Growing Healthcare Cybersecurity Concerns Center on Connected Medical Devices
Growing Healthcare Cybersecurity Concerns Center on Connected Medical Devices
Healthcare system and patient cyberattacks continue to increase significantly, exposing vulnerabilities in information technology and network-connected diagnostic equipment. In fact, a report published by NetScout[1], shows that attacks on hospitals and physicians’ offices increased as much as 1,400% from 2017 to 2018 as cybercriminals continue to find success exploiting internal healthcare networks.
Besides more network data breaches, the ever-increasing number of network-connected bedside medical devices poses the potential of direct harm to patients. The increased reliance on information technology to run operations and diagnostic equipment has exposed the vulnerability of hospital networks to hackers and malicious operators. Recent cyberattacks on healthcare systems have resulted in the shutdown of entire networks disrupting critical infrastructure and the functioning of diagnostic equipment. The May 2017 WannaCry hack illustrates how ransomware can impact a national healthcare system – the hack froze one-third of NHS hospital trust facilities’ computers, crippling their information systems. Patient appointments and surgeries had to be cancelled, physicians were unable to receive lab reports, and patient care was disrupted.
No patient deaths were attributed to the hack, but the systemwide impacts underscored the need to upgrade the cyber resilience of local NHS infrastructure. Prior to the WannaCry attack, NHS Digital had conducted onsite assessments of approximately one-third of the hospital trusts – none passed – according to the report[2] released on the investigation into NHS’s response to the attack.
In June 2017 the Health Care Industry Cybersecurity Task Force (U.S.) published its report stating that healthcare cybersecurity was a key public health concern that needed immediate and aggressive attention[3]. With the increasing reliance on information technology, patient safety and care could be jeopardized if IT and networked medical device vulnerabilities are not addressed. The report references an advisory released by Cyber Infrastructure on the known cyber vulnerabilities of one legacy (older) medication dispensing system (Pyxis SupplyStation) – a legacy system with more than 1,400 vulnerabilities[4].
Against this backdrop, medical devices with known cyber vulnerabilities will continue to be exploited by cybercriminals. Hackers may not only recover patient health information, but they can also “weaponize” medical devices to cause direct patient harm.
Medical Device Cyber Risk
Any medical device connected to the internet is at risk of a cyberattack, and devices that receive and transmit data are the most vulnerable. However, according to the U.S. Food and Drug Administration (FDA) understanding the magnitude of a device’s vulnerability may only become known after the[5]:
- Device is more widely distributed and used (e.g., in-home)
- Patient population using the device is more diverse
- Device is used by a broader range of clinicians
Further, ineffective and lack of stringent security features in legacy IT hardware and software has been exposed by cyberattacks (such as WannaCry) and security researchers.
Some wireless capable network-connected devices, which receive and transmit sensitive patient information, have already been breached by security researchers. Other devices are being evaluated, too, as the potential is there. Medical devices with known security vulnerabilities include: pacemakers, drug infusion pumps, MRI systems, internal cardiac defibrillators and hospital networks. There is a tension among clinicians who want access to patient data in real-time to make clinical decisions, such as issuing therapeutic commands, which can impact on patient outcomes.
Exploring Connected Medical Device Risk
Implanted Pacemakers:
The FDA recalled almost half a million specific implantable Accent MRI pacemakers made by Abbott (formerly St. Jude Medical) in August 2017[6]. MedSec, a medical device research firm, discovered the cyber weaknesses through its penetration testing services (break-and-enter hacking) that lives could be endangered by remotely causing the batteries in pacemakers to go flat or forcing the life-saving devices to run at potentially deadly speeds.
To ensure security, patients needed to go to hospitals and clinics to have medical staff update their firmware to patch security holes. While no invasive surgery was needed, the update could only be installed by trained medical staff. For every patient with a pacemaker, the risk of possible hacking must be balanced against the benefit of remote monitoring.
Any pacemakers with connectivity can potentially be hacked. While there have been no reported cases of malicious intent so far, security enhancements for pacemakers and other implantable devices are being addressed by manufacturers and regulatory authorities through firmware updates.
Medication Infusion Pumps
Medication infusion pumps are used to deliver high-hazard medications such as narcotics, insulin and chemotherapy in accordance with pre-programmed pump settings. In September 2017, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)[7] identified security vulnerabilities in a number of Medfusion 4000 Wireless Syringe Infusion Pumps, which are used worldwide. Eight security vulnerabilities were found that could allow a remote hacker to exploit the intended operation of a pump including the administration of a fatal overdose of medication.
