Since 2015, the FDA and the US Department of Homeland Security have been releasing warnings about products whose vulnerabilities threaten patient safety. These include MRI machines and drug infusion pumps that supply patients with a wide variety of drugs, including insulin, antibiotics, chemotherapy drugs, and pain relievers. The interconnectivity of smart devices with medical clinical systems leaves them vulnerable to security breaches just like any other networked computing system. If hackers succeed in tampering with medical devices, patient safety is at risk.
Why Are Medical Devices Vulnerable?
Updating equipment can be complicated, with long delays before patches arrive and difficulty finding a convenient time to apply them, so many hospitals are still running legacy operating systems that are no longer supported. Many medical devices have since been retrofitted so they can be networked, enabling real-time data sharing with relevant systems for process automation and remote management by vendors. If a product is no longer receiving updates for known vulnerabilities, it could provide an entry or pivot point into a healthcare provider’s network, putting patient safety and service availability at risk.
Connected devices can also be adversely affected when a hacker intrudes into a hospital’s internal computer network to steal sensitive patient data. WannaCry, a ransomware worm that resulted in more than $100 million in damages and wasn’t even designed to target hospitals, infected a Bayer Medrad device used to help improve the quality of magnetic resonance imaging (MRI) scans.
In addition to the direct impact on medical devices, over 19,000 appointments needed to be rescheduled. A recent Vanderbilt study found that as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined following a cybersecurity attack, due to delays in treatment. For example, the researchers found that it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram following cybersecurity attacks.
The risk is real and increasing all the time. Recently there were two FDA reports of devices presenting potential harm, including Medtronic MiniMed™ insulin pumps, and telemetry technology used for communications between Medtronic’s implantable cardiac devices, clinic programmers, and home monitors that provide pacing for heart rhythms. Other vulnerabilities reported include URGENT/11 in VxWorks; EternalBlue on Microsoft Windows; NotPetya, based on the same EternalBlue package as WannaCry; Sodinokibi malware on Microsoft Windows 7-10; and SACK Panic, which resides in the TCP stack of the Linux kernel.
In many cases, even a simple intrusion into a hospital’s internal IT network can negatively impact medical device operations because the devices are so vulnerable. Hacking into a medical device doesn’t require sophisticated software or specialized expertise. Two Austrian patients managed to tamper with their own infusion pumps to increase their dosage of morphine.
Lack of Transparency
Not all device-related malfunctions are reported, so it’s difficult to know the full impact of malfunctioning devices on patient care. The FDA requires that device manufacturers report product defects, but healthcare providers rarely track their medical device performance effectively. As a result, device problems and their root causes often go unreported once devices are deployed.
In addition, the FDA has built and expanded a vast and hidden repository of reports on device-related injuries and malfunctions. Since 2016, at least 1.1 million incidents have flowed into the internal “alternative summary reporting” repository, instead of being described individually in the public database known as MAUDE, which medical experts trust to identify problems that could put patients in jeopardy. Without full transparency, it is impossible to know how many of these devices’ faults were potentially due to tampering with the hospital’s internal network.
Healthcare organizations also have practical challenges that can prevent full disclosure of device failures. Overworked caregivers often yank out a malfunctioning device and replace it without going through the recommended security procedures for investigating the underlying causes of the problem. Because medical device security falls between biomedical engineering and IT departments, it can be difficult to keep track of medical devices that have malfunctioned due to a security incident. Often, institutions that have transparency into the impact of malfunctioning devices are not prepared to make this information public, preventing the industry from having a realistic assessment of the full impact.
There are steps healthcare organizations can take to gain better visibility into medical device operations. Healthcare providers can maintain an up-to-date centralized repository of all their medical devices. Automated systems can poll all the devices on the network to keep the inventory complete and up to date. The role of each device in clinical workflows can be recorded, so that the full impact of a device malfunction on patient care and on the protection of sensitive personal data can be analyzed. In addition, the system can monitor communications between the devices on the hospital’s internal network to identify any anomalies that indicate there could be an intrusion.
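The inventory-plus-monitoring approach described above can be sketched as follows. This is an added example, not code from the article or from any vendor; the device names, addresses, criticality scale and flow records are all constructed for illustration.

```python
# Hypothetical inventory keyed by IP address (constructed data). "criticality"
# ranks the clinical role's impact on patient care (3 = highest); "peers" is
# the baseline set of systems the device is expected to talk to.
INVENTORY = {
    "10.20.1.11": {"name": "infusion-pump-07", "role": "drug delivery",
                   "criticality": 3, "peers": {"10.20.0.5"}},
    "10.20.1.40": {"name": "mri-injector-02", "role": "imaging",
                   "criticality": 2, "peers": {"10.20.0.8", "10.20.0.9"}},
    "10.20.1.77": {"name": "lobby-kiosk", "role": "patient check-in",
                   "criticality": 1, "peers": {"10.20.0.30"}},
}

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.20.1.11", "10.20.0.5", 443),    # pump -> pump server: baseline
    ("10.20.1.40", "10.20.0.8", 104),    # injector -> imaging archive: baseline
    ("10.20.1.77", "10.20.1.11", 445),   # kiosk -> pump: outside baseline
    ("10.20.1.11", "203.0.113.9", 443),  # pump -> external address
    ("10.20.1.99", "10.20.0.5", 443),    # source missing from the inventory
]


def review_flows(inventory, flows):
    """Flag inventory gaps and off-baseline traffic, most critical first."""
    findings = []
    for src, dst, port in flows:
        device = inventory.get(src)
        if device is not None and dst in device["peers"]:
            continue  # expected communication, nothing to report
        kind = "unknown-device" if device is None else "unexpected-peer"
        # Impact is the highest clinical criticality of any inventoried
        # endpoint in the flow, so traffic aimed at a pump ranks as high
        # as traffic coming from one.
        touched = [inventory[ip] for ip in (src, dst) if ip in inventory]
        impact = max((d["criticality"] for d in touched), default=0)
        roles = sorted({d["role"] for d in touched})
        findings.append({"kind": kind, "src": src, "dst": dst, "port": port,
                         "impact": impact, "roles": roles})
    return sorted(findings, key=lambda f: -f["impact"])


if __name__ == "__main__":
    for f in review_flows(INVENTORY, FLOWS):
        print(f"[impact {f['impact']}] {f['kind']}: {f['src']} -> "
              f"{f['dst']}:{f['port']} roles={f['roles']}")
```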
Healthcare providers are becoming well aware that securing medical devices is a necessity. Only after there are clear methods and systems in place for tracking and analyzing the cause of device failures can the full extent of the risk be known. By having more visibility and better control over medical devices, healthcare organizations can better protect patient safety and ensure treatment continuity.
About Leon Lerman
Leon brings over a decade of experience in cybersecurity enterprise sales, channel sales, and business development to establish Cynerio as a leading vendor in the healthcare cybersecurity space. Prior to Cynerio, Leon was the director of sales at Metapacket, where he led go-to-market strategy and execution. Prior to that, Leon held sales and sales engineering positions at RSA Security, helping the largest enterprises in the region to solve their security problems. Leon served as an expert intelligence officer at 8200 in the Israel Defense Forces.