Cyberbattle

For more than two years now, the federal agency that serves retired warriors has been waging its own battle.

Officials at the Veterans Health Administration have been placing certain electronic devices behind a sophisticated web of protection in an effort to fight off a growing number of cyber-attacks. The move, says Charles Gephart, director of the VA's IT field security operations, is intended to prevent potentially life-threatening compromises to a host of clinical information and patient-care devices.

As a part of the effort, the VA's IT staff has placed items such as glucometers, imaging machines, pharmacy dispensing cabinets and picture archiving and communications systems on their own networking systems. By isolating the devices from the hospital's main network, the VA hopes to prevent them from becoming accidentally or purposefully contaminated with computer viruses that, despite best efforts, slip through facilities' firewalls.

The sizable task required the VA to centralize its IT system across all patient-care sites. The agency then categorized and grouped more than 50,000 medical devices based on their functions and manufacturers and placed them on separate virtual-local area networks, or VLANs. The configured networks disconnected the devices from the Internet, disabling communication with potential hackers, but still allowed caregivers to remotely access and monitor the devices. So far the effort has paid off, Gephart says. “We've never had an issue where the integrity of the system was compromised to the point that it had an effect on patient care. That's what we're trying to prevent,” he says.

Still, Gephart acknowledges that staying a step ahead of cyber-attackers is no easy feat. The VA has detected malware in 163 medical devices since officials began monitoring the problem in January 2009. “These can be anything from a minor virus to the Conficker virus,” Gephart says. And while much of the focus in healthcare has been on protecting patients' personal information from hackers intent on identity theft, among IT security experts there is growing concern over the potential for patient care to be compromised by terrorists intent on inflicting harm and fear, or as a consequence of an accidental viral infection.

“It's not just about people stealing patient records; it's also about the potential for a terrorist attack,” says Greg Hoglund, CEO of the IT security firm HBGary. “Right now, there are little malware time bombs that have infected all our systems. Primarily, they're coming from people working in Eastern Europe, Brazil and the Philippines who are focused on profit, not terrorism. But they sell the info to people who want it, and now you have the ability for a nontechnical attacker to get into a system and cause other kinds of harm.”

That harm includes the very real possibility for cyber-attackers to purposefully or accidentally affect medical devices implanted in patients, used to monitor patients, or to provide care such as e-prescribing and automatic dispensing of medication. “In some cases, there may be a problem that is so subtle we don't even notice it,” says Gephart of the challenges medical providers face in dealing with potential sabotage of devices. “But that could be a problem because we don't know what that virus is doing, and with a medical device, if the function is off by just a couple of degrees that can be an issue.”

Already there have been harbingers of the growing cyberthreat. In mid-2009, hospitals in the U.S. and other parts of the world discovered that imaging machines and other medical devices connected to the Internet had become infected with the dreaded Conficker virus.

Conficker attaches itself to Microsoft Windows operating systems that have not received a security patch against the virus. Once attached, the virus program periodically connects to the Internet for directions from its inventor. Those directions rewrite Windows, causing operating problems in the various devices that use the system.

A number of medical devices use Windows operating systems, and according to David Finn, a health IT officer with the technology security firm Symantec Corp., his company heard from clients whose pharmacy dispensing cabinets locked up or improperly recorded information as a result of being infected with the Conficker virus. “And it was not with just one manufacturer,” says Finn of the variety of dispensaries infected with the virus.

This past July, Kern Medical Center, Bakersfield, Calif., was hit by a computer virus that temporarily shut down the 172-bed hospital's EHR system and forced medical staff to use paper records. It took officials roughly two weeks to correct the problem and get the EHR system back online, according to news reports.

But a recent experiment conducted at the University of Reading in England has provided a view toward just how serious a threat cyber-attacks on medical devices could be. In May 2010, Mark Gasson, a senior research fellow at Reading's School of Systems Engineering, proved he was able to infect a security chip implanted in his hand with a virus. Gasson uses the chip to access his cell phone and buildings on the university's campus.

For the experiment, Gasson programmed a virus into a security access system that his chip typically interacts with. Gasson found that the virus not only transferred to his chip when he tried to gain access to the security system, but also to other computer systems with which the chip later came into contact. “The implant I have is similar to the (radio frequency identification) already in use, and it could be a sort of core technology that is used” in equipment that monitors patients, Gasson says. “We already have pacemakers with wireless connectivity that allows doctors to monitor their patients remotely,” he adds. “We tend to find that these devices don't have any security controls, so if you have access to it, you change the settings.”

Such escalating problems prompted the UC Davis Health System, Sacramento, Calif., to hold a healthcare cyberterrorism seminar in August in hopes of preparing healthcare providers to better handle what many IT experts expect to become increasingly sophisticated attacks. “The message during the conference was that healthcare is a soft target” for hackers, says Peter Yellowlees, director of the UC Davis health informatics graduate program.

A survey released in November by the Healthcare Information and Management Systems Society hinted at the healthcare industry's lagging investment in IT security. According to the findings, 33% of physician practices and 14% of hospitals responding to the survey say they don't perform security risk analysis.

Austin Berglas, a supervising special agent with the Federal Bureau of Investigation's New York City cyber branch office, says he's not surprised by healthcare's lack of investment in IT security, but that it creates a highly problematic security risk.

Implementing a solid IT security system demands a number of costly steps. The cost varies with the size of the healthcare provider, say IT security experts, but it could easily run a midsize hospital six figures annually.

Berglas says providers would rather spend money on direct patient care. But, he argues, ignoring the threat can put patients at risk. “Everybody spends what they want to spend on IT until there's a breach, and then they want to dump money towards it. But, by then it's too late because it's much more costly to fix a problem.”

But finding money to put up firewalls, construct VLANs and take other steps against cyber-attacks isn't healthcare providers' only challenge. Once security breaches to medical devices are discovered, manufacturers are unable to distribute security patches without undergoing reviews of the changes by the Food and Drug Administration. That typically means a lag of three months between the time a security patch is developed and made available to healthcare providers, say healthcare IT-security experts.

Bernie Liebler, director of technology and regulatory affairs for the Advanced Medical Technology Association—a lobbying group for medical device manufacturers—notes regulatory agencies are in the early stages of addressing cybersecurity as it relates to medical devices. “The FDA's mission is to approve and clear devices depending on their safety and effectiveness,” he says. “So far, they haven't taken on the task of cybersecurity.

“But I don't think any industry is where it would like to be in terms of IT security,” he adds. “I think the whole world needs to play catch up in this area.”