The nightmare scenario of dialing devices to deadly

Editor's note: This story is part of an online special report and has been edited for the print edition of Modern Healthcare. Please visit the web version of Building a Better Cyberdefense.

Data breaches are the most immediate cybersecurity worry for healthcare organizations. Nothing less than patient privacy, data access, ransomware cash and even the institution's reputation could be put in play through slipshod data security practices.

But looming over America's hospitals and medical practices is a potentially deadlier threat: hackers or blackmailers taking over web-connected medical devices and threatening to inflict patient harm.

Healthcare cybersecurity professionals are sounding the alarm bells about a medical device industry that has lagged behind other industries in equipping their products with strong defenses against hacking. It's a problem providers can't avoid, even though they have limited staff to ensure that their medical device security is up-to-date and their networked data flow has adequate protections.

It has become common practice for hospitals to sequester devices in restricted parts of their networks so hackers can't exploit their weaknesses to infiltrate PCs and servers, said Tremayne Smith, chief information security officer at Ohio State University Wexner Medical Center.

“You have to manage it that way, because in my opinion, the medical device space has to catch up to the other more sophisticated places in our network and they shouldn't necessarily play in the same playground right now without being monitored,” Smith said.

A wide range of technologies that are critical to patient care are connected to the web and therefore vulnerable to hacking. Patient monitors, infusion pumps, imaging devices and diagnostic equipment can all be connected to providers' networks so they can automatically send information and files to the electronic health record and nursing station monitors or store files on hospital servers.

Theoretically, a hacker could force a life-saving device to malfunction, gain access to patient data from a patient monitor or imaging device, or simply as a gateway into the provider's network.

But the nightmare scenario is still theoretical—there's no known instance of a hacker using a device to harm a patient. That doesn't mean it won't happen.

“You don't need a car crash to know that a car is going to crash if the wheels are coming off,” said Kevin Fu, chief scientist at Virta Laboratories, a cybersecurity startup that wants to help hospitals better track their devices.

Some manufacturers have acknowledged that hackers could disrupt care for financial gain or other reasons, although that is often in response to prodding by the Food and Drug Administration. Manufacturers and the FDA alerted providers and patients to a number of vulnerable devices in the past few years, including in Hospira's Symbiq infusion pump and an insulin pump made by Johnson & Johnson subsidiary Animas Corp.

Some manufacturers have actively resisted acknowledging problems with their technologies. Last fall, St. Jude Medical, which was recently acquired by Abbott Laboratories, vehemently denied accusations by a short-selling firm that its defibrillators and other cardiac devices were vulnerable to hacks that could cause dangerous malfunctions. But after the FDA and Department of Homeland Security launched an investigation, which concluded earlier this month, the company admitted that a Merlin@home, a device that transmits data from a St. Jude cardiac implant, had a vulnerability that could allow hackers to deplete the device's battery or cause inappropriate pacing or shocks to the heart.

St. Jude recently released an automatically downloaded software update that addressed the problem. No injuries have been reported as a result of the vulnerability.

“The safety and security of patients is always our primary focus,” said Phil Ebeling, St. Jude's vice president and chief technology officer, in a statement earlier this month. “We'll continue to work with agencies, security researchers, physicians and others in the industry in a coordinated way to develop best practices and standards that further enhance the security of devices across the medical industry.”

Because hackers can find vulnerabilities in software, some devicemakers have designed redundancies in their products' core features to guard against remote activation or access. The technology locks can also protect against malicious, in-person use of the devices.

For example, infusion pumps made by Becton, Dickinson and Co. require clinicians to push a physical button on the device to initiate an intravenous treatment. They also allow clinicians to program dose parameters into the machines. These safeguards are intended to protect against the nightmare scenario of a hacker remotely activating a pump and overdosing a patient. The devices use hospital networks to transmit data to the EHR.

Welch Allyn equipment that monitors and records patient vital signs can be configured to require authentication with clinician and patient credentials using either a login or barcode scanning. This protects the devices from remote hacking and ensures the data is transmitted to the right patient record. Some of BD's infusion pumps also offer barcode scanning of credentials and drugs.

While they are confident in the security of their devices, BD and Welch Allyn don't guarantee that their devices can't be manipulated. Some providers choose not to connect certain devices, concluding the potential for hacker disruption outweighs the convenience of transmitting diagnostic data directly to the EHR. Others don't have the infrastructure or expertise to do so.

