January 20, 2018 12:00 AM

Hacked medical devices could wreak havoc on health systems

Rachel Z. Arndt
    The FDA last month updated rules requiring hospitals and other providers to include the device identifier number in reports of patient deaths related to the use of a medical device.

    When doctors replaced then-Vice President Dick Cheney's pacemaker in 2007, they asked the manufacturer to disable the device's Wi-Fi, hoping to keep would-be hackers out.

    Though it appears that no one has hacked into a pacemaker in order to hurt the person in which it resides, it's not out of the realm of possibility, and it's something healthcare digital security executives are working to prevent.

    THE TAKEAWAY

    Medical devices that are connected to hospital computer systems create vulnerabilities that can be difficult to manage.

    What's even more attractive to digital trespassers than hacking a pacemaker, though, is hacking a device like a networked MRI machine as a way into a Wi-Fi network. That could provide access to a health system's network, where hackers could wreak all sorts of havoc, ultimately risking patient safety by potentially interrupting care, whether by holding electronic health records hostage, breaching protected health information, taking down the system entirely, or simply causing devices to malfunction.

    Hacks into an increasingly connected healthcare system would also cut into organizations' bottom lines, since equipment might be out of commission for days.

    "In the past, we didn't really have to worry about bad actors with medical devices," said Joe Lewelling, vice president of emerging technologies and health information technology at the Association for the Advancement of Medical Instrumentation. "That's no longer true."

    Healthcare organizations are growing increasingly concerned about the security of their devices—both those installed in hospitals and those installed in patients themselves. Keeping hackers at bay is more complicated, on a broader scale, than disabling a pacemaker here or there (even when that pacemaker belongs to the vice president). It requires training health system employees from the C-suite down, putting devices on secure parts of Wi-Fi networks, and keeping an eye on smaller issues, like default logins.

    "The same things that give these devices greater usefulness also make them more vulnerable from a security standpoint," said Dr. Sean Kelly, chief medical officer of cybersecurity firm Imprivata. "There becomes this tug of war between security and convenience."

    The risks

    "There's no such thing as absolute security in the electronic world," said Jim Shehan, senior counsel and chairman of the Food and Drug Administration regulatory practice for Lowenstein Sandler.

    There are various ways into a hospital's information systems. Hackers can go straight for the computers, using phishing emails—the most well-known technique—to work their way in.

    But they also can wriggle in through devices connected to a hospital's network, sneaking in through insecure connections. Nearly anything—an MRI or an infusion pump, for example—can be used as an entry point.

    Once inside, hackers could relatively easily disrupt an entire network. They could, for instance, install ransomware like WannaCry, which encrypts information so hackers can demand ransom in exchange for the decrypted files. Or they could steal protected health information.

    "The main consequence of a medical device security problem tends to be unavailability," said Kevin Fu, director of the Archimedes Center for Medical Device Security.

    No matter what hackers do, they pretty much always put patient safety at risk. Without access to EHRs, providers struggle to know patient histories and what's next in their care. Without access to medical devices, they can't run important tests.

    Even with access to those devices, they can't be sure, once a hacker is in the network, whether those devices will function correctly—whether an infusion pump will deliver the right dosage, for instance.

    "Sometimes we forget that security is a means to an end, and that end is better patient outcomes and safer and more effective devices," Fu said.

    Because medical devices are often built to last more than a few years, many of them at this point are already old from an internet security standpoint.

    "We have thousands of devices on our system," said Cris Ewell, chief information security officer for UW Medicine in Seattle. "I know I have many that still have legacy software on them. Sometimes, the manufacturers don't even have the updates and healthcare systems can't replace all their medical devices—it's cost-prohibitive."

    Indeed, legacy devices are of particular concern to security officers, who must balance risk with the cost of replacing those devices.

    "There's no real good fix except to upgrade to the next generation of device or find compensating controls, like robust logging and monitoring capability," said Russell Jones, a partner with Deloitte Risk and Financial Advisory.

    Then there are the devices that are actually inside of patients, like Cheney's pacemaker. Because those devices are rarely connected to hospital networks, they're less lucrative to break into.

    But in theory, a criminal could break in to hurt the person who has the device. Or, if the device is connected to some other network, they could steal information from that network, much as they would from a hospital network.

    Although what they might actually do is somewhat unclear, what is clear is the fear triggered by the very possibility of hacking—hence Cheney's disabled Wi-Fi and the firewalls put up around all sorts of devices installed in hospitals.

    The fixes

    "There's a need for long-term change in how devices are manufactured and developed and how they're supported," said Jennings Aske, chief information security officer at New York-Presbyterian.

    When medical device manufacturers don't make secure devices, it's up to health systems to pick up the slack.

    It's important for health systems to know, before anything is installed, what operating system is being used. So health systems should talk to device manufacturers pre-installation, said David Chou, chief information and digital officer of Children's Mercy Kansas City.

    Health systems should know what operating system a device is running and whether the manufacturer will support an upgrade—and whether it's even possible to upgrade the software.

    Something that might help with that is a software bill of materials, which many in the industry are calling for. The bill of materials would list all the software components a device contains.
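
To make the bill-of-materials idea concrete, the following added example (not part of the original article) cross-references a device inventory against newly published advisories. Every device name, component, version and advisory ID in it is constructed for illustration, and the "fixed in" version comparison is a simplifying assumption.

```python
from dataclasses import dataclass


def parse_version(text):
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder, not a real identifier
    component: str     # third-party component the advisory covers
    fixed_in: str      # first version that is no longer affected


# Constructed SBOMs: device -> list of (component, version) it ships with.
DEVICE_SBOMS = {
    "infusion-pump-A": [("example-rtos", "4.2.0"), ("example-tls", "1.0.2")],
    "mri-console-B": [("example-os", "7.1"), ("example-tls", "1.1.5")],
    "patient-monitor-C": [("example-rtos", "5.0.1")],
}
# Devices whose manufacturer supplied no SBOM: exposure cannot be determined.
NO_SBOM = ["legacy-ct-D"]

ADVISORIES = [
    Advisory("EXAMPLE-ADV-001", "example-tls", "1.1.0"),
    Advisory("EXAMPLE-ADV-002", "example-rtos", "5.0.0"),
]


def affected_devices(sboms, advisory):
    """Return (device, component, version) for each device running a version below the fix."""
    fixed = parse_version(advisory.fixed_in)
    hits = []
    for device, components in sorted(sboms.items()):
        for name, version in components:
            if name == advisory.component and parse_version(version) < fixed:
                hits.append((device, name, version))
    return hits


def triage(sboms, no_sbom, advisories):
    """Per advisory: devices known to be affected, plus devices that cannot be assessed."""
    return {
        adv.advisory_id: {
            "affected": affected_devices(sboms, adv),
            "unknown": sorted(no_sbom),
        }
        for adv in advisories
    }


if __name__ == "__main__":
    for advisory_id, result in triage(DEVICE_SBOMS, NO_SBOM, ADVISORIES).items():
        print(advisory_id, result)
```

The "unknown" list is the practical point: a device without a bill of materials cannot be ruled in or out when an advisory lands, so it has to be treated as potentially exposed.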

    "If we knew the third-party software included in the devices we purchase, we could better track risks as software vulnerabilities are identified," Aske said.

    But there's still the problem of the devices that health systems have already installed on their networks. As one solution, Ewell and others have turned to segmentation, which is when a network is divided into smaller networks, so a device is connected to only a subsection of the overall network. That way, should a hacker gain access to a device, he wouldn't gain access to the entire network.

    Firewalls are another solution, as is stepped-up monitoring of network traffic.

    Health systems might also get some help from device manufacturers, which sometimes offer updates and patches.

    But installing those upgrades can be tricky.

    "If you've got a machine that generates $1 million in revenue a day, it's really hard to tell your CFO that vulnerability is worth taking it off line for two days," said David Nickelson, director of health strategy and behavior change at Sapient Health.

    Even though manufacturers have begun building security into devices, it's sometimes not strong enough. For instance, devices often come with easy-to-guess default logins, such as "admin" for both the username and password. And devices might, by default, use insecure protocols for encryption.

    But one of the defaults may actually be helping: Many of these devices run on wired, rather than wireless, networks. That's a boon, since healthcare and other industries tend to be better at protecting wired devices compared to wireless devices.

    The politics

    In June, the Healthcare Industry Cybersecurity Task Force—a group established by HHS, as directed by the Cybersecurity Act of 2015—recommended that the government write policies to help healthcare organizations strengthen their defenses and adopt a new cybersecurity framework.

    But legislation has languished. A bill introduced in 2014 would have required government agencies to get software bills of materials for new products. And a bill introduced last year would have required the FDA to write "report cards" for networked devices.

    The FDA itself has issued guidance documents on device security, which agency representatives said could be updated.

    "As we learn more, we want to incrementally raise the expectations for the security of devices," said Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health.

    Currently, the FDA recommends that manufacturers take cybersecurity into account when designing devices and continue to do so after the devices have been introduced.

    "It is important to us that manufacturers build security and develop a program through the lifetime of the device for maintenance," Schwartz said.

    That guidance is helpful, Nickelson said, but before it was issued, manufacturers saved money by paying less attention to security. "There's a fairly significant fleet of devices that have back-door vulnerabilities built in," he said.

    That leaves manufacturers and hospitals to bear the brunt of the responsibility, Aske said.

    "Manufacturers and health systems need to collaborate on addressing the risks," he said. "Large hospitals have to take a leadership role."

    Modern Healthcare
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.