When medical devices get hacked, hospitals often don't know it
The past three months have seen a record high in medical device recalls, increasing 126 percent in the first quarter of 2018 from last year, according to the Stericycle Recall Index. The biggest culprit was software, which is unsurprising given the increase in high-tech devices that often run on legacy systems.
While many healthcare systems have legacy platforms running on some part of their networks -- think MRIs and X-ray machines -- medical devices are one tool that can directly put patients at risk if a breach or software failure were to occur.
“Security on devices doesn’t just impact HIPAA, it affects patient safety,” said Christian Dameff, MD, an emergency room doctor at the University of California San Diego.
Not only is patient safety a real issue with a medical device breach, these hacks are already happening, explained Jeff Tully, an anesthesiologist and pediatrician at UC Davis. WannaCry crippled the legacy systems at the U.K. National Health Service, and they weren’t the initial target.
The attack hindered the ability to provide care, and with medical devices, those impacted are the critical groups of patients, said Tully. “There’s an argument that says ‘well, tell me someone whose pacemaker has been hacked.’ But we may not even know when it happens.”
Tully and Dameff took unsuspecting physicians and placed them in simulated medical device hacks -- and then asked if they thought a pump was hacked.
“And all of them said no,” said Tully. “They have implicit trust, and they lack the infrastructure. It’s a perfect setup for [medical devices] to be compromised.”
The trouble is antiquated, legacy systems with hardcoded passwords that can be found with a simple Google search, explained Tully. People aren’t looking for these types of breaches.
Depending on the target, it can be pretty simple to get in, explained Dameff. While a large hospital network is less likely to have a successful hack in this area with a developed, seasoned architecture, smaller providers with fewer resources may not be so lucky.
“The security shortage, coupled with architecting these networks, legacy devices, antiquated systems -- and huge attack surfaces -- these are messes we’ll be cleaning up,” said Dameff.
The pair have researched hacks on pacemakers, light scopes, insulin pumps and the like, and Tully said they demonstrate the impact on patient care if a hacker were able to break into the device. As both are active doctors, their mission is personal.
“Our big goal is to translate to people who may not understand the impact on those in the care setting,” said Dameff. “What we need to do moving forward is to change the paradigm to create a strategy to secure these devices.”
The hope is to challenge assumptions and educate CISOs to take these elements into consideration, and to see the clinical scenarios that can occur when a medical device is compromised, explained Tully.
It’s about “acknowledging that it’s going to happen, what am I going to do to prepare now?” he added.
Tully and Dameff will show actual simulations of the anatomy of a medical device hack at the HIMSS Healthcare Security Forum in San Francisco.
The forum in San Francisco, June 11-12, will focus on the business-critical information healthcare security pros need.