Hacking healthcare: Would we know if a medical device was hacked?

How would we know if medical devices had been hacked?

The FDA has made medical device cybersecurity a high priority, even as it stresses that there have been no reported incidents of malicious medical device hacks or of patients harmed by a security-related issue.

But that assurance is based more on assumption than fact, experts say. And other evidence gathered in real-world healthcare environments suggests that the lack of cybersecurity reports at the FDA is more suspicious than comforting.

"I think we’re making a reasonable assumption that [malicious hacking] hasn’t happened, but it’s not based on any empirical evidence one way or the other," Codenomicon medical security global director Mike Ahmadi told MassDevice.com in an in-depth interview. "It may have happened."

Experts like Ahmadi, whose company is helping to provide the tools for the FDA’s newly announced "cybersecurity lab," temper their remarks by explaining that the risks of a medical device hack pale in comparison to the devices’ life-saving benefits. But they also want patients to be aware of the risks, however small they may prove to be.

"I hear this argument all the time, from vendors especially, that it hasn’t happened yet, that it isn’t really a security concern," medical device hacker and cybersecurity expert Jay Radcliffe told us after his recent presentation at the Black Hat cybersecurity conference in Las Vegas. "Does that mean we should just ignore it?"

Absence of evidence is not evidence of absence

Researchers have warned that the FDA’s adverse event databases are suspiciously lacking in cybersecurity issues, while reports from other healthcare systems suggest that malware infections are all but ubiquitous. During a period in which the FDA’s recall and adverse events databases contained zero software security issues, the U.S. Veterans Affairs Dept. was reporting an average of more than 70 incidents each year.

In a study published last summer, Massachusetts researchers examined the FDA’s publicly available databases for signs of privacy- or security-related reports, finding that "the FDA recall database did not yield any recalls related to patient security or privacy over a 9-year period of analysis." The study also examined the FDA’s MAUDE adverse event database, finding a similar void.

"We’re making assumptions when we’re stating that no one has ever been maliciously killed with an implanted device. The reality of it is it can be done. And we need to protect people against that" – Codenomicon’s Mike Ahmadi

"While the lack of any security or privacy concerns through these 2 mechanisms may be reassuring, it seems more likely that the current recall classification scheme does not adequately capture device malfunctions of this type," according to the study.

The FDA’s apparent lack of medtech security data also contrasts sharply with trends reported by the VA’s Office of Information Security, which maintains statistics on malware infections for more than 150 agency medical centers. In a 2-year period, between January 2009 and December 2011, the VA office reported 142 separate incidents affecting 207 medical devices. Infected devices included radiology systems, cardiology imaging, the GI lab and more. In at least 1 incident, patients had to be transported to a different clinic because a malware infection took necessary devices out of commission.

Experiences at VA hospitals are especially telling, because the veterans agency is considered 1 of the most forward-thinking on the issue of healthcare cybersecurity. The VA is an important bellwether for healthcare data management, partly because it is mandated to maintain certain security standards and partly because VA officials are answerable to Congress when things go wrong.

"If you want to identify an organization as being the most forward-thinking, the most innovative and the most proactive enterprises in the country regarding medical devices and security and safety, [it’s] the VA," Medical Device Innovation, Safety & Security Consortium co-founder and executive director Dr. Dale Nordenberg told us. "I just can’t emphasize enough the difference they’re going to make in terms of the lives of people in this country."


The prevalence of software security issues reported at VA hospitals prompts a question: Why aren’t similar trends cropping up in the FDA’s data? It may be in part because the FDA’s databases aren’t structured to look for them and in part because device users may not know how to identify cybersecurity issues when they occur.

"We believe that the inconsistency between databases is due to lack of a meaningful and convenient reporting mechanism, but we also believe that clinicians without expertise in computer security are unlikely to recognize the difference between a virus infection and a crashed or slow computer," according to the Massachusetts researchers. "To detect a security or privacy problem that could harm patients, a more effective information sharing system for medical device cybersecurity should be established."

Radcliffe, who burst onto the medical device cybersecurity scene when he hacked his own insulin pump live on stage during a Black Hat presentation, has also raised concerns about the FDA’s adverse event reporting system, warning that real problems may be obscured by hundreds, if not thousands, of unhelpful reports that are all lumped together.

"I can look through those experiences … and look for bugs – sort of," Radcliffe told MassDevice.com after his Las Vegas presentation, in which he warned of a "flaw" in a Johnson & Johnson (NYSE:JNJ) insulin pump (J&J told us that the "flaw" is in fact a deliberate design feature). "But there are so many of them, there are so many dropped-in-the-toilet stories, or, ‘I put the battery in backwards and it didn’t work.’ It’s hard to find substance in a lot of that. It’s literally looking for a needle in a haystack."

Interrogating the machine

The missing link might be found by examining a patient’s medical device, either after an adverse event or post-mortem, to determine whether there was any sort of anomaly that could indicate foul play. But many devices on the market today don’t maintain the internal record-keeping that could record malicious hacking, or demonstrate definitively that there was none involved.


"Implanted devices by and large do not log; many medical devices don’t have any logging whatsoever," Codenomicon’s Ahmadi told us. "We’re making assumptions when we’re stating that no one has ever been maliciously killed with an implanted device."
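The point Ahmadi makes is that without an on-device record, an investigator examining a device after an adverse event cannot tell tampering from a normal sequence of events, nor demonstrate that nothing unusual happened. The following is an added example, not code from the article, from Codenomicon or from any device maker, of what such a record could look like: a hash-chained, append-only event log in which every entry commits to its predecessor, so that a later reader can detect edited, reordered or deleted entries and flag patterns worth a closer look (here, repeated authentication failures shortly before a therapy change). Event names, timestamps and the sample log are constructed for illustration; the device, its wireless programmer and its 300-second review window are assumptions.

```python
"""Tamper-evident event log for an embedded medical device (added example).

Each record carries a SHA-256 hash over its own fields plus the hash of
the previous record, so the whole history is a chain. All event names,
timestamps and details below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional

GENESIS = "0" * 64  # stand-in "previous hash" for the very first record


@dataclass(frozen=True)
class LogEntry:
    seq: int         # position in the log, assigned by the device
    timestamp: int   # device clock, seconds (constructed values)
    event: str       # e.g. "auth_failure", "therapy_changed"
    detail: str      # free-text payload
    prev_hash: str   # hash of the preceding entry, GENESIS for seq 0
    hash: str        # SHA-256 over all fields above


def entry_digest(seq: int, timestamp: int, event: str, detail: str, prev_hash: str) -> str:
    # Canonical encoding so the same fields always hash the same way
    payload = json.dumps([seq, timestamp, event, detail, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class DeviceLog:
    def __init__(self) -> None:
        self.entries: List[LogEntry] = []

    def append(self, timestamp: int, event: str, detail: str = "") -> LogEntry:
        seq = len(self.entries)
        prev = self.entries[-1].hash if self.entries else GENESIS
        entry = LogEntry(seq, timestamp, event, detail, prev,
                         entry_digest(seq, timestamp, event, detail, prev))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest entry; exporting this to a clinic reader anchors the log."""
        return self.entries[-1].hash if self.entries else GENESIS


def verify_chain(entries: List[LogEntry], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first inconsistent entry.

    Edits, reordering and deletions in the middle break the chain by themselves.
    Truncating the tail does not, which is why an externally stored head hash
    (expected_head) is needed to catch it; a mismatch is reported as len(entries).
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:
            return i
        if entry_digest(e.seq, e.timestamp, e.event, e.detail, e.prev_hash) != e.hash:
            return i
        prev = e.hash
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def therapy_changes_after_auth_failures(entries: List[LogEntry],
                                        window: int = 300, threshold: int = 3) -> List[int]:
    """Seqs of therapy changes preceded by >= threshold auth failures within `window` seconds."""
    flagged = []
    for e in entries:
        if e.event != "therapy_changed":
            continue
        fails = [x for x in entries if x.event == "auth_failure"
                 and e.timestamp - window <= x.timestamp < e.timestamp]
        if len(fails) >= threshold:
            flagged.append(e.seq)
    return flagged


def tamper_detail(entries: List[LogEntry], seq: int, new_detail: str) -> List[LogEntry]:
    """Simulate an after-the-fact edit that leaves the stored hash stale."""
    edited = list(entries)
    edited[seq] = replace(edited[seq], detail=new_detail)
    return edited


def build_sample_log() -> DeviceLog:
    """Constructed history for a hypothetical infusion device."""
    log = DeviceLog()
    log.append(1000, "power_on", "firmware 1.2.3 (constructed)")
    log.append(1060, "auth_failure", "wireless programmer, bad credential")
    log.append(1075, "auth_failure", "wireless programmer, bad credential")
    log.append(1090, "auth_failure", "wireless programmer, bad credential")
    log.append(1100, "auth_success", "wireless programmer")
    log.append(1130, "therapy_changed", "basal rate 0.8 -> 3.5 u/h")
    log.append(1200, "alarm", "low glucose")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log.entries, log.head()))
    print("edited entry detected at:", verify_chain(tamper_detail(log.entries, 5, "basal rate 0.8 -> 0.9 u/h")))
    print("deleted entry detected at:", verify_chain(log.entries[:1] + log.entries[2:]))
    print("truncation without anchor:", verify_chain(log.entries[:-1]))
    print("truncation with anchor:", verify_chain(log.entries[:-1], log.head()))
    print("flag for review:", therapy_changes_after_auth_failures(log.entries))
```

The chain by itself only proves internal consistency; the last hash still has to be copied somewhere the device cannot alter (a clinic reader, a cloud record) for a trimmed log to be noticed, and a device with no log at all offers nothing to verify, which is the gap Ahmadi is describing.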

For the FDA’s cybersecurity project, Codenomicon is helping integrate testing tools that check whether new devices can maintain data security and integrity when subjected to common penetration methods. The lab marks the FDA’s most recent foray into medical device cybersecurity oversight, following an agency statement issued earlier this year asking medical device makers to begin documenting their security efforts.

The new lab marks a huge stride forward in medical device security oversight, but it’s also an uncertain one. The FDA hasn’t really outlined what the lab will do or whether the agency plans to routinely test new devices.

"While I think the FDA opening a cybersecurity lab is particularly wonderful of them, the FDA is not stating that they’re going to test these products," Ahmadi noted. "So what does that mean?"

What is the risk, really?

Although cybersecurity researchers are adamant that healthcare technologies need stronger defenses, they don’t minimize the value that medical devices offer to patients. Even with security concerns, the benefits far outweigh the risks, Radcliffe said.

"One of the things that I’m very careful about saying is that if you have a child or if you wear 1 of these devices, keep wearing it. It is safe," Radcliffe said. "Now, are there concerns? Yes. But you know that your credit card can get stolen when you shop on Amazon. There’s a risk to that, but you still shop at Amazon."

Rather than scaring patients away from medical devices, Radcliffe hopes to raise awareness so that consumers can make more informed choices about their healthcare. He likened the issue to a variety of potentially risky daily choices that people face, including the risk of getting into a car accident each time you get behind the wheel or the risk of having your identity stolen when you hand over your credit card at a restaurant.

“If you have a child or if you wear one of these devices, keep wearing it. It is safe.” – Jay Radcliffe

"You’re aware of that risk, you can make a decision," Radcliffe said. "You’re aware that there are some concerns with medical devices, so you’re going to be more careful with them. It’s not a perfect thing. Just like a computer, it’s not perfect, so you’re going to be a little cautious about it."

Security ahead of the curve

Ahmadi and Radcliffe both hope to see companies more actively defend their devices by finding and patching vulnerabilities before the "bad guys" can get their hands on them. Budgets are tight and medical devices already face a barrage of regulatory concerns before they hit the market, Ahmadi conceded, but security is an ever-increasing issue and the medtech industry would do well to stay a few steps ahead.

Some companies have made strides in building robust security into their devices, but few are talking about the issue in public.

"I would love organizations to take a more proactive approach, and some of them do take a very proactive approach," Ahmadi told us. "Intuitive Surgical (NSDQ:ISRG), which is one of our biggest customers, is extremely proactive. No one has ever attacked them, but they are doing an absolutely amazing job – even though no one’s forcing them to."

Other industry leaders, such as Medtronic (NYSE:MDT), have also made cybersecurity an important imperative for new generations of devices. CEO Omar Ishrak told MassDevice.com that security was a “high priority” for the pure-play medical device giant.

"It’s something that we’re working on and at the same time we’re cognizant that we need to work with others," Ishrak told us when we caught up with him at a conference last fall. "There’s a lot of innovation in this area, a lot of fast-moving innovation, and we just need to be on top of the dynamics."

The Medical Device Innovation, Safety & Security Consortium (MDISS) plans next month to release a pair of pilot programs that will provide medical device makers a set of shared cybersecurity guidelines and give healthcare providers a tool that allows them to assess and compare the cybersecurity capabilities of medical devices before they buy them. MDISS operates partly on the premise that nearly all networked technology, including medical technology, is hackable and therefore at risk, but also emphasizes that healthcare systems are willing to pay for more security.

With so many security experts warning that it’s just a matter of time before medical device hacks move from theory to reality, Ahmadi hopes that security will outpace crime, but he’s not always optimistic.

"The problem in terms of medical device security is going to get worse before it gets better," he lamented. "What we’re really talking about is criminal activities, we’re talking about somebody maliciously going after someone who’s weaker and using a life-saving device as a weapon against them.

"The reality of it is it can be done. And we need to protect people against that."
