EXECUTIVE SUMMARY

Hackers can access medical devices in ways that could jeopardize patient safety. Patients can be harmed intentionally or through the corruption of vital data.

• The threat has been proven and is not just theoretical.

• Medical devices have been recalled because of hacking vulnerabilities.

• Device manufacturers have not always built security into their products.


Security concerns with healthcare technology often involve safeguarding protected health information (PHI), but there is a real threat to patient safety from hackers accessing the medical devices used in treating patients. Hospitals and health systems must be proactive in addressing the risks and not rely only on device manufacturers to keep patients safe, security experts say.

The risk to medical devices grows as more and more become part of the internet of things (IoT), in which physical devices are embedded with technology to make them wirelessly accessible.

Researchers have reported exploitable vulnerabilities in Medtronic pacemakers that hackers could use to interfere with the electronic impulses that regulate patients’ heartbeats. At the Black Hat cybersecurity conference in Las Vegas, security experts Billy Rios and Jonathan Butts reported on vulnerabilities they found in the Medtronic CareLink 2090 pacemakers. There are about 33,000 of the devices in use in the United States.

Medical device company Abbott also announced a voluntary recall of 465,000 pacemakers in 2017 due to a possible hacking threat. The FDA said the devices contained vulnerabilities that could allow access to a patient’s device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.

McAfee, a cybersecurity company based in Santa Clara, CA, found the potential to falsify a patient’s medical vital signs in under five seconds. The company’s threat research team noted that healthcare systems use central monitoring stations to make decisions on patient treatment and other critical care.

“This information is gathered from many IoT devices on the network using uncommon networking protocols,” the team wrote in a recent blog post. “What if these devices indicate a patient was peacefully resting, when in fact they are under cardiac arrest?”

The McAfee team reported a weakness in one of the networking protocols used by medical IoT devices (the RWHAT protocol) to monitor a patient’s condition and vitals. This protocol is used in some of the most critical systems in hospitals.

“The weakness discovered allows medical data to be modified by an attacker in real time to provide false information to medical personnel,” McAfee reported. “Lack of authentication also allows rogue devices to be placed onto the network and mimic patient monitors.” (The McAfee blog post is available online at: https://bit.ly/2P0sacS.)
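The following is an added example, not code from McAfee, this article, or any device vendor. It sketches how a central monitoring station could refuse altered readings and unenrolled or impersonating monitors by requiring a per-device HMAC tag and an increasing sequence number on every message. The message layout, device IDs, and keys are constructed for illustration and do not represent the RWHAT protocol.

```python
import hashlib
import hmac
import json

# Constructed per-device key table; device ID and key are hypothetical.
DEVICE_KEYS = {"bed-12-monitor": b"constructed-demo-key-bed-12"}


def seal(device_id, seq, vitals, key):
    """Sender: serialize one reading and attach an HMAC-SHA256 tag."""
    body = json.dumps({"device": device_id, "seq": seq, "vitals": vitals},
                      sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


class Station:
    """Receiver: central station that only accepts authenticated readings."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}  # highest sequence number accepted per device

    def accept(self, msg):
        try:
            fields = json.loads(msg["body"])
            device, seq, tag = fields["device"], fields["seq"], msg["tag"]
        except (ValueError, KeyError, TypeError):
            return "reject: malformed"
        if not isinstance(device, str) or not isinstance(seq, int):
            return "reject: malformed"
        key = self.keys.get(device)
        if key is None:
            return "reject: unknown device"
        expected = hmac.new(key, msg["body"], hashlib.sha256).hexdigest()
        if not isinstance(tag, str) or not hmac.compare_digest(expected, tag):
            return "reject: bad tag"
        if seq <= self.last_seq.get(device, -1):
            return "reject: replayed or out of order"
        self.last_seq[device] = seq
        return "accept"


def demo():
    station = Station(DEVICE_KEYS)
    genuine = seal("bed-12-monitor", 1, {"hr": 0, "spo2": 71},
                   DEVICE_KEYS["bed-12-monitor"])
    # Reading altered in transit: body changed, original tag kept.
    tampered = dict(genuine, body=genuine["body"].replace(b'"hr": 0', b'"hr": 72'))
    # Device without the provisioned key claiming to be the bed-12 monitor.
    rogue = seal("bed-12-monitor", 2, {"hr": 72, "spo2": 98}, b"not-the-real-key")
    # Device ID that was never enrolled at the station.
    unknown = seal("bed-99-monitor", 1, {"hr": 72, "spo2": 98}, b"any-key")
    return [station.accept(m) for m in (tampered, rogue, unknown, genuine, genuine)]
```

Calling `demo()` shows the altered reading, the impersonating device, the unenrolled device, and the replayed message all rejected, while the one genuine reading is accepted once.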

Those incidents and reports show that the risk from medical devices is not just theoretical, says Alan Brill, senior managing director with the Cyber Risk Practice for Kroll in Secaucus, NJ.

“In cybersecurity, there is sometimes the tendency to hype a potential threat before anything has really happened and before it is anything more than a theory. This is not the case here,” Brill says. “Rather than being a science fiction-type hype, this is a real thing that has been acknowledged by the FDA. And it’s not just implantable devices that are at risk, because many devices are updated wirelessly through the internet, and that opens the possibility of a hacker getting access in that way.”

The growing use of home healthcare and outpatient services is driving the use of more wireless devices that can update and transfer data over the internet, notes Stacy Scott, managing director with the Cyber Risk Practice for Kroll in Dallas. That creates a threat to the integrity of that data, she says.

“You can be making decisions based on data that is real-time but incorrect,” she says. “Availability of data is always a big issue, but the validity of that data can be just as important or more so. Losing financial data is bad, but the scariest thing is the possibility of caregivers making decisions based on vital signs, allergy indications, or other information that is not correct.”

Scott cautions that vendors are not always the best resource for information on keeping their products safe from intrusions.

“There are badly behaved vendors who will say things like they’ll lose their FDA clearance if they change anything on the device, even the password. That is simply not true,” Scott says. “The bigger vendors are working toward better security and developing better processes, but you have to work with the vendors and have a good communication process. When you have a better understanding of the risks and solutions, you can communicate more effectively with the vendors.”

Healthcare manufacturers have seen instances of attempted tampering with medical devices, says James DeGraw, JD, partner with the Ropes & Gray law firm in San Francisco.

“We’ve actively advised clients on situations where they suspected people were attempting to do things with their devices that they were not designed for,” DeGraw says. “In one instance, the client was worried about these issues with a product that went to a large market, and there were people who had gotten hold of one and were playing with it to see what they could alter. The client had thought about this ahead of time and had designed a defense for each access point, and that worked to keep people from doing harm with the devices.”

The threat to medical devices is gaining more attention from the FDA, explains Kirk J. Nahra, JD, partner with the law firm of Wiley Rein in Washington, DC.

“They are viewing cybersecurity as something that can potentially impact patient health,” he says. “There is a regulatory interest in trying to develop standards that weren’t there previously because it took years for us all to realize that this is a serious issue that can affect the health and safety of patients.”

The FDA has emphasized that cybersecurity for medical devices is a responsibility shared among healthcare providers, device manufacturers, and consumers. The FDA’s Center for Devices and Radiological Health (CDRH), the department responsible for regulating networked medical devices, conducts cybersecurity reviews on these devices.

Recently, the FDA recognized cybersecurity standards for standard, network-connectable devices.

Major improvements probably will be driven by manufacturers who are worried about litigation or reputational harm from their devices being breached in a way that harms patients, Nahra says.

“The FDA is likely to push device manufacturers to be smart about these things from the beginning,” he says. “There are lots of regulations and standards that push companies to do what they should be doing in their own self-interest anyway, and I suspect this is going to go in that direction also. The hospital also has some interest in ensuring that the vendor is taking the necessary steps to ensure the safety of the device, just as it has an obligation to verify that vendors have adequate data safety measures applying to protected health information.”

Security Not Included

There is no doubt that hackers can access medical devices and cause physical harm in addition to identity theft, says Roy Wyman, JD, partner with the law firm of Nelson Mullins Riley & Scarborough in Nashville, TN. There are plenty of stories of individuals hacking into more complex devices, such as cars, and changing how they function, he notes.

“The basic reason is that many connected devices do not have security baked in. Particularly with older devices, manufacturers would take older, disconnected device models and simply slap on the technology to connect them to a network,” Wyman says. “Security, to the extent it was addressed at all, was after the fact. Thankfully, some manufacturers are now making sure, at least with newer devices, that there is security by design in how they are developed.”

That change has been largely driven by concerns about liability and heavy pushes by larger hospitals and other providers, Wyman says.

The risks vary from hacking into a device to gain access to other systems such as electronic health records (EHRs) to changing the function of the device itself. The associated risks could be loss of a significant amount of personal health information or physical harm to patients, among others, Wyman says.

“The more savvy hospitals are reviewing the security features of these devices as well as requiring, contractually, that the manufacturers implement very specific security features to protect against such attacks,” he says.

Operating Systems Vulnerable

A recent study by Virta Laboratories into post-market medical device security monitoring determined that medical devices often are shipped with older, unsupported operating systems, notes Avani Desai, president of Schellman & Company, a security and privacy compliance assessor in Tampa, FL.

“In fact, several medical devices in 2012 were shipped with the outdated Microsoft Windows XP operating system. As medical devices can stay in clinical use for decades, outdated operating systems may lead to a lack of patch management,” she says. “This causes the device to be highly vulnerable to malware infection. As the healthcare industry is one of the top targets for malware and theft of medical records, this is a concern that needs to be mitigated early in the manufacturing process.”

Tracking and location are a concern, she notes. A number of medical devices enable the tracking and geolocation of the user, a legitimate feature that has been shown to improve patient outcomes.

Desai cites the example of asthma inhalers and elder care. Several inhalers use mobile apps via Wi-Fi to collect data about location and medical information, such as the time and date of an asthma attack. In the case of elder care, general location awareness is collected from a wearable device, she explains.

The use of Wi-Fi as a means to collect and share location data can increase privacy and security concerns if not correctly implemented. This can lead to man-in-the-middle (MitM) attacks, resulting in stolen PHI and even physical security concerns, she says.

Implantable Devices at Risk

Implantable devices also are a concern. Medical devices that are physically implanted into the body (IMDs) are the most intrusive devices known, Desai notes.

Due to the devices’ intimate use, IMDs pose the greatest security concerns for patients and may have potentially fatal consequences. A study on IMDs by the University of Madrid in Spain found that IMDs were subject to MitM attacks across unsecured Wi-Fi connections, she explains. The study stated that IMDs contain significant PHI such as name, address, and Social Security number — all of which are at risk of theft from eavesdropping.

“In an environment where PHI is a highly attractive commodity for a criminal, any weakness in security measures will be found. The medical device market itself is financially healthy; however, we need to remember the patient. Taking basic security and privacy measures, such as ensuring that patching of operating systems and software is achievable and performed, will help prevent breaches,” Desai says.

“Nonetheless, as medical devices become ever more likely to be internet-enabled and to share data across cloud platforms, we also need to take precautions against the interception of patient data. Ensuring safe Wi-Fi implementation and setup and using encryption for data both in transfer and at rest will help to ensure a healthy outlook for medical devices and the patients who use them.”

Traditionally, the IoT has focused little on privacy by design and security by design, the concept that privacy and security should be implemented at the design stage of any new product offering, says Michael Hellbusch, JD, an attorney with Rutan & Tucker in Costa Mesa, CA. As a result, the functional components of IoT devices often lack the proper security, leaving them vulnerable to hacking and malware attacks.

“Simply put, medical devices were not designed to be connected to the internet, and when that functionality was added, little to no thought was given to security. Now it is recognized that connected medical devices are alarmingly vulnerable to hackers who are able to gain access to and control the devices to use them maliciously,” he says.

One notable example, Hellbusch notes, occurred in 2013 when doctors disabled the wireless capability of former Vice President Dick Cheney’s implanted defibrillator and heart pump due to fears of potential assassination attempts via device hacking.

“Yet such concerns are not relegated to heads of state. Networked medical devices of all types bear familiar risks, including unauthorized control and access, denial-of-service attacks, and ransomware or malware,” he says. “In addition, as an endpoint for hospital networks, they are another access point to an organization’s data centers.”

Risk assessments should include the level of security on a device, the ability to correct any gap in security, the risk of harm associated with a networked medical device (such as determining whether it is a Class I, II, or III device), and the cost of that potential harm, he says.

‘Wireless’ Means ‘Hackable’

Any device that has wireless connectivity can be hacked — everything from mobile point of sale terminals to vacuum cleaners, says Rami Muleys, head of application security business development at Positive Technologies in Boston, a provider of enterprise security solutions.

“Lately, we could see increasing numbers of medical devices such as pacemakers, drug pumps like insulin infusion devices, implantable defibrillators, and other devices implementing wireless connectivity for doctors to control and fine-tune their work and update firmware. This makes these devices incredibly dangerous for patients,” he says. “Potentially, a criminal could research and reverse communication protocols and exploit vulnerabilities in the simple software used in those tiny devices. For example, they could change the heart rate controlled by pacemakers or inject wrong doses of drugs or even make them show the wrong data, leading doctors to the wrong conclusions and causing them to make mistakes in their treatment.”

Muleys notes that the Medtronic CareLink 2090 programmers, which the security researchers’ report at the Black Hat conference showed could be compromised, were running on Windows XP, a vulnerable and obsolete operating system no longer supported by Microsoft.

“The main reason for those risks is that the vendors are relying on the security by obscurity concept and not implementing security features on the design stage of the devices,” he says.

In a security bulletin updated in October, Medtronic acknowledged vulnerabilities in its CareLink 2090 and CareLink Encore 29901 programmers and the software deployment network (SDN) for updating device software. According to the bulletin, posted on the Medtronic website, the company has taken steps to deal with the risk. “To remediate these vulnerabilities and enhance cybersecurity of device programmers, Medtronic has disabled access to the SDN.” Medtronic representatives will update the software manually when needed, the bulletin states.

Muleys points out that healthcare applications became the most highly attacked of all sectors in third-quarter 2017, registering 1,526 incidents per day on average, according to findings in the Q3 2017 web application attack report from Positive Technologies.

Attacks on healthcare applications and devices had varying motivations. Throughout 2017, there were attacks aimed at gaining control of a server or accessing data. On multiple occasions, media reports described leaks of data from medical centers followed by a ransom demand sent to clinic management and patients, he notes.

Healthcare organizations concerned about security should address those risks starting with comprehensive assessments of their organization’s infrastructure by security experts and white hat hackers, Muleys says. A security assessment will allow hospitals to take an inventory of the digital perimeter and internal infrastructure, identify security risks and vulnerabilities, triage them, and build a threat model appropriate for the organization, he says.

Many times, healthcare providers experience a false sense of security because of their trust in public clouds and medical software and equipment vendors, Muleys says.

“The only way to make vendors invest more in security is if the hospitals and healthcare organizations make information security a priority and ask vendors what they’ve done to secure their products,” he says. “In the coming years, cybersecurity in treatment will be as important for patients’ health as the chemical safety of drugs, but the regulation and control are on absolutely different levels.”

Brill advises risk managers to conduct risk assessments that include factors such as how many devices are subject to this risk, how they are updated, how many updates have not been applied, how passwords are changed, and whether any devices have been left with the default password.

“Then you will have a much more complete picture of your risks and your existing responses to those risks,” he says. “That will yield a picture much more revealing than most hospitals have right now.”

SOURCES

• Alan Brill, Senior Managing Director, Cyber Risk, Kroll, Secaucus, NJ. Phone: (201) 319-8026. Email: abrill@kroll.com.

• James DeGraw, JD, Partner, Ropes & Gray, San Francisco. Phone: (415) 315-6343. Email: james.degraw@ropesgray.com.

• Avani Desai, President, Schellman & Company, Tampa, FL. Phone: (866) 254-0000.

• Michael Hellbusch, JD, Rutan & Tucker, Costa Mesa, CA. Email: mhellbusch@rutan.com.

• Rami Muleys, Head of Application Security Business Development, Positive Technologies, Boston. Phone: (857) 208-7273.

• Kirk J. Nahra, JD, Partner, Wiley Rein, Washington, DC. Phone: (202) 719-7335. Email: knahra@wileyrein.com.

• Stacy Scott, Managing Director of Cyber Risk, Kroll, Dallas. Phone: (972) 795-3075. Email: stacy.scott@kroll.com.

• Roy Wyman, Partner, Nelson Mullins, Nashville, TN. Phone: (615) 664-5362. Email: roy.wyman@nelsonmullins.com.