Computer hackers have already hijacked medical targets, including MRI machines, electronic medical records systems and even a patient-support website for epileptics. Researchers writing in the New England Journal of Medicine are calling for improvements to the security and privacy of implantable medical devices.
Dr. William Maisel, a well-known cardiologist, and Tadayoshi Kohno of the University of Washington in Seattle, compared the current state of medical device security to the pharmaceutical supply chain in the early ’80s in the April 2 issue of the NEJM. Citing the 1982 cyanide poisoning of Tylenol, which killed seven people, Maisel and Kohno wrote that medical devices “like the drug supply of a generation ago, face a security vulnerability that must be addressed through regulatory and scientific actions.”
“We think medical device security should be improved before there is a widespread incident, rather than waiting for the incident to occur and then acting,” Maisel wrote in an e-mail to MedPage Today. “It is very difficult to add on security after the fact.”
Last year, a computer virus called Conficker infected hundreds of MRI devices around the world, including at dozens of U.S. hospitals. The virus caused the imaging machines to ask for instructions over the Internet, presumably from the hackers who created the virus. More than 300 devices, which the manufacturer says are not designed to connect to the web at all, were compromised via an unpatched version of a Microsoft operating system used in embedded devices.
The Food & Drug Administration may have inadvertently contributed to the hack. Normally, a simple patch installation would eliminate the vulnerability. But FDA rules require 90 days of notice before patches are installed. The Conficker virus infected thousands of other machines in hospitals — ranging from personal computers to sensitive medical devices.
In a separate incident last year, hackers claiming to have tapped a Virginia medical records database are demanding a $10 million ransom. The data were part of a program to track frequently abused drugs such as OxyContin and Vicodin. Hackers sabotaged an Epilepsy Foundation website, according to Maisel and Kohno, causing it to display flashing lights that induced seizures in some patients.
The researchers called for changes to the pre-market approval process for implantable devices to guard against hackers. Devices ranging from cochlear implants to defibrillators could be vulnerable to attacks designed to re-program them, extract data or render the devices unable to communicate. Many devices are in constant communication with physicians’ offices, hospitals and manufacturers, each of which represents a potential point of entry for hackers.
Before the FDA clears devices for the marketplace, Maisel and Kohno wrote, the federal watchdog agency should run a risk-based security assessment according to the perceived threat and the device’s function. Low-risk products with “nonessential” functions — cochlear implants, implantable heart monitors — might require only data validation and user authentication. But devices with life-sustaining functions — insulin pumps, pacemakers and defibrillators — would require additional safeguards, such as the “inclusion of redundant security features and rigorous testing and verification of security properties.”
Ideally, security should be built into devices during the design phase, Maisel told the website. Manufacturers “should bear the primary responsibility for ensuring that their devices are secure,” he added. “We believe this would best be accomplished by convening the major stakeholders — manufacturers, regulators, computer scientists, physicians, patients — and developing security guidelines for medical devices.”