This is especially true for Welch Allyn's vital signs devices, said Garrison Gomez, a senior director at Welch Allyn. A number of providers choose to type that information, such as body temperature or blood pressure, into the EHR separately.

But the accuracy and ease that come with connecting the devices directly to the EHR cannot be overstated, Gomez said. Manufacturers like Welch Allyn have ramped up efforts to protect their web-connected devices and invested in efforts to help providers design safer networks.

Many web-connected features have become available only in the past five years or so. During that time, devicemakers learned they needed to improve their security measures. Many have replaced Microsoft Windows operating systems with proprietary operating systems that should be harder to hack because they aren't public-facing and vary between brands.

But understanding the vulnerabilities in a network means having full inventory of the machines and software that are using it, and many healthcare organizations don't.

A Modern Healthcare survey found 31% of 51 respondents didn't have an accurate, complete record of all their web-connected devices, whether medical or nonmedical.

“If you don't know what equipment you have in your hospital, how are you going to protect it?” said Fu, of the cybersecurity startup Virta. Fu is also an associate professor of computer science and engineering at the University of Michigan in Ann Arbor.

Virta has developed BlueFlow, software that scans provider networks for connected medical devices and triages any security vulnerabilities to help providers determine what gaps should be addressed first. But even with adequate records some facilities still admit difficulties in getting staff to follow proper procedures in notifying IT staff about newly connected devices.

“While we are continually monitoring for these devices, we find instances where facilities will add devices and not inform corporate IT,” said one executive surveyed by Modern Healthcare.

In an effort to respond to weaknesses discovered by internal hackers and “white hat” hacker researchers, manufacturers offer security “patches” intended to resolve gaps in cyberdefense. St. Jude has released seven updates in the past three years for Merlin@home, the device recently deemed vulnerable by the FDA. The company plans to implement additional updates later this year to address remaining vulnerabilities. The FDA said the benefits of using the device outweigh any outstanding cybersecurity risks.

The FDA issued guidance in December that called on manufacturers to closely monitor, identify and respond to cybersecurity vulnerabilities as part of routine post-market surveillance of their devices. Rob Suarez, BD's director of product security, said the guidance has helped make it clear to manufacturers that software security patches generally don't require FDA review before release, and therefore should be expedited to ensure patient safety.

Even if manufacturers do their part in creating patches, providers don't always deploy them in a timely manner. Communication through direct contact and product security websites is crucial to ensuring devices are actually secured by end users, Suarez said. “We are developing those security patches for a reason.”

Cybersecurity experts and manufacturers alike told Modern Healthcare that providers have to get more serious about quickly and consistently implementing security patches.

Even when a manufacturer is diligent about making patches available, keeping up to date with them is taxing. Hospitals are often low on staff and have too many patients to take devices out of service for security patches, which must be tested to ensure they don't disrupt functionality. A large hospital or health system might have thousands of a particular device across numerous locations.

While some hospitals install patches to their devices every few months, others can go a year or more without updating their device software. At Nebraska Medicine and the University of Nebraska Medical Center, staff are looking every day for ways to be more efficient with testing and implementing software patches, said Sharon Welna, director of information security and compliance for the health system. But she emphasized that the hospital must take a measured approach to testing, even at the expense of time, because the risks of using a defective device are far too high.

“If a patch breaks something, you impact the healthcare of the patient, and you could potentially impact patient safety. Whereas, if you negatively impact the finance industry you're only impacting money,” Welna said. “Our testing has to be a little bit more deliberate than I think you need in other industries.”

The process of ensuring a provider's entire fleet of devices is patched is also complicated by an abundance of different operating systems running on different manufacturers' devices, said Dr. Dale Nordenberg, executive director of the Medical Device Innovation, Safety and Security Consortium, a not-for-profit organization that evaluates device security. MDISS is in the process of building a cybersurveillance network with risk profiles and threat intelligence that could help providers spend their resources where they are needed most.

At some point, devices get old enough that security patches are no longer available. Ideally, healthcare providers replace devices before that happens, but it's not always possible.

“There isn't a good solution right now. There's no silver bullet,” Nordenberg said. “The environment is very heterogeneous, and the challenges include many generations and many vendors.”