If you are worried about your bank account and credit score, consider something far worse: attackers have started targeting medical devices as a way to harm, and potentially kill, other people. The same devices that can save your life can endanger it if abused or mishandled. Internet-connected medical devices are proliferating at an astonishing pace as part of the wider Internet of Things, and that growth raises a mounting number of questions about their safety. The problem is not that the devices themselves are questionable, but that they are incredibly hard to protect against certain cyber attacks.
There are two kinds of unhealthy attacks.
Cyber attacks on health care target two distinct things. The first is data: the familiar database breach, in which confidential personal information is accessed and copied without authorization, or ransomware that locks records until a payment is made. Earlier this year the Indiana-based Hancock Health system paid $55,000 in bitcoin to resolve a ransomware attack that held about 1,400 of its files hostage, including the private medical records of patients. Attacks like this, at home and abroad, force health systems to fall back to pen and paper to run business processes and patient care. A breach of this kind is disruptive and unsettling, but it does not directly cause physical harm, although the outage that follows can delay care.
But we have recently seen a growing number of attacks on medical devices themselves that are far more than a nuisance: they can kill patients. A newer wave of more targeted ransomware, capable of hitting critical systems such as MRI (magnetic resonance imaging) scanners, CT scanners, infusion pumps and X-ray machines, has been spreading through health care systems at an alarming rate. Researchers have estimated that at least half of major health care providers have been hit by malware at some point. Ransomware in particular demands large extortion payments before the affected systems are restored to normal operation, and in the meantime the attack can have potentially deadly consequences for the patients who depend on those systems.
Tampering of this kind can alter machine settings, take life-supporting equipment offline, or corrupt the patient data that clinicians rely on to deliver care. A record that defines a drug dosage, for example, could be changed without authorization and cause an overdose. Malicious manipulation of these critical systems greatly raises the potential for patient harm, and it puts enormous pressure on providers to make the threat go away quickly, which often means paying the attackers regardless of the cost.
Why is this happening?
Like so much of modern society, health care is moving rapidly into a connected, digitized world. In a modern hospital it is not unusual for a single patient to be attached to 15 or more network-connected devices at once. Together these devices form an increasingly complex network, and every one of them adds attack surface. Monitoring and securing each device individually is becoming practically impossible.
Further, while health care technology vendors are working on improvements, a large number of aging legacy systems remain in use. Outdated software makes any device more vulnerable to attack than newer technology, because known flaws never get patched. Research has found that many devices still run Windows XP, first released in 2001 and last supported in 2014. Leaving these older devices unupgraded may be cost effective, but they are an IT nightmare: they can no longer be patched, they often cannot run modern endpoint protection, and they frequently sit on the same flat network as everything else.
With so many potential entry points into an organization's IT infrastructure, and with cyber attacks on clinical equipment a relatively recent phenomenon, it is easy to see why medical professionals might not think of a CT scanner or an X-ray machine as the path to a potentially deadly attack. But that is exactly what they can be.
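The first practical step against the legacy problem described above is knowing which devices on the network are past vendor support and how exposed each one is. The following script is an added example written for this page, not code from the article or from any vendor: it reads a constructed asset-register export (the column names are assumed), maps free-text OS strings to a small table of published end-of-support dates, and ranks devices by a simple, assumed scoring scheme that weighs years out of support, internet reachability and network segmentation. Devices whose OS is not in the table are reported as "unknown" rather than silently treated as safe.

```python
"""Triage a clinical device inventory for operating systems past end of support.

Added example for this page. The inventory rows below are constructed and the
column names, scoring and zone labels are assumptions, not any real hospital's data.
"""
import csv
import io
from datetime import date

# Vendor-published end of extended support dates for OS families commonly
# found on legacy clinical devices. Extend this table for your own estate.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows server 2003": date(2015, 7, 14),
    "windows server 2008": date(2020, 1, 14),
    "windows 7": date(2020, 1, 14),
    "windows embedded standard 7": date(2020, 10, 13),
}

# Constructed sample inventory (asset register export, assumed column names).
SAMPLE_INVENTORY = """\
asset_id,device_type,os,ip,network_zone,internet_reachable
IMG-0042,CT scanner,Windows XP Professional SP3,10.20.5.17,clinical-flat,no
IMG-0107,MRI console,Windows 7 SP1,10.20.5.33,clinical-flat,no
PMP-2210,Infusion pump server,Windows Embedded Standard 7,10.30.1.9,isolated-vlan,no
RAD-0311,X-ray workstation,Windows Server 2003 R2,10.20.5.41,clinical-flat,yes
LAB-0090,Lab analyzer,Ubuntu 20.04,10.40.2.5,clinical-flat,no
"""


def classify_os(os_name):
    """Map a free-text OS string to a known family and its end-of-support date.

    Returns (family, date), or (None, None) when the OS is not in the table.
    The longest matching family name wins, so a more specific entry is never
    shadowed by a shorter one that happens to be a substring of the string.
    """
    name = os_name.lower()
    matches = [family for family in END_OF_SUPPORT if family in name]
    if not matches:
        return None, None
    family = max(matches, key=len)
    return family, END_OF_SUPPORT[family]


def score_device(row, today):
    """Return (status, score) for one inventory row. Score 0 means nothing to do today.

    Assumed scoring scheme, deliberately simple:
      1 + whole years past end of support, capped at 5
      x2 if the device is reachable from the internet
      +1 if it sits on a flat clinical network rather than an isolated VLAN
    """
    family, eos = classify_os(row["os"])
    if eos is None:
        return "unknown", 0          # not "safe": nobody has checked it yet
    if today <= eos:
        return "supported", 0
    years_past = int((today - eos).days / 365.25)
    score = 1 + min(years_past, 5)
    if row["internet_reachable"].strip().lower() == "yes":
        score *= 2
    if row["network_zone"].strip().lower() != "isolated-vlan":
        score += 1
    return "unsupported", score


def triage(inventory_csv, today):
    """Parse an inventory export and return findings ranked by score, highest first.

    `today` may be a datetime.date or an ISO date string such as "2021-01-01".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, score = score_device(row, today)
        findings.append({
            "asset_id": row["asset_id"],
            "device_type": row["device_type"],
            "os": row["os"],
            "status": status,
            "score": score,
        })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, date.today()):
        print(f"{f['score']:>3}  {f['status']:<11} {f['asset_id']:<9} "
              f"{f['device_type']:<22} {f['os']}")
```

Run against a real export, the ranking tells a small security team where to start: an internet-reachable Server 2003 box on a flat clinical VLAN outranks an XP scanner console that is at least behind a firewall, and "unknown" rows are a prompt to fill in the inventory rather than a pass.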
What’s being done?
Fortunately, progress is being made. Earlier this decade, the U.S. Food and Drug Administration (FDA) began to include cybersecurity among the criteria for product approval. More recently, the FDA and the U.S. Department of Homeland Security (DHS) announced an agreement establishing a framework for coordination and cooperation between the two agencies on medical device cybersecurity.
“As innovation in medical devices advances and more devices are connected to hospital networks or to other devices, ensuring that devices are adequately protected against cyber intrusions is paramount to protecting patients. The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns,” said FDA Commissioner Scott Gottlieb, M.D.
Gottlieb also stressed the need for everyone involved to do their part, saying, “…we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder has a unique role to play in addressing these modern challenges.”
Here’s the takeaway…
Like other high-tech developments, such as self-driving cars, digital aviation control, and the Internet of Things (IoT), health care software holds great potential for benefit but also a frightening downside, possibly lethal physical harm, if it is compromised by someone with bad intentions. Until these issues are adequately addressed, your health will remain in jeopardy.