Hack Attack

Cybersecurity vulnerabilities of medical devices
By Ashley Thomas, Esq.

Fans of the TV show Homeland will recall watching the character portraying the U.S. Vice President die during the 2012 season after hackers remotely disabled his pacemaker. According to one report, former Vice President Dick Cheney was the inspiration for this episode. In an interview, Cheney previously revealed that he had his implantable heart device’s Bluetooth capabilities disabled to prevent possible hacking attempts during his tenure in office. This Hollywood dramatization is slowly becoming a new reality in the health care industry.

Medical device security has not always been a top priority for manufacturers and vendors. Those devices connected to the Internet that can send and receive data are at risk of being hacked by unauthorized users, potentially compromising patient care. While there aren’t any known instances of a patient’s medical device being hacked, those posing the greatest cybersecurity vulnerabilities include infusion pumps, implantable cardiovascular defibrillators (ICDs) and CT scans. These devices are at high risk because their web administration interfaces are not password protected or their passwords are easy to crack. This article examines recent concerns about cybersecurity vulnerabilities in medical devices.

Government Ramps Up Efforts

In response to an executive order from President Obama, the National Institute of Standards and Technology (NIST) released a framework and roadmap for improving critical infrastructure cybersecurity in February 2014. While the framework is not binding, health care organizations are encouraged to adopt various measures within it: to assess their existing cybersecurity measures, to serve as a benchmark for improving an existing cybersecurity program, or to create a cybersecurity plan.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) also revealed last year that it is investigating cases of cybersecurity vulnerabilities in a wide range of medical equipment, from imaging devices to hospital networking systems. The investigations began several years ago, out of fear that hackers were developing capabilities to exploit security flaws in medical devices since many of them rely on wireless technology and Internet connectivity. Some of the products under review include Hospira Symbiq infusion pumps and Medtronic’s implantable heart devices. ICS-CERT is working with the manufacturers to help them identify and repair security flaws.

The FDA is partnering with the National Health Information Sharing & Analysis Center, Inc. (NH-ISAC), to advance health care cybersecurity resilience. In October 2014, the FDA held an open workshop, with medical device manufacturers and professional and trade organizations, to analyze collaborative approaches and help participants develop tools and standards for building a comprehensive cybersecurity program.

User Beware

The FDA issued a warning to the public in July 2015 about security risks associated with the use of Hospira’s Symbiq infusion pumps. Hospitals were also advised by the FDA to cease operating the infusion system, which relies on a computerized pump to continuously deliver general infusion therapy.

The problem with the infusion pumps lies in the potential for remote access to the pump by an unauthorized user who could tamper with the dosage, causing serious health risks to patients. Hospira has confirmed that the Symbiq infusion system can be accessed remotely through a hospital’s network. While the FDA emphasized that it is currently unaware of any adverse events or unauthorized access of the infusion pump in a health care setting, the agency urged health care organizations to follow the cybersecurity best practices outlined by the FDA in 2013.

The FDA’s Safety Communication, “Cybersecurity for Medical Devices and Hospital Networks,” recommends actions for device manufacturers and health care facilities. In evaluating medical devices, manufacturers are advised to take steps to limit unauthorized device access to trusted users only; protect individual device components from exploitation; use design approaches that maintain a device’s critical functionality; and provide methods for retention and recovery after an incident where security has been compromised.

Health care facilities should evaluate their network security and restrict unauthorized access to the network, while also monitoring activity for unauthorized use; update appropriate antivirus software and firewalls; and develop strategies to maintain critical functionality during adverse events.

IoT Poses Risks

The FBI issued a public warning in September 2015 that as the Internet of Things (IoT) creates more efficiencies and conveniences in everyday life, this connectivity can also increase the risk of being hacked by cybercriminals. The myriad devices with some vulnerability, the FBI stated, include the usual suspects, such as wireless heart monitors and insulin dispensers, as well as wearables such as fitness devices. Deficient security measures, patching challenges and a lack of security awareness provide cybercriminals opportunities to remotely attack these devices. Cybercriminals can exploit these vulnerabilities in a number of ways, including sending malicious spam emails, stealing personal information or interfering with physical safety.

The FBI’s list of recommendations to consumers includes: 1) isolating IoT devices on their own protected networks; 2) purchasing IoT devices from manufacturers with a track record of providing secure devices; 3) updating devices with security patches when available; and 4) using strong passwords.

Telesurgery: A Risky Frontier?

Telesurgery allows a surgeon in one location to control a robot in a second location, where that robot will physically perform the surgery on the patient. Since the first telesurgical operation in 2001, there remain many unresolved security issues involving this cutting-edge technology, as researchers at the University of Washington demonstrated during an experiment conducted in April 2015. The researchers set out to explore some of the security pitfalls of this technology by hacking a teleoperated surgical robot, the Raven II. The Raven II utilizes a single PC, running software based on open standards that communicate with a control console using the Interoperable Telesurgery Protocol, a standard communications protocol for remote surgery.

The experiment demonstrated three types of attacks to which telesurgery with this robot is vulnerable. The first attack intercepted the commands sent by the operator to the robot and removed or reordered them. The second attack modified the intent of the operator’s signals to the robotic arm by changing the robotic arm movements. In the last attack, the researchers took complete control of the robot by hijacking the procedure. This was made easier by the Interoperable Telesurgery Protocol, which is publicly available, allowing hackers to understand and alter the signals. These communications took place over public networks that anyone could potentially have accessed. Open communications networks are easy targets for hackers who want to jam, disrupt or hijack signals being sent to the robot.

Each attack had an immediate impact on the robot, making it difficult to control and to carry out the operation. Some of these signal attacks prevented the robot from being properly reset, which made the surgical procedures impossible to perform. The researchers also discovered a significant privacy issue with the video connection: since it was publicly available, anyone could potentially watch the operation in real time. While organizations are encouraged to use encryption between the control console and the robot to mitigate attacks, these efforts aren’t foolproof because a hacker can still intercept the signals. The experiment wasn’t intended to discourage the development of telesurgery but to demonstrate the security and privacy concerns as this cutting-edge technology continues to evolve.
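The three attack classes above (dropped or reordered commands, modified commands, and injected commands from a party who hijacks the session) are exactly what an authenticated, sequence-numbered command channel is designed to detect on the robot side. The following is an added example, not code from the Raven II project, the University of Washington researchers or the Interoperable Telesurgery Protocol: it is a constructed illustration of the receiver-side checks, using a shared HMAC key (assumed to be provisioned per console/robot pair) and a strict sequence counter. It deliberately shows only authenticity and ordering with the Python standard library; confidentiality of the commands and video would need real encryption (for example an AEAD from a vetted library), and, as the article notes, none of this stops an attacker on an open network from observing or jamming traffic, which is why a gap in the sequence is treated as a fail-safe stop rather than silently skipped.

```python
import hashlib
import hmac
import json
import struct
from typing import List, Optional, Tuple

# Constructed demo key. In a real deployment the key would be provisioned
# per console/robot pair and never hard-coded (assumption for this example).
KEY = b"constructed-demo-key-not-for-real-use"

TAG_LEN = 32  # HMAC-SHA256 output length in bytes
SEQ_LEN = 8   # 64-bit big-endian sequence number


def sign_command(key: bytes, seq: int, command: dict) -> bytes:
    """Console side: frame = seq (8 bytes) || JSON payload || HMAC-SHA256 tag.

    The tag covers both the sequence number and the payload, so an on-path
    party without the key can neither alter the movement nor renumber it."""
    payload = json.dumps(command, sort_keys=True).encode()
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class RobotReceiver:
    """Robot side: accept a command only if its tag verifies and its sequence
    number is exactly the next one expected. Anything else is logged and
    rejected; the expected counter is not advanced on rejection, so a dropped
    or reordered frame stalls the channel (fail safe) instead of being skipped."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.expected_seq = 0
        self.log: List[str] = []

    def receive(self, frame: bytes) -> Optional[dict]:
        if len(frame) < SEQ_LEN + TAG_LEN:
            self.log.append("reject: truncated frame")
            return None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected_tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; verify the tag before parsing anything.
        if not hmac.compare_digest(tag, expected_tag):
            self.log.append("reject: bad tag (modified or forged in transit)")
            return None
        seq = struct.unpack(">Q", header)[0]
        if seq < self.expected_seq:
            self.log.append(f"reject: seq {seq} already processed (replay/reorder)")
            return None
        if seq > self.expected_seq:
            self.log.append(f"reject: seq {seq}, expected {self.expected_seq} (dropped or reordered)")
            return None
        self.expected_seq += 1
        return json.loads(payload)


def simulate_attacks() -> Tuple[List[bool], List[str]]:
    """Constructed traffic: one honest stream plus the tamper classes the article
    describes. Returns (per-step outcomes as expected?, receiver log)."""
    recv = RobotReceiver(KEY)
    frames = [sign_command(KEY, i, {"arm": "left", "move": [0, 0, i]}) for i in range(4)]
    results = []
    results.append(recv.receive(frames[0]) is not None)          # honest seq 0: accepted
    results.append(recv.receive(frames[2]) is None)              # reorder: seq 2 before seq 1
    tampered = bytearray(frames[1])
    tampered[SEQ_LEN + 4] ^= 0x01                                # modify one payload byte
    results.append(recv.receive(bytes(tampered)) is None)        # modified: tag fails
    results.append(recv.receive(frames[1]) is not None)          # honest seq 1: accepted
    results.append(recv.receive(frames[0]) is None)              # replay of seq 0
    forged = struct.pack(">Q", 2) + b'{"arm": "left", "move": [9, 9, 9]}' + b"\x00" * TAG_LEN
    results.append(recv.receive(forged) is None)                 # hijack attempt without the key
    return results, recv.log


if __name__ == "__main__":
    outcomes, log = simulate_attacks()
    print("all checks behaved as expected:", all(outcomes))
    for line in log:
        print(line)
```

Reading the log shows each rejected frame with its reason, which is the signal a monitoring system would alert on: a burst of tag failures or sequence gaps on a surgical channel is an incident, not noise. What the example cannot do is make a dropped frame reappear; that residual denial-of-service risk is the "not foolproof" caveat the article makes.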

Health Care Sector

Hospitals are slowly waking up to this new reality. Medical devices have historically been regulated for effectiveness and safety, not for security purposes. This is due in part to the fact that the FDA does not require a security assessment during the pre-market submission process and many vendors have not implemented security programs for their devices. The FDA did issue final guidance last year on pre-market submissions related to cybersecurity for the health care industry. The guidance encouraged manufacturers to consider cybersecurity risks in the design and development of their devices. However, this guidance is only voluntary and non-binding.

There has also been confusion within the health care sector about cyberintelligence and information sharing. The Department of Homeland Security has helped to educate health community members by breaking cyberintelligence down into different constructs with its Structured Threat Information eXpression (STIX) program. STIX would establish a standardized and structured language to represent cyber threat information. Ideally, this framework would be replicated for sharing medical device vulnerabilities and creating supporting mechanisms to combat potential attacks.

The Road Ahead

Medical device security has not always been a top priority for manufacturers and vendors. Those devices connected to the Internet that can send and receive data are at risk of being hacked by unauthorized users, potentially compromising patient care. Hospitals and health systems need a proactive and pre-emptive approach, investing in and developing a strong IT infrastructure with layered security and firewalls to deter hacking. These organizations are constantly challenged to anticipate unintentional threats and potential vulnerabilities. It is important that they remain vigilant as they continue to develop comprehensive systems to mitigate security risks.

Ashley Thomas, Esq., is an associate in the Indianapolis office of Hall, Render, Killian, Heath & Lyman. She may be reached at athomas@hallrender.com.
