Hacked medical devices could wreak havoc on health systems
Skip to main content
MDHC_Logotype_white
Subscribe
  • My Account
  • Login
  • Subscribe
  • News
    • This Week's News
    • COVID-19
    • Providers
    • Insurance
    • Government
    • Finance
    • Technology
    • Safety & Quality
    • People
    • Regional News
    • Digital Edition
    • Biden more bullish on vaccines, open to 1.5M daily shot goal
      Billing, antitrust exemption changes upend negotiations between insurers and providers
      Few nursing home residents have received second COVID-19 vaccine dose
      Fresenius building renal genomic registry to inform precision care for kidney disease
    • Biden more bullish on vaccines, open to 1.5M daily shot goal
      Few nursing home residents have received second COVID-19 vaccine dose
      The missing piece in our fight against COVID-19: primary care
      Google to convert office space for COVID-19 vax clinics
    • Ascension’s St. Mary’s Hospital Surgery Center at Towne Centre and Allegheny Health Network’s Bethel Park surgery center
      Hospitals see opportunity, risk in ambulatory surgery centers
      Health suffers as rural hospitals close
      Medicare ACO participants fell in 2021
      Louisiana gets reports vaccine providers are discriminating
    • Billing, antitrust exemption changes upend negotiations between insurers and providers
      MAIN-Health Bill_iStock_i.jpg
      Insurance-tech firm MultiPlan makes $155M buy after blank-check deal
      Last-minute COVID costs cut into UnitedHealthcare's $396 million operating income
      CMS approves rule forcing insurers to ease prior authorization
    • It's a secret: California keeps key virus data from public
      lacewell_linda_supertinendent_dept_of_financial_services_8.47.jpg
      New York state investigates drug price spikes during pandemic
      Health experts blame rapid expansion for vaccine shortages
      HHS freezes rule targeting community health centers' drug discounts
    • KPMG says deal activity will stay high in '21: 10 takeaways
      By the Numbers: 20 largest healthcare investment banks in 2020
      Providers await new HHS coronavirus grant reporting deadline
      Operation Warp Speed Dr. Moncef Slaoui, Pfizer Group President Angela Hwang, Moderna CEO Stephane Bancel, CVS Health Executive Vice President Karen Lynch and McKesson CEO Brian Tyler participate in a panel discussion on the COVID-19 vaccine.
      Hospitals, drug companies strive to stand out virtually at JPM
    • Google to convert office space for COVID-19 vax clinics
      Next Up Podcast: What to expect with telehealth and healthcare technology in the next 4 years - Transcript
      Dr. Karen DeSalvo
      Next Up Podcast: What to expect with telehealth and healthcare technology in the next four years
      A man in a room with servers.
      Momentum grows to outsource hospital tech functions in 2021
    • China pushes conspiracy theories on COVID origin, vaccines
      An older man wearing a mask receiving a vaccine.
      Want more diversity in clinical trials? Start with the researchers
      Avocado
      Avocado a day keeps the doctor away
      50% of Americans make resolutions. Fewer than 27% keep them over time.
      Data Points: Sticking with your resolutions
    • WEb_i.jpg
      Q&A: Dr. Cliff Megerian, University Hospitals' soon-to-be CEO
      ZentyWeb_i.jpg
      Tom Zenty is leaving a legacy of transformational growth at University Hospitals
      Cerner names Erceg as new CFO
      Elizabeth Richter will serve as acting CMS administrator
    • Midwest
    • Northeast
    • South
    • West
  • Insights
    • ACA 10 Years After
    • Best Practices
    • InDepth Special Reports
    • Innovations
    • The Affordable Care Act after 10 years
    • New care model helps primary-care practices treat obesity
      doctor with patient
      COVID-19 treatment protocol developed in the field helps patients recover
      Rachel Wyatt
      Project to curb pressure injuries in hospitals shows promise
