Two Minute Tips

The lurking danger of medical device hackers

May 23, 2018

Share this article:

As more and more technology is integrated into medicine, health care has become one of the most hacked industry. (Photo Credit: Pixabay.com user rawpixel)

The hacking of medical devices is a huge concern due to its potential to harm patients and wreak havoc on health systems. On April 14 at the Association of Health Care Journalists health journalism conference at the Pointe Hilton Tapatio Cliffs Resort in Phoenix, a panel including an industry consultant, academic expert, and physician addressed the risk of medical device hacking to patient safety.

Historically, medical devices weren’t susceptible to remote attacks because they did not have network connectivity. Now, network connectivity is pervasive, and the threat of hacks and malware are significant, both in terms of patient health and the cost of recalls, says Roman Lysecky, associate professor of electrical and computer engineering at the University of Arizona. Just last year, The FDA recalled half a million implantable pacemakers due to security vulnerabilities “which could result in patient harm from battery depletion or administration of inappropriate pacing.”

In best case scenarios, says Lysecky, white or gray hat hackers find and report these vulnerabilities, the device manufacturers develop a fix and disclose the vulnerability, the healthcare providers facilitate the fix, and the patient uses the updated or replaced device. But the worst-case scenario might involve black hat hackers finding the vulnerability and publicly disclosing it, demanding ransom, or even harming patients—in which case, the device manufacturer won’t learn of the vulnerability until after an attack.

Developing and deploying appropriate fixes can take months to years, so attackers have a head start. That’s why Lysecky and others are researching ways to address security and privacy throughout the product lifecycle and looking at ways to build resilience into devices. Medical devices can be built to detect threats such as hacks, breaches or malware, and automatically mitigate those threats. It could switch to a “safe” mode providing only essential functionality.

May Wang, CTO of IoT security solution Zingbox, points out that healthcare is the most hacked industry. The main challenges are inventory, security, and operations. Unfortunately, most hospitals don’t have a good handle on their inventory or know how many devices they have, who is in charge of those devices, and which are connected to a network. Wang says one of the biggest culprits accounting for 41 percent of security issues in medical devices is user practice issues such as rogue applications or browser usage: think people using hospital devices developed strictly for medical usage, such as X-ray computers, to surf the web or play Pokémon Go.

Outdated operating systems are also an issue, as well as people not downloading security patches and updates. Three device types, Infusion pumps, imaging systems, and patient monitors, account for the vast majority of security issues. The dominant vulnerability is different for each type of medical device. For much more information, see Zinbox’s medical devices threat report, and the Health Care Cybersecurity Industry Task Force report: https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf.

Jeff Tully, M.D., resident anesthesiologist at the University of California-Davis Medical Center, pointed out that hackers aren’t just targeting medical devices or trying to steal personal information, but are also targeting entire system to try to affect hospital operations and patient safety. This can lead to reduced patient confidence, delays in emergency care, increased mortality, and, of course, cost expenditures.

Tully participated in a collaborative conference with CyberMed Summit last June. The conference includes clinical simulations to raise awareness and education of medical device hacking, among other things. Another CyberMed Summit will be taking place this December.

More Like This...

Two Minute Tips

Sign up now.
Get one Tuesday.

Every Tuesday we send out a quick-read email with tips for business journalism.

Subscribers also get access to the Tip archive.

Get Two Minute Tips For Business Journalism Delivered To Your Email Every Tuesday

Two Minute Tips

Every Tuesday we send out a quick-read email with tips for business journalism. Sign up now and get one Tuesday.

Our New Look
The Reynolds Center for Business Journalism is starting 2023 with a new look that we hope better illustrates our core mission to provide accurate and authoritative resources about business journalism, in order to help both reporters and news consumers understand the importance of business news and to demystify the sometimes arcane topics it covers.
Businesses, markets, and economies move in cycles – ups and downs – which is why our new logo contains a “candlestick” chart representing increases as well as downturns, and serves as a reminder that volatility is an unavoidable attribute of modern life. But it’s also possible to prepare for volatility by being well informed, and informing the general public to help level the information playing field is the primary goal of business journalism. The Reynolds Center is committed to supporting that goal, which is why the candlestick pattern in our logo merges directly into the name of our founding sponsor, Donald W. Reynolds.
Our new logo comes with a shorter name. Business is borderless, and understanding the global links in supply chains, trade, and flows of funds and people is essential to make sense of our fast-paced, globalized world. So we’re dropping the word “National” from our name and will aim to provide content that is applicable to business news globally.
We hope you like the new look. Best wishes for 2023!