The security risk storm is here: Medical device threats are real and a patient safety risk
A recent anonymous international study from the University of California Cyber Team funded by MedCrypt found that a few healthcare delivery organizations and vendors believe between 100 and 1,000 patients had adverse events from compromised healthcare infrastructure cybersecurity events, like ransomware, malware, compromised EHRs or an attack on facility systems.
It’s a staggering number, especially when compared to the 80 percent of survey respondents that reported risks in medical devices are higher than what the Food and Drug Administration reports.
“There’s at least some self-reported evidence that some patients are being harmed by compromised medical devices,” said Christian Dameff, UC San Diego researcher and emergency room doctor at the HIMSS Media Security Forum in San Francisco on Tuesday.
The 40 individuals anonymously responded to two questions. The first asked respondents whether they were aware of any adverse patient events caused by a flaw in a device developed or produced by their organization. One respondent said yes, but did not indicate the number of event or patients involved.
The other question asked whether an attack on their organization's infrastructure caused any adverse patient events. And those respondents who said yes, said the adverse events impacted 100 to 1,000 patients.
Dameff, along with his colleague, Jeffrey Tully, UC Davis security researcher and pediatrician, also outlined a recent simulation of what happens when a patient’s medical device gets hacked.
The patient, represented by an actor, presented signs of chest pain to a team of nurses and doctors. The team went through normal procedures to treat the patient directly reflecting his symptoms. However, the ‘patient’s’ pacemaker was malfunctioning and routine attempts to use a magnet to fix the problem didn’t work.
As a result, the ‘patient’ kept dying and coming back to life because the hacked pacemaker kept shocking the patient at the wrong time.
What’s also concerning was the reaction from clinicians who took part in the simulation were completely unaware the device had been compromised, said Dameff. They were also asked if they would know what to do if a device was hacked, and all of them said ‘no.’ What’s more, none of the team had been trained in reacting to medical device hacks.
The point, Dameff said, is that while many have said these types of scenarios are relatively low, “the argument that something with a likelihood of being rare isn’t a reason to not address it.”
“The first time something like this actually happens will change the conversation entirely,” said Dameff. “We need talk about more than just devices -- also infrastructure. The risk is involved in every aspect of care. It’s important to be aware of the entire picture.”
“We rely on an incredible amount of technology to care for patients and trust the technology implicitly to care for our patients,” said Tully. “We’re afraid there’s a storm on the horizon -- and it may already be here. Healthcare cybersecurity is no longer really a compliance issue. It’s not only a protecting patient health information issue. Healthcare security is a patient safety issue.”
The next upcoming HIMSS Healthcare Security Forum is slated for Oct. 15-16 in Boston.