      Yale New Haven's COVID-19 nurse-staffing model has long-term benefits
    • Modern Healthcare InDepth: Breaking the bias that impedes better healthcare
      Videos: Healthcare industry executives describe their encounters with racism
      Michellene Davis
      Healthcare leadership lacks the racial diversity needed to reduce health disparities
      Dr. James Hildreth
      How medical education can help fight racism
      Quotes from rebadged employees
      Outsourcing IT, revenue cycle takes toll on internal culture
    • A phone screen showing the question, "Mary we hope this information was helpful and we'd like to keep guiding you. Are you interested in knowing when it's your turn to receive the vaccine?"
      Chatbots, texting campaigns help manage influx of COVID vax questions
      A woman with a wearable sensor talking to her provider.
      Wearable sensors help diagnose heart rhythm problems in West Virginia
      self service station
      COVID-19 pushes patient expectations toward self-service
      Targeting high-risk cancer patients with genetics
  • Transformation
    • Patients
    • Operations
    • Care Delivery
    • Payment
    • Highmark Health inks six-year cloud, tech deal with Google
      Study: 1 in 5 patients report discrimination when getting healthcare
      HHS proposes changing HIPAA privacy rules
      Android health records app launches at 230 health systems
    • California hospitals prepare ethical protocol to prioritize lifesaving care
      Amazon, JPMorgan Chase, Berkshire Hathaway disband Haven
      Digital pathways poised to reshape healthcare continuum in 2021
      Healthcare was the hardest hit by supply shortages across all U.S. industries
    • A phone screen showing the question, "Mary we hope this information was helpful and we'd like to keep guiding you. Are you interested in knowing when it's your turn to receive the vaccine?"
      Chatbots, texting campaigns help manage influx of COVID vax questions
      A woman with a wearable sensor talking to her provider.
      Wearable sensors help diagnose heart rhythm problems in West Virginia
      New care model helps primary-care practices treat obesity
      How hospitals are building on COVID-19 telehealth momentum
    • Regional insurers bet big on virtual-first plans
      MedPAC votes to boost hospital payments, freeze or cut other providers
      Most Next Gen ACOs achieved bonuses in 2019
      Congress recalibrates Medicare Physician Fee Schedule after lobbying
  • Data/Lists
    • Rankings/Lists
    • Interactive Databases
    • Data Points
    • Health Systems Financials
      Executive Compensation
      Physician Compensation
  • Op-Ed
    • Bold Moves
    • Breaking Bias
    • Commentaries
    • Letters
    • Vital Signs Blog
    • From the Editor
    • Wellstar CEO calls adapting for the pandemic her bold move
      Howard P. Kern
      Recognizing the value of telehealth in its infancy
      Dr. Stephen Markovich
      A bold move helped take him from family doctor to OhioHealth CEO
      Dr. Bruce Siegel
      Why taking a hospital not-for-profit was Dr. Bruce Siegel’s boldest move
    • Barry Ostrowsky
      Ending racism is a journey taken together; the starting point must be now
      Laura Lee Hall and Gary Puckrein
      Increased flu vaccination has never been more important for communities of color
      John Daniels Jr.
      Health equity: Making the journey from buzzword to reality
      Mark C. Clement and David Cook
      We all need to 'do something' to fight inequities and get healthcare right, for every patient, every time
    • The missing piece in our fight against COVID-19: primary care
      Ambulatory surgery centers offer extraordinary value in a high-cost healthcare system
       Alan B. Miller
      Looking ahead with optimism as we continue to transform healthcare
      Dr. Bruce Siegel
      By protecting the healthcare safety net, Biden can put us on the path to a stronger country