Some of the specific high-severity security flaws identified:
- The use of hard-coded credentials (usernames and passwords)
- Authentication gaps
- Certification validation issues
MRI Systems
The WannaCry ransomware attack of 2017 infected the Bayer Medrad medical device that injects a contrast agent to a patient. This is the first known instance of ransomware directly affecting a medical device in the U.S. When Bayer was notified of the hack, it sent out a Microsoft patch for the imaging equipment and all of its other Windows-based devices.
Because the infected machines stopped working, there was no direct clinical harm to patients. A service disruption of 24 hours in device availability can result in the inability of a hospital to deliver time-sensitive care (such as for stroke patients), the delivery of suboptimal treatment, and/or an increase in resource needs.
Implantable Cardiac Defibrillators (ICDs)
When an ICD is implanted in a patient, it has the ability to deliver a high-voltage electric charge to the heart to shock it out of an abnormal and potentially lethal rhythm (ventricular tachycardia) and restore a normal heart rhythm. In 2008, the University of Washington cybersecurity research found that the Medtronic Maximo’s tiny radio could be penetrated by a hacker with an oscilloscope, a computer, a wireless radio, or some free software[8].
While an ICD radio allows clinicians to adjust the device’s programming, it also makes these devices vulnerable. Because the ICD’s radio signal is not encrypted, a hacker can maliciously reconfigure ICD so that it fails to shock an abnormal cardiac rhythm or delivers a shock when the heart is beating normally. A report issued by CISA[9] warned that a number of devices and versions of Medtronic devices (including Maximo) using the Conexus telemetry system all have cyber vulnerabilities that can be exploited and affect the devices’ memory. Among the mitigation strategies Medtronic suggests include not connecting unapproved devices into home monitors and programmers through USB ports and other connections. Medtronic is developing additional mitigation for the devices.
Although there have been no reports of direct patient related deaths to these vulnerabilities, cybersecurity researchers suggest the potential for significant patient harm exists.
Managing Cybersecurity Threats and Protecting Patients
The medical device industry is driven by fast-paced and continued innovation and evolution of its products. The continued improvement and creation of new devices to optimize clinical care comes with increased cybersecurity risks to both healthcare networks and systems, and potential harm to patients. Although newer generations of medical devices have more robust security features, legacy devices operating in hospitals may be entirely unsecured. Wireless capable medical devices that connect wirelessly to other equipment can be compromised.
For those charged with managing cybersecurity threats, the U.S. Department of Health and Human Services’ industry guidance[10] might be a useful starting point for healthcare organizations to both understand cybersecurity risks and to implement basic cybersecurity practices to thwart the risk. Four volumes are part of the guidance:
1. The Main Document
2. A technical volume of cybersecurity practices for small healthcare organizations
3. A technical volume of cybersecurity practices for medium and large healthcare organizations
4. A resources and templates volume
The volumes take the reader from generic information of cybersecurity in the main volume to technical volumes with specific practices for healthcare organizations based on their size, complexity and type.
[1] NetScout Systems Inc. (2019). Dawn of the Terrorbit Era – Findings from the Second Half of 2018. Retrieved at https://www.netscout.com/sites/default/files/2019-02/SECR_001_EN-1901%20-%20NETSCOUT%20Threat%20Intelligence%20Report%202H%202018.pdf
[2] National Audit Office (UK). (2018). Investigation: WannaCry cyber attack and the NHS. Retrieved from https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf
[3] Department of Health and Human Services (HHS). 2017). Report On Improving Cybersecurity In The Health Care Industry. retrieved from https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf
[4] US Department of Homeland Security, Cyber Infrastructure (CISA). (2016, rev. 2017). Advisory (ICSMA-16-089-01)
CareFusion Pyxis SupplyStation System Vulnerabilities. Retrieved from https://ics-cert.us-cert.gov/advisories/ICSMA-16-089-01.
[5] FDA. (April 2018). Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health. Retrieved from https://www.fda.gov/media/112497/download
[6] FDA, Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication; August 29, 2017.
[7] CISA. (2017). Medical Advisory (ICSMA-17-250-02A), Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities (Update A). Retrieved from https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02A
[8] NY Times. (2008). A Heart Device Is Found Vulnerable to Hacker Attacks. Retrieved at https://www.nytimes.com/2008/03/12/business/12heart-web.html
[9] CISA. (2019). Medical Advisory (ICSMA-19-080-01), Medtronic Conexus Radio Frequency Telemetry Protocol. Retrieved at https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01.
[10] Department of Health and Human Services. (2017). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.
In Canada, products and/or services described are provided by Continental Casualty Company, a CNA property/casualty insurance company. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.