It’ll take a village to ensure that medical devices are ready to face the increasingly threat-laden wireless world, speakers told a group of clinicians this week during Heart Rhythm 2014, the Heart Rhythm Society’s 35th Annual Scientific Sessions.
Medical devices are increasingly connected wirelessly with smartphones, websites and other healthcare systems, creating new "threat surfaces" for criminals interested in probing the devices for information or for sport.
Recent studies have found many technologies woefully lacking in even basic digital security measures, and federal studies have warned that medical devices may be of increasing interest to malicious hackers, especially if they’re connected with hospital systems that store patient information that they can sell on black markets.
Representatives from the medical device industry and the FDA urged care providers to get involved with efforts to promote healthcare cybersecurity. In addition to engaging in safer practices in hospitals (no more passwords written on sticky-notes attached to workstations), doctors and nurses can promote cybersecurity by asking the right questions of device makers and helping patients understand how vulnerabilities might impact their devices or care.
The issue has been brewing quietly since 2008, making headlines in more recent years as so-called "white hat" ethical hackers/researchers revealed vulnerabilities in insulin pumps and other hospital systems. Cybersecurity has become a growing concern as FDA regulators put down their thoughts last year in a draft guidance and the FBI last month warned device makers to prepare for a coming onslaught of malicious hacking.
Even though there are no reported medical device hacks outside of research settings, all the headlines have made waves with patients. Patients are asking questions about the cybersecurity standards of their devices, physicians attending the HRS session noted. Security holes may pose a small risk in medical technologies, but doctors may also face patients who put themselves at risk by refusing treatment with devices they view as insecure.
Whatever the impetus, device makers are increasingly interested in beefing up their digital security, in part because last year’s FDA initiatives made the issue unavoidable. The agency issued draft guidance in June asking manufacturers to provide cybersecurity details on new medical devices, and in August the FDA announced that it was gathering resources for a "cybersecurity lab," where regulators can take a closer look at software bugs and weaknesses in medtech systems.
"I don’t know that it is their intent, or that they have the resources to test devices as part of the approval process," Adventium Labs’ Distinguished Scientist Ken Hoyme told MassDevice.com after the presentation. "However, if an approved device has security problems that raise to the level of FDA concern, they can utilize this lab to determine whether those problems could have been found with such off-the-shelf tooling."
The FDA stopped short of recommending any particular security actions or standards, asking instead that companies simply document their efforts and submit them for review.
"Just the existence of this lab will lead to manufacturers improving security testing to avoid getting into a future situation where the FDA finds basic vulnerabilities in their device," he added.
Hoyme spoke on behalf of medical device manufacturers, representing the Assn. for the Advancement of Medical Instrumentation as co-chair of its Medical Device Security working group. His background includes a long stint at Boston Scientific (NYSE:BSX), where he was the systems lead for the LATITUDE remote patient monitoring system.
Having seen the manufacturing perspective, Hoyme is keenly aware of the balancing act that must occur when considering security needs alongside clinical utility.
"While clinical needs should not be used as an excuse to avoid providing security controls, the excessive use of strict security mechanisms may result in unintended consequences, including patient harm," he said. "The FDA draft guidance asks manufacturers to consider this balance, and specifically consider the needs of emergency access."
With remote patient monitors, for example, doctors may like the idea of having remote access to reprogram a patient’s cardiac implant so that patients don’t need to come in to the clinic. On the other hand, providing remote manipulation of implanted devices may also open up a new pathway for malicious hackers to access and control the device. Implanted devices in particular must balance implementing new security features against the impact such systems may have on battery life, while also making sure that emergency care providers can access a device should the need arise.
The sometimes precarious balancing act highlights the need for cooperation among various healthcare stakeholders to ensure that devices get the security they require without compromising the care that patients need.
Mitchell Shein of the FDA Center for Devices & Radiological Health told physicians today that they are a key part of the equation in making healthcare systems more secure.
"This is not a solution for manufacturers to come up with alone," Shein said.
No targeted medical device hacks have been reported outside of research settings, but security analysts have found that many U.S. hospitals and their medical devices have been infiltrated by malware. Many systems remain infected as hacks go undetected, according to a report released earlier this year by security research firm Norse.
Medical devices such as radiology imaging software and X-ray machines are vulnerable to attack even if they don’t contain sensitive patient information. The vast majority of networked medical devices in hospitals today have minimal security protections, and "once medical devices are compromised, malicious traffic is transmitted through VPNs and firewalls" to other systems, according to an FBI memo.
Healthcare industry security reports released over the last year put the black market value of a partial electronic health record at $50 apiece, compared with $1 for a stolen credit card or Social Security number. Criminals can use EHR data to file fake insurance claims, get prescription drugs and "advance identity theft," and EHR fraud takes nearly twice as long to detect as normal identity theft.
Financial gains aren’t the only reasons that attackers may target healthcare systems. The infamous and inscrutable hacker group Anonymous made recent threats against Boston Children’s Hospital, calling on internet activists to bombard the hospital’s website with a flood of traffic to disrupt its online services. The group is demanding that BCH fire one of its doctors over the controversial detainment of a pediatric patient made a ward of the state.
Cyber-attacks that attempt to overload servers with a flood of requests, sometimes called "denial of service" or DoS attacks, aim to disrupt an organization’s workflow by wiping out access to cloud-based tools and resources. Programmers can insulate their systems from such attacks by ensuring that servers and devices aren’t permanently knocked out after being bombarded, but recent testing has shown that many medical devices lack such protections.
Researchers at SecureState reported last year that their penetration testing found that devices such as IV pumps and X-ray machines are vulnerable to this fairly rudimentary form of attack. Earlier last year a pair of security researchers used a DoS hack to demonstrate that a Philips (NYSE:PHG) Xper hospital management system could be infiltrated and "owned" fairly easily.