    • Letters: Eliminating bias in healthcare needs to be ‘deliberate and organic’
      Letters: Maybe dropping out of ACOs is a good thing for patients
      Letters: White House and Congress share blame for lack of national COVID strategy
      Letters: VA making strides to improve state veterans home inspections
    • Sponsored Content Provided By Optum
      How blockchain could ease frustration with the payment process
      Sponsored Content Provided By Optum
      Three steps to better data-sharing for payer and provider CIOs
      Sponsored Content Provided By Optum
      Reduce total cost of care: 6 reasons why providers and payers should tackle the challenge together
      Sponsored Content Provided By Optum
      Why CIOs went from back-office operators to mission-critical innovators
  • Awards
    • Award Programs
    • Nominate
    • Previous Award Programs
    • Other Award Programs
    • Best Places to Work in Healthcare Logo for Navigation
      Nominations Open - Best Places to Work in Healthcare
      Nominations Open - Health Care Hall of Fame
      Nominations Open - 50 Most Influential Clinical Executives
    • 100 Most Influential People
    • 50 Most Influential Clinical Executives
    • Best Places to Work in Healthcare
    • Health Care Hall of Fame
    • Healthcare Marketing Impact Awards
    • Top 25 Emerging Leaders
    • Top 25 Innovators
    • Top 25 Minority Leaders
    • Top 25 Women Leaders
    • Excellence in Nursing Awards
    • Design Awards
    • Top 25 COOs in Healthcare
    • 100 Top Hospitals
    • ACHE Awards
  • Events
    • Conferences
    • Galas
    • Webinars
    • COVID-19 Event Tracker
    • bright.md logo lockup webinar
      Sponsored Content Provided By Bright.md
      Webinar: Enabling a hybrid care model — Streamlining the patient path to both telehealth and in-person care
    • Leadership Symposium
    • Healthcare Transformation Summit
    • Women Leaders in Healthcare Conference
    • Workplace of the Future Conference
    • Strategic Marketing Conference
    • Social Determinants of Health Symposium
    • Best Places to Work Awards Gala
    • Health Care Hall of Fame Gala
    • Top 25 Minority Leaders Gala (2022)
    • Top 25 Women Leaders Gala
  • Listen
    • Podcast - Next Up
    • Podcast - Beyond the Byline
    • Sponsored Podcast - Healthcare Insider
    • Video Series - The Check Up
    • Sponsored Video Series - One on One
    • Dr. Karen DeSalvo
      Next Up Podcast: What to expect with telehealth and healthcare technology in the next four years
      Carter Dredge
      Next Up Podcast: Ready, set, innovate! Innovation and disruption in healthcare
      Next Up Podcast: COVID-19, social determinants highlight health inequities — what next?
      Ceci Connolly
      Next Up Podcast: How to navigate the murky post-election waters
    • Beyond the Byline: Regulators aim to boost value push with fraud and abuse law updates
      An older man wearing a mask receiving a vaccine.
      Beyond the Byline: Verifying information on the chaotic COVID-19 vaccine rollout
      doctor burnout
      Beyond the Byline: How healthcare supply chain struggles contribute to employee burnout
      Beyond the Byline: Covering race and diversity in the healthcare industry
    • Leading intention promote diversity and inclusion
      Introducing Healthcare Insider Podcast
    • The Check Up: Dr. Joseph Kerschner
      The Check Up: Dr. Joseph Kerschner of the Medical College of Wisconsin
      The Check Up: Chip Kahn
      The Check Up: Chip Kahn of the Federation of American Hospitals
      The Check Up: Trenda Ray
      The Check Up: Trenda Ray of the University of Arkansas for Medical Sciences
      The Check Up: Dr. Kenneth Davis
      The Check Up: Dr. Kenneth Davis of Mount Sinai Health System
    • Video: Ivana Naeymi Rad of Intelligent Medical Objects
  • MORE +
    • Advertise
    • Media Kit
    • Newsletters
    • Jobs
    • People on the Move
    • Reprints & Licensing
MENU
Breadcrumb
  1. Home
  2. Technology
January 20, 2018 12:00 AM

