Healthcare system and patient cyberattacks continue to increase significantly, exposing vulnerabilities in information technology and network-connected diagnostic equipment. In fact, a report published by NetScout1, shows that attacks on hospitals and physicians’ offices increased as much as 1,400% from 2017 to 2018 as cybercriminals continue to find success exploiting internal healthcare networks.
Besides more network data breaches, the ever-increasing number of network-connected bedside medical devices poses the potential of direct harm to patients. The increased reliance on information technology to run operations and diagnostic equipment has exposed the vulnerability of hospital networks to hackers and malicious operators.
Recent cyberattacks on healthcare systems have resulted in the shutdown of entire networks disrupting critical infrastructure and the functioning of diagnostic equipment. The May 2017 WannaCry hack illustrates how ransomware can impact healthcare organizations, and continues to do so. At least two years after the 2017 WannaCry attack, 40% of healthcare organizations suffered an additional WannaCry attack according to internet of things security provider Armis.2 Armis attributes this to the large number of older or unmanaged devices among healthcare organizations, which are difficult to patch due to operational complexities. According to Armis, WannaCry clearly demonstrates the frightening potential that unpatched vulnerabilities have on such devices
In June 2017, the U.S. Health Care Industry Cybersecurity Task Force published its report stating that healthcare cybersecurity was a key public health concern that needed immediate and aggressive attention.3 With the increasing reliance on information technology, patient safety and care could be jeopardized if IT and networked medical device vulnerabilities are not addressed. The report references an advisory released by Cyber Infrastructure on the known cyber vulnerabilities of one legacy (older) medication dispensing system (Pyxis SupplyStation) – a legacy system with more than 1,400 vulnerabilities.4
Against this backdrop, medical devices with known cyber vulnerabilities will continue to be exploited by cybercriminals. Hackers may not only recover patient health information, but they can also “weaponize” medical devices to cause direct patient harm.
Medical Device Cyber Risk
Any medical device connected to the internet is at risk of a cyberattack, and devices that receive and transmit data are the most vulnerable. However, according to the U.S. Food and Drug Administration (FDA) understanding the magnitude of a device’s vulnerability may only become known after the5:
- Device is more widely distributed and used (e.g., in-home)
- Patient population using the device is more diverse
- Device is used by a broader range of clinicians
Further, ineffective and lack of stringent security features in legacy IT hardware and software has been exposed by cyberattacks (such as WannaCry) and security researchers.
Some wirelessly capable network-connected devices, which receive and transmit sensitive patient information, have already been breached by security researchers. Other devices are being evaluated, too, as the potential is there. Medical devices with known security vulnerabilities include pacemakers, drug infusion pumps, MRI systems, internal cardiac defibrillators and hospital networks. There is tension among clinicians who want access to patient data in real-time to make clinical decisions, such as issuing therapeutic commands, which can have an impact on patient outcomes.
Exploring Connected Medical Device Risk
The FDA recalled almost half a million specific implantable Accent MRI pacemakers made by Abbott (formerly St. Jude Medical) in August 2017. MedSec6, a medical device research firm, discovered the cyber weaknesses through its penetration testing services (break-and-enter hacking) that lives could be endangered by remotely causing the batteries in pacemakers to go flat or forcing the life-saving devices to run at potentially deadly speeds.
To ensure security, patients needed to go to hospitals and clinics to have medical staff update their firmware to patch security holes. While no invasive surgery was needed, the update could only be installed by trained medical staff. For every patient with a pacemaker, the risk of possible hacking must be balanced against the benefit of remote monitoring.
Any pacemakers with connectivity can potentially be hacked. While there have been no reported cases of malicious intent so far, security enhancements for pacemakers and other implantable devices are being addressed by manufacturers and regulatory authorities through firmware updates.
Medication Infusion Pumps
Medication infusion pumps are used to deliver high-hazard medications such as narcotics, insulin and chemotherapy in accordance with pre-programmed pump settings. In September 2017, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)7 identified security vulnerabilities in a number of Medfusion 4000 Wireless Syringe Infusion Pumps, which are used worldwide. Eight security vulnerabilities were found that could allow a remote hacker to exploit the intended operation of a pump including the administration of a fatal overdose of medication.
Some of the specific high-severity security flaws identified:
- The use of hard-coded credentials (usernames and passwords)
- Authentication gaps
- Certification validation issues
The WannaCry ransomware attack of 2017 infected the Bayer Medrad medical device that injects a contrast agent to a patient. This is the first known instance of ransomware directly affecting a medical device in the U.S. When Bayer was notified of the hack, it sent out a Microsoft patch for the imaging equipment and all of its other Windows-based devices.
Because the infected machines stopped working, there was no direct clinical harm to patients. A service disruption of 24 hours in device availability can result in the inability of a hospital to deliver time-sensitive care (such as for stroke patients), the delivery of suboptimal treatment, and/or an increase in resource needs.
Managing Cybersecurity Threats and Protecting Patients
The medical device industry is driven by fast-paced and continued innovation and evolution of its products. The continued improvement and creation of new devices to optimize clinical care comes with increased cybersecurity risks to both healthcare networks and systems, and potential harm to patients. Although newer generations of medical devices have more robust security features, legacy devices operating in hospitals may be entirely unsecured. Wirelessly capable medical devices that connect wirelessly to other equipment can be compromised.
For those charged with managing cybersecurity threats, the U.S. Department of Health and Human Services’ industry guidance8 might be a useful starting point for healthcare organizations to both understand cybersecurity risks and to implement basic cybersecurity practices to thwart the risk. Four volumes are part of the guidance:
1. The Main Document
2. A technical volume of cybersecurity practices for small healthcare organizations
3. A technical volume of cybersecurity practices for medium and large healthcare organizations
4. A resources and templates volume
The volumes take the reader from generic information of cybersecurity in the main volume to technical volumes with specific practices for healthcare organizations based on their size, complexity and type.
1NetScout Systems Inc. (2019). Dawn of the Terrorbit Era – Findings from the Second Half of 2018. Retrieved at https://www.netscout.com/sites/default/files/2019-02/SECR_001_EN-1901%20-%20NETSCOUT%20Threat%20Intelligence%20Report %202H%202018.pdf
2Armis, Inc. Two Years In: WannaCry Still Unmanageable. https://armis.com/wannacry/
3Department of Health and Human Services (HHS). 2017). Report On Improving Cybersecurity In The Health Care Industry. retrieved from https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf
4US Department of Homeland Security, Cyber Infrastructure (CISA). (2016, rev. 2017). Advisory (ICSMA-16-089- 01) CareFusion Pyxis SupplyStation System Vulnerabilities. Retrieved from https://ics-cert.us-cert.gov/advisories/ICSMA-16-089 -01
5FDA. (April 2018). Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health. Retrieved from https://www.fda.gov/media/112497/download
6FDA, Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication; August 29, 2017, retrieved from https://www.fda.gov/medical- devices/safety-communications/firmware-update-address-cybersecurity-vulnerabilities-identified-abbotts-formerly-st-jude- medicals
7CISA. (2017). Medical Advisory (ICSMA-17-250-02A), Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities (Update A). Retrieved from https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02A
8Department of Health and Human Services. (2017). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. Retrieved at https://www.phe.gov/Preparedness/planning/405d/Pages/default.aspx-508.pdf