Cyberattacks on healthcare systems and patients continue to
increase significantly, exposing vulnerabilities in information technology and
network-connected diagnostic equipment. In fact, a report published by NetScout1
shows that attacks on hospitals and physicians’ offices increased as much as
1,400% from 2017 to 2018 as cybercriminals continue to find success exploiting
internal healthcare networks.
Besides more network data breaches, the ever-increasing
number of network-connected bedside medical devices poses the potential of
direct harm to patients. The increased reliance on information technology to
run operations and diagnostic equipment has exposed the vulnerability of
hospital networks to hackers and malicious operators.
Recent cyberattacks on healthcare systems have resulted in
the shutdown of entire networks, disrupting critical infrastructure and the
functioning of diagnostic equipment. The May 2017 WannaCry hack illustrates how
ransomware can impact healthcare organizations, and it continues to do so. At
least two years after the 2017 WannaCry attack, 40% of healthcare organizations
suffered an additional WannaCry attack, according to Internet of Things security
provider Armis.2 Armis attributes this to the large number of older or
unmanaged devices among healthcare organizations, which are difficult to patch
due to operational complexities. According to Armis, WannaCry clearly
demonstrates the frightening potential that unpatched vulnerabilities have on such
In June 2017, the U.S. Health Care Industry Cybersecurity
Task Force published its report stating that healthcare cybersecurity was a key
public health concern that needed immediate and aggressive attention.3 With the
increasing reliance on information technology, patient safety and care could be
jeopardized if IT and networked medical device vulnerabilities are not
addressed. The report references an advisory released by Cyber Infrastructure
on the known cyber vulnerabilities of one legacy (older) medication dispensing
system (Pyxis SupplyStation) – a legacy system with more than 1,400
Against this backdrop, medical devices with known cyber
vulnerabilities will continue to be exploited by cybercriminals. Hackers may
not only recover patient health information, but they can also “weaponize”
medical devices to cause direct patient harm.
Medical Device Cyber Risk
Any medical device connected to the internet is at risk of a
cyberattack, and devices that receive and transmit data are the most
vulnerable. However, according to the U.S. Food and Drug Administration (FDA),
understanding the magnitude of a device’s vulnerability may only become known
Device is more widely distributed and used (e.g., in-home)
Patient population using the device is more diverse
Device is used by a broader range of clinicians
Further, the ineffectiveness and lack of stringent security features
in legacy IT hardware and software have been exposed by cyberattacks (such as
WannaCry) and security researchers.
Some wirelessly capable network-connected devices, which
receive and transmit sensitive patient information, have already been breached
by security researchers. Other devices are being evaluated, too, as the
potential is there. Medical devices with known security vulnerabilities include
pacemakers, drug infusion pumps, MRI systems, internal cardiac defibrillators
and hospital networks. There is tension among clinicians who want access to
patient data in real-time to make clinical decisions, such as issuing
therapeutic commands, which can have an impact on patient outcomes.
Exploring Connected Medical Device Risk
The FDA recalled almost half a million specific implantable
Accent MRI pacemakers made by Abbott (formerly St. Jude Medical) in August
2017. MedSec6, a medical device research firm, discovered through its
penetration testing services (break-and-enter hacking) cyber weaknesses that
could endanger lives by remotely causing the batteries in pacemakers to go flat
or forcing the life-saving devices to run at potentially deadly speeds.
To ensure security, patients needed to go to hospitals and
clinics to have medical staff update their firmware to patch security holes.
While no invasive surgery was needed, the update could only be installed by
trained medical staff. For every patient with a pacemaker, the risk of possible
hacking must be balanced against the benefit of remote monitoring.
Any pacemakers with connectivity can potentially be hacked.
While there have been no reported cases of malicious intent so far, security
enhancements for pacemakers and other implantable devices are being addressed
by manufacturers and regulatory authorities through firmware updates.
Medication Infusion Pumps
Medication infusion pumps are used to deliver high-hazard
medications such as narcotics, insulin and chemotherapy in accordance with
pre-programmed pump settings. In September 2017, the Industrial Control Systems
Cyber Emergency Response Team (ICS-CERT)7 identified security vulnerabilities
in a number of Medfusion 4000 Wireless Syringe Infusion Pumps, which are used
worldwide. Eight security vulnerabilities were found that could allow a remote
hacker to exploit the intended operation of a pump including the administration
of a fatal overdose of medication.
Some of the specific high-severity security flaws identified:
The use of hard-coded credentials (usernames and passwords)
Certificate validation issues
The WannaCry ransomware attack of 2017 infected the Bayer
Medrad medical device that injects a contrast agent into a patient. This is the
first known instance of ransomware directly affecting a medical device in the
U.S. When Bayer was notified of the hack, it sent out a Microsoft patch for the
imaging equipment and all of its other Windows-based devices.
Because the infected machines stopped working, there was no
direct clinical harm to patients. A service disruption of 24 hours in device
availability can result in the inability of a hospital to deliver
time-sensitive care (such as for stroke patients), the delivery of suboptimal
treatment, and/or an increase in resource needs.
Managing Cybersecurity Threats and Protecting Patients
The medical device industry is driven by fast-paced and
continued innovation and evolution of its products. The continued improvement
and creation of new devices to optimize clinical care comes with increased
cybersecurity risks to both healthcare networks and systems, and potential harm
to patients. Although newer generations of medical devices have more robust
security features, legacy devices operating in hospitals may be entirely
unsecured. Wirelessly capable medical devices that connect to other
equipment can be compromised.
For those charged with managing cybersecurity threats, the
U.S. Department of Health and Human Services’ industry guidance8 might be a
useful starting point for healthcare organizations to both understand
cybersecurity risks and to implement basic cybersecurity practices to thwart
the risk. Four volumes are part of the guidance:
1. The Main Document
2. A technical volume of cybersecurity practices for small
3. A technical volume of cybersecurity practices for medium
and large healthcare organizations
4. A resources and templates volume
The volumes take the reader from generic information on
cybersecurity in the main volume to technical volumes with specific practices
for healthcare organizations based on their size, complexity and type.
1 NetScout Systems Inc. (2019). Dawn of the Terrorbit Era –
Findings from the Second Half of 2018. Retrieved at
2 Armis, Inc. Two Years In: WannaCry Still Unmanageable.
3 Department of Health and Human Services (HHS). (2017).
Report On Improving Cybersecurity In The Health Care Industry. Retrieved from
4 US Department of Homeland Security, Cyber Infrastructure
(CISA). (2016, rev. 2017). Advisory (ICSMA-16-089-01) CareFusion Pyxis
SupplyStation System Vulnerabilities. Retrieved from
5 FDA. (April 2018). Medical Device Safety Action Plan:
Protecting Patients, Promoting Public Health. Retrieved from
6 FDA, Firmware Update to Address Cybersecurity
Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's)
Implantable Cardiac Pacemakers: FDA Safety Communication; August 29, 2017,
retrieved from https://www.fda.gov/medical-devices/safety-communications/firmware-update-address-cybersecurity-vulnerabilities-identified-abbotts-formerly-st-jude-
7 CISA. (2017). Medical Advisory (ICSMA-17-250-02A), Smiths
Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities (Update
A). Retrieved from https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02A
8 Department of Health and Human Services. (2017). Health
Industry Cybersecurity Practices: Managing Threats and Protecting Patients.
Retrieved at https://www.phe.gov/Preparedness/planning/405d/Pages/default.aspx-508.pdf