Hacked medical devices could wreak havoc on health systems

Rachel Z. Arndt
  • Tweet
  • Share
  • Share
  • Email
  • More
    Print
    Getty Images
    The FDA last month updated rules requiring hospitals and other providers to include the device identifier number in reports of patient deaths related to the use of a medical device.

    When doctors replaced then-Vice President Dick Cheney's pacemaker in 2007, they asked the manufacturer to disable the device's Wi-Fi, hoping to keep would-be hackers out.

    Though it appears that no one has hacked into a pacemaker in order to hurt the person in which it resides, it's not out of the realm of possibility, and it's something healthcare digital security executives are working to prevent.

    THE TAKEAWAY

    Medical devices that are connected to hospital computer systems create vulnerabilities that can be difficult to manage.

    What's even more attractive to digital trespassers than hacking a pacemaker, though, is hacking a device like a networked MRI machine as a way into a Wi-Fi network. That could provide access to a health system's network, where hackers could wreak all sorts of havoc, ultimately risking patient safety by potentially interrupting care by holding electronic health records hostage; breaching protected health information; taking down the system entirely; or simply causing devices to malfunction.

    Hacks into an increasingly connected healthcare system would also cut into organizations' bottom lines, since equipment might be out of commission for days.

    "In the past, we didn't really have to worry about bad actors with medical devices," said Joe Lewelling, vice president of emerging technologies and health information technology at the Association for the Advancement of Medical When doctors replaced then-Vice President Dick Cheney's pacemaker in 2007, they asked the manufacturer to disable the device's Wi-Fi, hoping to keep would-be hackers out.

    Though it appears that no one has hacked into a pacemaker in order to hurt the person in which it resides, it's not out of the realm of possibility, and it's something healthcare digital security executives are working to prevent.

    What's even more attractive to digital trespassers than hacking a pacemaker, though, is hacking a device like a networked MRI machine as a way into a Wi-Fi network. That could provide access to a health system's network, where hackers could wreak all sorts of havoc, ultimately risking patient safety by potentially interrupting care by holding electronic health records hostage; breaching protected health information; taking down the system entirely; or simply causing devices to malfunction.

    Hacks into an increasingly connected healthcare system would also cut into organizations' bottom lines, since equipment might be out of commission for days.

    "In the past, we didn't really have to worry about bad actors with medical devices," said Joe Lewelling, vice president of emerging technologies and health information technology at the Association for the Advancement of Medical Instrumentation. "That's no longer true."

    Healthcare organizations are growing increasingly concerned about the security of their devices—both those installed in hospitals and those installed in patients themselves. Keeping hackers at bay is more complicated, on a broader scale, than disabling a pacemaker here or there (even when that pacemaker belongs to the vice president). It requires training health system employees from the C-suite down, putting devices on secure parts of Wi-Fi networks, and keeping an eye on smaller issues, like default logins.

    "The same things that give these devices greater usefulness also make them more vulnerable from a security standpoint," said Dr. Sean Kelly, chief medical officer of cybersecurity firm Imprivata. "There becomes this tug of war between security and convenience."

    The risks

    "There's no such thing as absolute security in the electronic world," said Jim Shehan, senior counsel and chairman of the Food and Drug Administration regulatory practice for Lowenstein Sandler.

    There are various ways into a hospital's information systems. Hackers can go straight for the computers, using phishing emails—the most well-known technique—to work their way in.

    But they also can wriggle in through devices connected to a hospital's network, sneaking in through insecure connections. Nearly anything—an MRI or an infusion pump, for example—can be used as an entry point.

    Once inside, hackers could relatively easily disrupt an entire network. They could, for instance, install ransomware like WannaCry, which encrypts information so hackers can demand ransom in exchange for the decrypted files. Or they could steal protected health information.

    "The main consequence of a medical device security problem tends to be unavailability," said Kevin Fu, director of the Archimedes Center for Medical Device Security.

    No matter what hackers do, they pretty much always put patient safety at risk. Without access to EHRs, providers struggle to know patient histories and what's next in their care. Without access to medical devices, they can't run important tests.

