"There's no such thing as absolute security in the electronic world," said Jim Shehan, senior counsel and chairman of the Food and Drug Administration regulatory practice for Lowenstein Sandler.
There are various ways into a hospital's information systems. Hackers can go straight for the computers, using phishing emails—the most well-known technique—to work their way in.
But they also can wriggle in through devices connected to a hospital's network, sneaking in through insecure connections. Nearly anything—an MRI or an infusion pump, for example—can be used as an entry point.
Once inside, hackers could relatively easily disrupt an entire network. They could, for instance, install ransomware like WannaCry, which encrypts information so hackers can demand ransom in exchange for the decrypted files. Or they could steal protected health information.
"The main consequence of a medical device security problem tends to be unavailability," said Kevin Fu, director of the Archimedes Center for Medical Device Security.
No matter what hackers do, they pretty much always put patient safety at risk. Without access to EHRs, providers struggle to know patient histories and what's next in their care. Without access to medical devices, they can't run important tests.
Even with access to those devices, they can't be sure, once a hacker is in the network, whether those devices will function correctly—whether an infusion pump will deliver the right dosage, for instance.
"Sometimes we forget that security is a means to an end, and that end is better patient outcomes and safer and more effective devices," Fu said.
Because medical devices are often built to last more than a few years, many of them at this point are already old from an internet security standpoint.
"We have thousands of devices on our system," said Cris Ewell, chief information security officer for UW Medicine in Seattle. "I know I have many that still have legacy software on them. Sometimes, the manufacturers don't even have the updates and healthcare systems can't replace all their medical devices—it's cost-prohibitive."
Indeed, legacy devices are of particular concern to security officers, who must balance risk with the cost of replacing those devices.
"There's no real good fix except to upgrade to the next generation of device or find compensating controls, like robust logging and monitoring capability," said Russell Jones, a partner with Deloitte Risk and Financial Advisory.
Then there are the devices that are actually inside of patients, like Cheney's pacemaker. Because those devices are rarely connected to hospital networks, they're less lucrative to break into.
But in theory, a criminal could break in to hurt the person who has the device. Or, if the device is connected to some other network, they could steal information from that network, much as they would from a hospital network.
Although what they might actually do is somewhat unclear, what is clear is the fear triggered by the very possibility of hacking—hence Cheney's disabled Wi-Fi and the firewalls put up around all sorts of devices installed in hospitals.