Within the context of evolving technologies that continue to expand healthcare connectivity, Padma Gulur warns of the “immense vulnerability of current systems”. Arguing that stolen medical records supersede the value of credit card information on the black market, she outlines the cybersecurity threats to current medical devices, and the measures that are being taken to tackle these dangers.
Cybersecurity is a top priority in healthcare and involves many facets. Safeguarding healthcare information networks from penetration, damage or disruption is critical. The era of electronic medical records and the reliance on computerised lab reports and electronic patient communications have exposed healthcare to new vulnerabilities. In addition, medical devices increasingly pose unique risks when they are used for monitoring or administering therapies to patients, or when they are implanted in the body. The risk may stem from manipulation of software applications hacked to perform malicious operations or corruption of the hardware itself through infected firmware.
Recent malware and ransomware attacks on healthcare systems—including pacemaker hacks in 2011 and the more recent ‘WannaCry’ attack that shut down the National Health System in the UK along with others across Europe and Asia—highlight the immense vulnerability of current systems.
As we strive for greater connectivity in healthcare, the flip side of the coin is increasing vulnerability. From the comfort of their couch, experienced hackers could launch a malicious attack on millions, striking people when they are most vulnerable as they seek healthcare.
Medical Information: More valuable than other forms of identity theft
Stolen medical records tend to have a higher value on the black market than stolen credit card information. Access to medical information can allow for changed lab values, altered results and fraudulent communications; the risks are endless and the consequences severe.
The medical records of children are particularly valuable. It is not uncommon to find a vendor in the USA selling kids’ social security numbers and dates of birth (known on the dark web as “fullz”) that were hacked from a paediatrician’s database.
Risk to medical devices
The cybersecurity of medical devices has increasingly become a concern to healthcare providers and patients. These devices tend to have significant vulnerabilities and susceptibilities to security threats that arise from the use of commercial, off-the-shelf software components such as operating systems, which inherit the related vulnerabilities.
Further, hospitals, clinics and physician practices are often slow to deploy upgrades and patches, compounding the issue of outdated software components that lead to security and privacy vulnerabilities.
Monitoring devices, anaesthesia machines and medication barcode systems are among the tools that can be corrupted and lead to significant patient safety issues. Drug infusion systems and diagnostic devices can lead to more direct patient harm if their functions are maliciously altered. Perhaps most concerning of all is the risk to implanted medical devices, such as implanted pacemakers, defibrillators, spinal cord stimulators, intrathecal or insulin pumps.
Although there has never been a documented case of a medical device being hacked, numerous researchers have proven that such a hack is not only possible, but could be fatal. As early as 2008, a group of researchers at Beth Israel Deaconess Hospital (Boston, USA) showed that they could hack a heart defibrillator/pacemaker and reprogramme it to shut down or deliver a fatal jolt of electricity to the heart. Recently, a hacker demonstrated that he/she was able to override the radio signal on an insulin pump and have it dump a lethal dose of insulin to the patient.
The US Food and Drug Administration (FDA) issued a safety alert regarding cybersecurity vulnerabilities in two models of Medtronic programmers, which are used with cardiac implantable electrophysiology devices. This cybersecurity vulnerability is associated with using an internet connection to connect the programmers to Medtronic’s software distribution network, which allows providers to download software updates. The FDA confirmed that when the programmers are linked to an internet connection, the Medtronic network could be exploited, enabling an unauthorised user to alter the programmer to change its functionality during the device implantation procedure or during follow-up visits. To remediate these vulnerabilities and enhance cybersecurity of device programmers, Medtronic disabled access to the wireless connectivity. When software updates are needed, a Medtronic representative manually updates, via a secured USB,
Hackers: Black, white and grey
The traditional hacker is a person with the ability to penetrate existing computer infrastructure without permission and with a malicious intent. These are known as black hat hackers.
Not all hackers seek to damage and destroy. White hat hackers are those individuals who break into systems to point out security flaws or bring attention to a cause. Their intentions are not necessarily to wreak havoc but to do a public service. Some of these people are using this avenue to advocate for political or social causes using actions referred to as hacktivism.
Grey hat hackers are a blend of both black hat and white hat activities, but they are less skilled compared to the black hat or white hat. Grey hat hackers look for vulnerabilities in the system without permission. If issues are found, they report them to the owner; sometimes they request a small fee for discovering and fixing the problem. If the owner does not respond, they may post the vulnerability in a public forum for the world to see.
Regulatory oversight
The FDA, Homeland Security (through ICS-CERT), the research hacking community and product makers are working together by participating in cyber advisories to improve the security of healthcare information systems and medical devices.
The FDA originally issued a guidance on this topic in 2014 followed by a draft update in 2018. The draft guidance incorporates new recommendations, including a “cybersecurity bill of materials,” which is a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities. It also introduces two tiers of devices based on potential harm to patients from cybersecurity threats: those with higher risk, including implanted devices such as pacemakers or neurostimulation devices; and those with standard risk, which includes devices that contain software.
Intrusion detection systems
Computer scientists continue to develop systems that can help detect and/or counter cyberattacks on healthcare systems. An example is a system for detecting malware on medical devices, called WattsUpDoc. This was developed by researchers Benjamin Ransford and Denis Foo Kune, who first unveiled the platform in 2013 before forming the commercial outfit Virta Labs. This intrusion detection system attempts to detect malware on implanted medical devices by monitoring tiny changes in power consumption.
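The idea of spotting unexpected activity through small changes in power draw can be sketched as follows. This is an added illustration, not WattsUpDoc's own algorithm or code: the window size, thresholds, function names and both power traces are assumptions constructed for the example.

```python
from statistics import mean, pstdev

WINDOW = 10  # samples per analysis window (assumed value)

def window_features(trace, size=WINDOW):
    """Split a power trace into fixed windows; return (mean, spread) for each."""
    feats = []
    for start in range(0, len(trace) - size + 1, size):
        w = trace[start:start + size]
        feats.append((mean(w), max(w) - min(w)))
    return feats

def fit_baseline(clean_trace):
    """Learn (mean, sigma) of every feature from a known-clean device."""
    columns = zip(*window_features(clean_trace))
    return [(mean(col), pstdev(col)) for col in columns]

def anomalous_windows(model, trace, k=4.0, floor=0.5):
    """Indexes of windows where any feature lies more than k sigma from baseline.

    `floor` (in mW) stops sigma collapsing towards zero on a very regular
    baseline, which would otherwise turn measurement noise into alerts.
    """
    flagged = []
    for idx, feats in enumerate(window_features(trace)):
        if any(abs(v - mu) > k * max(sigma, floor)
               for v, (mu, sigma) in zip(feats, model)):
            flagged.append(idx)
    return flagged

def duty_cycle(n):
    """Constructed trace (mW): a repeating duty cycle plus small ripple."""
    return [100.0 + 3.0 * (i % 5) + 0.2 * (i % 3 - 1) for i in range(n)]

CLEAN = duty_cycle(200)       # recorded while the device is known to be clean
MONITORED = duty_cycle(100)   # trace under observation
for i in range(40, 60):       # constructed deviation: +4 mW of unexpected work
    MONITORED[i] += 4.0

MODEL = fit_baseline(CLEAN)
FLAGGED = anomalous_windows(MODEL, MONITORED)

if __name__ == "__main__":
    print("baseline (mean, sigma) per feature:", MODEL)
    print("windows flagged for review:", FLAGGED)
```

A flagged window only says that the device drew power differently from its baseline; a legitimate change in workload would raise the same alert and has to be ruled out separately.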
Be aware, be prepared
The possible consequences resulting from a cybersecurity incident could be monumental, with broad implications for patient health, care delivery, and provider litigation risk. As a provider or a patient, the key is to be aware of the risk. Providers should work to safeguard patients by establishing security protocols and securing each practice. Patients should be informed as needed of issues and educated on potential risks.
Padma Gulur is a professor of anaesthesiology and the executive vice chair for operations and performance at Duke Anaesthesiology, Duke University (Durham, USA).