    Even with access to those devices, they can't be sure, once a hacker is in the network, whether those devices will function correctly—whether an infusion pump will deliver the right dosage, for instance.

    "Sometimes we forget that security is a means to an end, and that end is better patient outcomes and safer and more effective devices," Fu said.

    Because medical devices are often built to last more than a few years, many of them at this point are already old from an internet security standpoint.

    "We have thousands of devices on our system," said Cris Ewell, chief information security officer for UW Medicine in Seattle. "I know I have many that still have legacy software on them. Sometimes, the manufacturers don't even have the updates and healthcare systems can't replace all their medical devices—it's cost-prohibitive."

    Indeed, legacy devices are of particular concern to security officers, who must balance risk with the cost of replacing those devices.

    "There's no real good fix except to upgrade to the next generation of device or find compensating controls, like robust logging and monitoring capability," said Russell Jones, a partner with Deloitte Risk and Financial Advisory.

    Then there are the devices that are actually inside of patients, like Cheney's pacemaker. Because those devices are rarely connected to hospital networks, they're less lucrative to break into.

    But in theory, a criminal could break in to hurt the person who has the device. Or, if the device is connected to some other network, they could steal information from that network, much as they would from a hospital network.

    Although what they might actually do is somewhat unclear, what is clear is the fear triggered by the very possibility of hacking—hence Cheney's disabled Wi-Fi and the firewalls put up around all sorts of devices installed in hospitals.

    The fixes

    "There's a need for long-term change in how devices are manufactured and developed and how they're supported," said Jennings Aske, chief information security officer at New York-Presbyterian.

    When medical device manufacturers don't make secure devices, it's up to health systems to pick up the slack.

    It's important for health systems to know, before anything is installed, what operating system is being used. So health systems should talk to device manufacturers pre-installation, said David Chou, chief information and digital officer of Children's Mercy Kansas City.

    Health systems should know what operating system a device is running and whether the manufacturer will support an upgrade—and whether it's even possible to upgrade the software.

    Something that might help with that is a software bill of materials, which many in the industry are calling for. The bill of materials would list all the software components a device contains.

    "If we knew the third-party software included in the devices we purchase, we could better track risks as software vulnerabilities are identified," Aske said.

    But there's still the problem of the devices that health systems have already installed on its network. As one solution, Ewell and others have turned to segmentation, which is when a network is divided into smaller networks, so a device is connected to only a subsection of the overall network. That way, should a hacker gain access to a device, he wouldn't gain access to the entire network.

    Firewalls are another solution, as is stepped-up monitoring of network traffic.

    Health systems might also get some help from device manufacturers, which sometimes offer updates and patches.

    But installing those upgrades can be tricky.

    "If you've got a machine that generates $1 million in revenue a day, it's really hard to tell your CFO that vulnerability is worth taking it off line for two days," said David Nickelson, director of health strategy and behavior change at Sapient Health.

    Even though manufacturers have begun building security into devices, it's sometimes not strong enough. For instance, devices often come with easy-to-guess default logins, such as "admin" for both the username and password. And devices might, by default, use insecure protocols for encryption.

    But one of the defaults may actually be helping: Many of these devices run on wired, rather than wireless, networks. That's a boon, since healthcare and other industries tend to be better at protecting wired devices compared to wireless devices.

    The politics

    In June, the Healthcare Industry Cybersecurity Task Force—a group established by HHS, as directed by the Cybersecurity Act of 2015—recommended that the government write policies to help healthcare organizations strengthen their defenses and adopt a new cybersecurity framework.

    But legislation has languished. A bill introduced in 2014 would have required government agencies to get software bills of materials for new products. And a bill introduced last year would have required the FDA to write "report cards" for networked devices.

    The FDA itself has issued guidance documents on device security, which agency representatives said could be updated.

    "As we learn more, we want to incrementally raise the expectations for the security of devices," said Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health.

    Currently, the FDA recommends that manufacturers take cybersecurity into account when designing devices and continue to do so after the devices have been introduced.

