The massive cyberattack that took down Twitter, Spotify and other popular web services last week took advantage of the so-called "internet of things," specifically web-connected security cameras and digital video recorders.
Healthcare has its own internet of things, including infusion pumps, patient monitors, ventilators and a wide array of other life-sustaining devices. Although concerns have been raised about the security of web-connected medical devices and equipment, experts say it's unlikely they could be used in a similar attack.
Cameras and DVRs used in the attack were rudimentary devices with manufacturer-default security that cannot be changed by the consumer, said Ken Dort, a partner and cybersecurity expert at law firm Drinker Biddle & Reath. Security settings on medical equipment, however, can generally be configured to the specifications of provider information technology specialists. Experts agree the designers behind the devices have significantly more cybersecurity experience.
But concerns about the vulnerabilities of medical devices still abound.
The Food and Drug Administration warned providers in July 2015 against using a Hospira pump that could be hacked remotely. Last month, a short-selling investment firm argued St. Jude Medical's pacemakers and other devices could be “crashed” by hackers, a claim the company has vehemently denied. In 2014, three unnamed medical-device companies were under review by the Department of Homeland Security for possible cybersecurity vulnerabilities.
Successful hacks of medical devices have mostly been done with direct access, rather than remotely, and often are carried out with devices acquired through casual resellers with unknown maintenance history, said Juuso Leinonen, a health devices project officer at the ECRI Institute, which evaluates medical equipment. Nevertheless, hackers will always be looking for a way in, so device manufacturers have to vigorously test their devices, and hospitals need to secure their networks.
“We know that there are shortcomings with medical devices, and manufacturers are definitely stepping up their game, by the sounds of it, and hospitals are taking it seriously,” Leinonen said.
Hospitals can guard against hackers by keeping abreast of new threats and by considering device security when comparing products during the purchasing process. Leinonen pointed to several hospitals, including the Mayo Clinic in Rochester, Minn., that have established cybersecurity standards for devices they buy.
“To really eliminate these problems, security needs to be designed in,” said Kevin Fu, an associate engineering professor at the University of Michigan and chief scientist at Virta Laboratories, a cybersecurity startup. “You have to prepare in the product cycle, 10 years before. We already know the problems we'll have.”
It's also important hospitals are aware of their web-connected devices and understand the threats that come with them, Fu said. Virta Laboratories has developed a tool that helps hospitals manage their web-connected devices by mapping out devices on their network, scanning for device vulnerabilities and helping providers triage those threats.
The FDA released much-anticipated guidance in January recommending devicemakers monitor, identify and respond to cybersecurity vulnerabilities as a part of routine post-market surveillance. The draft guidance also requires devicemakers to report some information about vulnerabilities to the FDA.
Dort of Drinker Biddle & Reath represents several healthcare companies. While history shows a breach is possible even with the most robust systems, he said, companies work hard to secure their products given the information they have.
“I'm not aware of a situation where I would opine that they could do more,” Dort said. “Data security is foremost on their minds, and I'm just not aware of a situation where they would go forward and provide less-than-optimal security.”