.
Outdated operating systems are also an issue, as well as people not downloading security patches and updates. Three device types, Infusion pumps, imaging systems, and patient monitors, account for the vast majority of security issues. The dominant vulnerability is different for each type of medical device. For much more information, see Zinbox’s medical devices threat report, and the Health Care Cybersecurity Industry Task Force report: https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf.
Jeff Tully, M.D., resident anesthesiologist at the University of California-Davis Medical Center, pointed out that hackers aren’t just targeting medical devices or trying to steal personal information, but are also targeting entire system to try to affect hospital operations and patient safety. This can lead to reduced patient confidence, delays in emergency care, increased mortality, and, of course, cost expenditures.
Tully participated in a collaborative conference with CyberMed Summit last June. The conference includes clinical simulations to raise awareness and education of medical device hacking, among other things. Another CyberMed Summit will be taking place this December.