    "It is important to us that manufacturers build security and develop a program through the lifetime of the device for maintenance," Schwartz said.

    That guidance is helpful, Nickelson said, but before it was issued, manufacturers saved money by paying less attention to security. "There's a fairly significant fleet of devices that have back-door vulnerabilities built in," he said.

    That leaves manufacturers and hospitals to bear the brunt of the responsibility, Aske said.

    "Manufacturers and health systems need to collaborate on addressing the risks," he said. "Large hospitals have to take a leadership role."

    Letter
    to the
    Editor

    Send us a letter

    Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

    Recommended for You
    Google to convert office space for COVID-19 vax clinics
    Google to convert office space for COVID-19 vax clinics
    Next Up Podcast: What to expect with telehealth and healthcare technology in the next 4 years - Transcript
    Sponsored Content
    Get Free Newsletters

    Sign up for free enewsletters and alerts to receive breaking news and in-depth coverage of healthcare events and trends, as they happen, right to your inbox.

    Subscribe Today

    The weekly magazine, websites, research and databases provide a powerful and all-encompassing industry presence. We help you make informed business decisions and lead your organizations to success.

    Subscribe
    Connect with Us
    • LinkedIn
    • Twitter
    • Facebook
    • RSS
    • Instagram

    Stay Connected

    Join the conversation with Modern Healthcare through our social media pages

    MDHC_Logotype_white
    Contact Us

    (877) 812-1581

    Email us

     

    Resources
    • Contact Us
    • Advertise with Us
    • Ad Choices Ad Choices
    • Sitemap
    Editorial Dept
    • Submission Guidelines
    • Code of Ethics
    • Awards
    • About Us
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Modern Healthcare
    Copyright © 1996-2021. Crain Communications, Inc. All Rights Reserved.
    • News
      • This Week's News
      • COVID-19
      • Providers
      • Insurance
      • Government
      • Finance
      • Technology
      • Safety & Quality
      • People
      • Regional News
        • Midwest
        • Northeast
        • South
        • West
      • Digital Edition
    • Insights
      • ACA 10 Years After
      • Best Practices
      • InDepth Special Reports
      • Innovations
    • Transformation
      • Patients
      • Operations
      • Care Delivery
      • Payment
    • Data/Lists
      • Rankings/Lists
      • Interactive Databases
      • Data Points
    • Op-Ed
      • Bold Moves
      • Breaking Bias
      • Commentaries
      • Letters
      • Vital Signs Blog
      • From the Editor
    • Awards
      • Award Programs
        • 100 Most Influential People
        • 50 Most Influential Clinical Executives
        • Best Places to Work in Healthcare
        • Health Care Hall of Fame
        • Healthcare Marketing Impact Awards
        • Top 25 Emerging Leaders
        • Top 25 Innovators
        • Top 25 Minority Leaders
        • Top 25 Women Leaders
      • Nominate
      • Previous Award Programs
        • Excellence in Nursing Awards
        • Design Awards
        • Top 25 COOs in Healthcare
      • Other Award Programs
        • 100 Top Hospitals
        • ACHE Awards
    • Events
      • Conferences
        • Leadership Symposium
        • Healthcare Transformation Summit
        • Women Leaders in Healthcare Conference
        • Workplace of the Future Conference
        • Strategic Marketing Conference
        • Social Determinants of Health Symposium
      • Galas
        • Best Places to Work Awards Gala
        • Health Care Hall of Fame Gala
        • Top 25 Minority Leaders Gala (2022)
        • Top 25 Women Leaders Gala
      • Webinars
      • COVID-19 Event Tracker
    • Listen
      • Podcast - Next Up
      • Podcast - Beyond the Byline
      • Sponsored Podcast - Healthcare Insider
      • Video Series - The Check Up
      • Sponsored Video Series - One on One
    • MORE +
      • Advertise
      • Media Kit
      • Newsletters
      • Jobs
      • People on the Move
      • Reprints & Licensing