Hacking healthcare: Would we know if a medical device was hacked?

How would we know if medical devices had been hacked?

The FDA has made medical device cybersecurity a high priority, even as it stresses that there have been no reported incidents of malicious medical device hacks or of patients harmed by a security-related issue.

But that assurance is based more on assumption than fact, experts say. And other evidence gathered in real-world healthcare environments suggests that the lack of cybersecurity reports at the FDA is more suspicious than comforting.

"I think we’re making a reasonable assumption that [malicious hacking] hasn’t happened, but it’s not based on any empirical evidence one way or the other," Codenomicon medical security global director Mike Ahmadi told MassDevice.com in an in-depth interview. "It may have happened."

Experts like Ahmadi, whose company is helping to provide the tools for the FDA’s newly announced "cybersecurity lab," temper their remarks by explaining that the risks of a medical device hack pale in comparison to the devices’ life-saving benefits. But they also want patients to be aware of the risks, however small they may prove to be.

"I hear this argument all the time, from vendors especially, that it hasn’t happened yet, that it isn’t really a security concern," medical device hacker and cybersecurity expert Jay Radcliffe told us after his recent presentation at the Black Hat cybersecurity conference in Las Vegas. "Does that mean we should just ignore it?"

Absence of evidence is not evidence of absence

Researchers have warned that the FDA’s adverse event databases are suspiciously lacking in cybersecurity issues, while reports from other healthcare systems suggest that malware infections are all but ubiquitous. During a period of time in which FDA’s recall and adverse events databases contained zero software security issues, the U.S. Veterans Affairs Dept. was reporting an average of more than 70 incidents each year.

In a study published last summer, Massachusetts researchers examined the FDA’s publicly available databases for signs of privacy- or security-related reports, finding that "the FDA recall database did not yield any recalls related to patient security or privacy over a 9-year period of analysis." The study also examined the FDA’s MAUDE adverse event database, finding a similar void.


"While the lack of any security or privacy concerns through these 2 mechanisms may be reassuring, it seems more likely that the current recall classification scheme does not adequately capture device malfunctions of this type," according to the study.

The FDA’s apparent lack of medtech security data also contrasts heavily with trends reported by the VA’s Office of Information Security, which maintains statistics on malware infections for more than 150 agency medical centers. In a 2-year period, between January 2009 and December 2011, the VA office reported 142 separate incidents affecting 207 medical devices. Infected devices included radiology systems, cardiology imaging, the GI lab and more. In at least 1 incident, patients had to be transported to a different clinic because a malware infection took necessary devices out of commission.

Experiences at VA hospitals are especially telling, because the veterans agency is considered 1 of the most forward-thinking on the issue of healthcare cybersecurity. The VA is an important bellwether for healthcare data management, in part because it’s required by mandate to maintain certain security standards and partly because VA officials are liable to Congress when things go wrong.

"If you want to identify an organization as being the most forward-thinking, the most innovative and the most proactive enterprises in the country regarding medical devices and security and safety, [it’s] the VA," Medical Device Innovation, Safety & Security Consortium co-founder and executive director Dr. Dale Nordenberg told us. "I just can’t emphasize enough the difference they’re going to make in terms of the lives of people in this country."


The prevalence of software security issues reported at VA hospitals prompts a question: Why aren’t similar trends cropping up in the FDA’s data? It may be in part because the FDA’s databases aren’t structured to look for them and in part because device users may not know how to identify cybersecurity issues when they occur.

"We believe that the inconsistency between databases is due to lack of a meaningful and convenient reporting mechanism, but we also believe that clinicians without expertise in computer security are unlikely to recognize the difference between a virus infection and a crashed or slow computer," according to the Massachusetts researchers. "To detect a security or privacy problem that could harm patients, a more effective information sharing system for medical device cybersecurity should be established."

Radcliffe, who burst onto the medical device cybersecurity scene when he hacked his own insulin pump live on stage during a Black Hat presentation, has also raised concerns about the FDA’s adverse event reporting system, warning that real problems may be obscured by hundreds, if not thousands, of unhelpful reports that are all lumped together.

"I can look through those experiences … and look for bugs – sort of," Radcliffe told MassDevice.com after his Las Vegas presentation, in which he warned of a "flaw" in a Johnson & Johnson (NYSE:JNJ) insulin pump (J&J told us that the "flaw" is in fact a deliberate design feature). "But there are so many of them, there are so many dropped-in-the-toilet stories, or, ‘I put the battery in backwards and it didn’t work.’ It’s hard to find substance in a lot of that. It’s literally looking for a needle in a haystack."

Interrogating the machine

The missing link might be found by examining a patient’s medical device, either after an adverse event or post-mortem, to determine whether there was any sort of anomaly that could indicate foul play. But many devices on the market today don’t maintain the internal record-keeping that could record malicious hacking, or demonstrate definitively that there was none involved.


"Implanted devices by and large do not log; many medical devices don’t have any logging whatsoever," Codenomicon’s Ahmadi told us. "We’re making assumptions when we’re stating that no one has ever been maliciously killed with an implanted device."
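The point Ahmadi makes is that without device-side records there is nothing to interrogate after an adverse event. The following is an added illustration, not code from the article, Codenomicon or any device maker, of the kind of minimal tamper-evident event log that would let an examiner establish whether entries were altered or removed after the fact. Each entry is keyed (HMAC-SHA256) over the previous entry's tag and its own record, so any change to an earlier entry breaks every later link. The key, the event names, the sample records and the field names are all constructed for the example; on a real device the key would be held in protected storage and the latest tag would be reported to an outside party (for example at a clinic check-in) so that truncation of the log can also be detected.

```python
"""Tamper-evident, append-only event log with chain verification (added example)."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64            # constructed sentinel for the first link in the chain
DEMO_KEY = b"constructed-demo-key-not-for-real-devices"  # assumption: device-held secret


def _tag(key: bytes, prev_tag: str, record: Dict) -> str:
    # Canonical JSON so the same record always serialises identically before keying.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + payload, hashlib.sha256).hexdigest()


class DeviceLog:
    """Append-only log; every entry carries the tag of the entry before it."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Dict] = []

    def append(self, event: str, **fields) -> Dict:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "event": event, **fields}
        entry = {"record": record, "prev": prev, "tag": _tag(self._key, prev, record)}
        self.entries.append(entry)
        return entry


def verify_chain(key: bytes, entries: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev or entry["record"].get("seq") != i:
            return False, i                      # gap, reordering, or deletion
        if not hmac.compare_digest(_tag(key, prev, entry["record"]), entry["tag"]):
            return False, i                      # record or tag was modified
        prev = entry["tag"]
    return True, None


def last_tag(entries: List[Dict]) -> str:
    """The value an outside party would record as an anchor for later comparison."""
    return entries[-1]["tag"] if entries else GENESIS


def build_sample_log(key: bytes = DEMO_KEY) -> DeviceLog:
    # Constructed sample events resembling what an infusion-type device might record.
    log = DeviceLog(key)
    log.append("boot", firmware="1.4.2")
    log.append("telemetry_session", peer="programmer-01", auth="ok")
    log.append("dose_delivered", units=2.0)
    log.append("config_change", param="max_bolus", old=10, new=25, auth="ok")
    return log


def modified_copy(log: DeviceLog) -> List[Dict]:
    # Edit an earlier record in place (the config change is rewritten to look benign).
    entries = copy.deepcopy(log.entries)
    entries[3]["record"]["new"] = 10
    return entries


def deleted_copy(log: DeviceLog) -> List[Dict]:
    # Remove a middle entry (the telemetry session) from the log.
    entries = copy.deepcopy(log.entries)
    del entries[1]
    return entries


def truncated_copy(log: DeviceLog) -> List[Dict]:
    # Drop the most recent entry; the remaining chain is internally consistent.
    return copy.deepcopy(log.entries[:-1])


if __name__ == "__main__":
    sample = build_sample_log()
    anchor = last_tag(sample.entries)             # reported off-device at the last check-in
    print("intact   :", verify_chain(DEMO_KEY, sample.entries))
    print("modified :", verify_chain(DEMO_KEY, modified_copy(sample)))
    print("deleted  :", verify_chain(DEMO_KEY, deleted_copy(sample)))
    trunc = truncated_copy(sample)
    print("truncated:", verify_chain(DEMO_KEY, trunc), "anchor match:", last_tag(trunc) == anchor)
```

Modification and deletion are caught by the chain itself; truncation passes chain verification, which is why the final tag has to be anchored somewhere the device cannot rewrite. A plain SHA-256 chain would not even give that much, because anyone able to rewrite log storage could recompute the hashes, so the example keys each link with a secret the examiner, not the log writer, controls.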

For the FDA’s cybersecurity project, Codenomicon is helping integrate testing tools that check whether new devices maintain data security and integrity when subjected to common penetration methods. The lab marks the FDA’s most recent foray into medical device cybersecurity oversight, following an agency statement issued earlier this year asking medical device makers to begin documenting their security efforts.

The new lab marks a huge stride forward in medical device security oversight, but it’s also an uncertain one. The FDA hasn’t really outlined what the lab will do or whether the agency plans to routinely test new devices.

"While I think the FDA opening a cybersecurity lab is particularly wonderful of them, the FDA is not stating that they’re going to test these products," Ahmadi noted. "So what does that mean?"

What is the risk, really?

Although cybersecurity researchers are adamant that healthcare technologies need stronger defenses, they don’t minimize the value that medical devices offer to patients. Even with security concerns, the benefits far outweigh the risks, Radcliffe said.

"One of the things that I’m very careful about saying is that if you have a child or if you wear 1 of these devices, keep wearing it. It is safe," Radcliffe said. "Now, are there concerns? Yes. But you know that your credit card can get stolen when you shop on Amazon. There’s a risk to that, but you still shop at Amazon."

Rather than scaring patients away from medical devices, Radcliffe hopes to raise awareness so that consumers can make more informed choices about their healthcare. He likened the issue to a variety of potentially risky daily choices that people face, including the risk of getting into a car accident each time you get behind the wheel or the risk of having your identity stolen when you hand over your credit card at a restaurant.


"You’re aware of that risk, you can make a decision," Radcliffe said. "You’re aware that there are some concerns with medical devices, so you’re going to be more careful with them. It’s not a perfect thing. Just like a computer, it’s not perfect, so you’re going to be a little cautious about it."

Security ahead of the curve

Ahmadi and Radcliffe both hope to see companies more actively defend their devices by finding and patching vulnerabilities before the "bad guys" can get their hands on them. Budgets are tight and medical devices already face a barrage of regulatory concerns before they hit the market, Ahmadi conceded, but security is an ever-increasing issue and the medtech industry would do well to stay a few steps ahead.

Some companies have made strides in building robust security into their devices, but few are talking about the issue in public.

"I would love organizations to take a more proactive approach, and some of them do take a very proactive approach," Ahmadi told us. "Intuitive Surgical (NSDQ:ISRG), which is one of our biggest customers, is extremely proactive. No one has ever attacked them, but they are doing an absolutely amazing job – even though no one’s forcing them to."

Other industry leaders, such as Medtronic (NYSE:MDT), have also made cybersecurity an important imperative for new generations of devices. CEO Omar Ishrak told MassDevice.com that security was a “high priority” for the pure-play medical device giant.

"It’s something that we’re working on and at the same time we’re cognizant that we need to work with others," Ishrak told us when we caught up with him at a conference last fall. "There’s a lot of innovation in this area, a lot of fast-moving innovation, and we just need to be on top of the dynamics."

The Medical Device Innovation, Safety & Security Consortium plans next month to release a pair of pilot programs that will provide medical device makers a set of shared cybersecurity guidelines and give healthcare providers a tool that allows them to assess and compare the cybersecurity capabilities of medical devices before they buy them. MDISS operates partly on the premise that pretty much all networked technology, including medical technology, is hackable and therefore at risk, but also emphasizes that healthcare systems are willing to pay for more security.

With so many security experts warning that it’s just a matter of time before medical device hacks move from theory to reality, Ahmadi hopes that security will outpace crime, but he’s not always optimistic.

"The problem in terms of medical device security is going to get worse before it gets better," he lamented. "What we’re really talking about is criminal activities, we’re talking about somebody maliciously going after someone who’s weaker and using a life-saving device as a weapon against them.

"The reality of it is it can be done. And we need to protect people against that."
