Dick Cheney ordered changes to his pacemaker to better protect it from hackers. Johnson & Johnson had to warn customers about a security bug in one of its insulin pumps. And St. Jude spent months in 2017 dealing with the fallout of vulnerabilities in some of the company's defibrillators, pacemakers, and other medical electronics. You'd think by now medical device companies would have learned a lesson about electronic security on medical devices.
Experts warn they haven't.
The FDA allows network-enabled medical devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks. The increased use of wireless technology and software in medical devices can improve health care and increase the ability of health care providers to effectively track and treat their patients, but it also increases the potential dangers of cybersecurity threats.
Technologically advanced medical devices, like any other device that relies on a computer network, can be vulnerable to security breaches. Unlike security breaches that impact people’s data, privacy, or finances, outside interference with medical devices is particularly frightening because it can impact the health and safety of a patient, or even of multiple patients.
Cybersecurity vulnerabilities are difficult to study, but a recent anonymous survey of executives from some of the largest medical device vendors and provider organizations shows that anywhere from 100 to 1000 patients have been harmed in some way due to “an unreported adverse event associated with a medical device cybersecurity vulnerability”.
Yet 20 percent of the survey respondents did not implement any new policies based on the FDA’s cybersecurity guidance, which includes guidelines for meeting mandatory system quality regulations. The same percentage said they don’t plan to implement any new policies. Eight in ten respondents said medical cybersecurity risks are higher than the media perceives them to be.
As hackers learn more about taking advantage of historically lax security on embedded medical devices, defending these instruments has taken on a new level of urgency. Patients need to be protected so that attackers can’t, for example, hack an insulin pump to administer a fatal dose, but there is also the fact that these vulnerable medical devices are generally connected to a huge array of sensors and monitors, which in turn creates a potential entry point to the entire hospital network. This can easily lead to theft of sensitive medical records, or to devastating ransomware attacks in which vital systems are “held hostage” until hospital administrators pay up.
More than 36,000 healthcare-related items in the US alone are easily discoverable on a well-known search engine for connected devices, according to another survey by Miami-based Trend Micro. Not all are necessarily vulnerable to attack, but since they are publicly exposed, they are not hard for attackers to target. Research also shows that a non-trivial portion of exposed healthcare systems still use outdated operating systems, which can make them vulnerable. For example, 3 percent of exposed devices still used Windows XP, the retired Microsoft operating system that no longer receives security updates.
The diversity of device types and the lack of concern for security in the early days of networked devices often leave them easily compromised. Currently, an exploit known as MedJack, in which attackers inject malware into medical devices and then fan out across a healthcare network, is being used more often by cybercriminals. The data discovered in these types of attacks can be used for tax fraud or identity theft, and can even be utilized to track active drug prescriptions, enabling hackers to order unauthorized refills online to re-sell on the dark web.
Hackers are used to moving fast and evolving with technology. The medical field is not. As healthcare systems became aware of MedJack and attempted to block it, the attackers behind it adopted new, more sophisticated approaches. Now they are using emulation technology to insert fake medical devices on hospital networks, impersonating things like CT scanners, and intentionally using old malware to target their assaults at medical devices running outdated operating systems. These attacks frequently go undetected, as they do not impact the machines running newer operating systems that have protection against this malware. And no one is thinking about a CT scanner or an MRI machine as a launchpad for a broader attack.
Addressing these risks is particularly challenging. Since the risk cannot be entirely eliminated, these threats must be monitored and managed by everyone responsible for the device, from manufacturers and hospitals to care professionals and even patients. There is a need to balance protecting patient safety and promoting the development of innovative technologies and improved device performance.
Emerald Coast Medical Association knows how important it is to keep track of trends and changes in technology as they impact the healthcare field. We value the potential of technology to spread information and bring us together, but we also value the strength and ability of the human network. Our individual members each bring their unique skill set to the group, adding to the potential and knowledge base of the ECMA as a whole. What could you add to our network? We welcome the chance to find out.
ECMA Members have exclusive access to cyber insurance protection through our insurance partner.