Medical Device Hacks: The DangersFDA Summit Speakers Urge Action to Prevent Dire Consequences
It's only a matter of time before a patient is killed or injured due to a targeted cyber-attack against a medical device - or even as the result of an unintentional cyber vulnerability. That was the reality-check warning from experts participating in a medical device cybersecurity workshop hosted by the Food and Drug Administration on Oct. 21.
Using a laptop computer to remotely tamper with a Web-enabled implanted medical device, such as a pacemaker, has the potential to be as deadly as using a gun in an assassination attempt, says Jason Lay, manager of cyberthreat information at the U.S. Department of Health and Human Services. "We know this possibility is very real."
In light of these risks, the FDA hosted the event to help propel improved medical device cybersecurity information sharing and collaboration among healthcare sector stakeholders - including hospitals, clinics and medical device makers - as well as with government agencies, including the FDA, Department of Homeland Security, Department of Health and Human Services, and the National Health Information Sharing and Analysis Center.
There's growing concern that interconnected and Internet-enabled medical devices, such as medication infusion systems, ventilators and pacemakers, are vulnerable to cyberthreats. As a result, Lay even envisions a time when "a doctor scans you for malware" in implanted medical devices.
In addition to potential premeditated murder scenarios, patients could be harmed in other circumstances, such as a cybersecurity attack by a nation state on an unprotected medical device that's used as an entry point to steal an academic medical center's intellectual property, says Ray Strucker, special agent in the FDA's criminal investigations office.
"There's a high chance of collateral damage even if an intrusion or attack is [designed] for something else, like access to PHI," adds Kevin McDonald, a security expert at the Mayo Clinic.
To help prevent those nightmare scenarios, medical device makers and healthcare providers alike need to adopt better cybersecurity practices and improve the sharing of threat information, participants at the workshop said.
For example, medical device makers need to take steps to prevent and detect tampering of firmware, says Billy Rios, a white hat hacker who's researched medical device security and serves as director of vulnerability research and threat intelligence at Qualys. The current firmware practices used by most device manufacturers make it difficult to verify whether firmware has been altered through tampering, he says. By contrast, manufacturers of other technology products, ranging from smart phone to gaming systems, "solved this problem years ago."
More healthcare organizations also need to consider the cybersecurity of medical devices as part of their broader risk analysis and best practices, experts at the workshop advised.
But because so many healthcare providers, including small hospitals, are faced with limited resources and know-how to tackle security issues, they rely on best practices shared by others, says Chantal Worzala, director of policy at the American Hospital Association. "Hospitals work in a culture of safety," she says. Improving information sharing is essential "to expose cybersecurity [threats and vulnerabilities] for safety and not for casting blame," she adds.
Also, better forensics tools are needed for investigating cyber-attacks involving medical devices and identifying the perpetrators, the FDA's Strucker says. "What are the tools to assist me to work on a tampering case?" he asks. "We don't hear enough of those discussions."
Axil Wirth, a systems engineer at Symantec, adds that the distributed-denial-of-service attack earlier this year on Boston Children's Hospital is additional proof that the healthcare sector is a target for hackers.
Also, an attack by Chinese hackers earlier this year on computers of Community Health Systems, which resulted in a breach impacting more than 4 million individuals, is another sign of the threats facing healthcare organizations, noted Wesley Snell, director of computer security incident response at HHS. "The target of the attack was intellectual property and patient information," he says. China's aging population is fueling "double-digit growth" in medical device development, he adds. "They are looking for information to better their own industry."
Many healthcare organizations fail to implement best practices that can help boost the cybersecurity of medical devices, says Kevin Hemsley, project manager of the Idaho National Lab, which works with the Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, a unit of DHS. Those best practices include segmenting medical devices from other networked systems. "Flat networks that aren't segmented are a problem we've seen," he says.