Medical devices provide another window for hospital hackers
Skip to main content
MDHC_Logotype_white
Subscribe
  • My Account
  • Login
  • Subscribe
  • News
    • This Week's News
    • COVID-19
    • Providers
    • Insurance
    • Government
    • Finance
    • Technology
    • Safety & Quality
    • People
    • Regional News
    • Digital Edition
    • Regional insurers bet big on virtual-first plans
      Health suffers as rural hospitals close
      Nursing home residents hope to set an example on COVID-19 vaccination
      U.K. chief scientist says new virus variant may be more deadly
    • Nursing home residents hope to set an example on COVID-19 vaccination
      U.K. chief scientist says new virus variant may be more deadly
      It's a secret: California keeps key virus data from public
      COVID test pooling hampered by high positivity rates and logistical hurdles
    • Health suffers as rural hospitals close
      Medicare ACO participants fell in 2021
      Louisiana gets reports vaccine providers are discriminating
      'We know this is real': New clinics aid virus 'long-haulers'
    • Last-minute COVID costs cut into UnitedHealthcare's $396 million operating income
      CMS approves rule forcing insurers to ease prior authorization
      COVID-19 still a big uncertainty for insurers in 2021
      Health insurers' outlook boosted after Dems' Georgia win
    • It's a secret: California keeps key virus data from public
      lacewell_linda_supertinendent_dept_of_financial_services_8.47.jpg
      New York state investigates drug price spikes during pandemic
      Health experts blame rapid expansion for vaccine shortages
      HHS freezes rule targeting community health centers' drug discounts
    • Providers await new HHS coronavirus grant reporting deadline
      Operation Warp Speed Dr. Moncef Slaoui, Pfizer Group President Angela Hwang, Moderna CEO Stephane Bancel, CVS Health Executive Vice President Karen Lynch and McKesson CEO Brian Tyler participate in a panel discussion on the COVID-19 vaccine.
      Hospitals, drug companies strive to stand out virtually at JPM
      Intermountain, Trinity, Memorial Hermann behind $300M private equity fund
      Operation Warp Speed to bump up McKesson's stock price
    • A man in a room with servers.
      Momentum grows to outsource hospital tech functions in 2021
      5 things to know about Google's $2.1B Fitbit acquisition
      Providence bets on machine-learning, consolidating data centers
      Mental health treatment was most common telehealth service during COVID
    • U.K. chief scientist says new virus variant may be more deadly
      Mobile labs take vaccine studies to diverse neighborhoods
      As virus surges, states reporting shortages of vaccine
      Sticking to Mediterranean diet is good for the brain
    • Cerner names Erceg as new CFO
      Elizabeth Richter will serve as acting CMS administrator
      Providence names new chief financial officer
      Wisconsin's top health official departing for federal job
    • Midwest
    • Northeast
    • South
    • West
  • Insights
    • ACA 10 Years After
    • Best Practices
    • InDepth Special Reports
    • Innovations
    • The Affordable Care Act after 10 years
    • New care model helps primary-care practices treat obesity
      doctor with patient
      COVID-19 treatment protocol developed in the field helps patients recover
      Rachel Wyatt
      Project to curb pressure injuries in hospitals shows promise
      Yale New Haven's COVID-19 nurse-staffing model has long-term benefits
    • Michellene Davis
      Healthcare leadership lacks the racial diversity needed to reduce health disparities
      Dr. James Hildreth
      How medical education can help fight racism
      Modern Healthcare InDepth: Breaking the bias that impedes better healthcare
      Videos: Healthcare industry executives describe their encounters with racism
      Quotes from rebadged employees
      Outsourcing IT, revenue cycle takes toll on internal culture
    • A woman with a wearable sensor talking to her provider.
      Wearable sensors help diagnose heart rhythm problems in West Virginia
      self service station
      COVID-19 pushes patient expectations toward self-service
      Targeting high-risk cancer patients with genetics
      A nurse holds up a phone with a message to a family member saying surgery has started.
      Texting, tablets help hospitals keep family updated on patient care
  • Transformation
    • Patients
    • Operations
    • Care Delivery
    • Payment
    • Highmark Health inks six-year cloud, tech deal with Google
      Study: 1 in 5 patients report discrimination when getting healthcare
      HHS proposes changing HIPAA privacy rules
      Android health records app launches at 230 health systems
    • California hospitals prepare ethical protocol to prioritize lifesaving care
      Amazon, JPMorgan Chase, Berkshire Hathaway disband Haven
      Digital pathways poised to reshape healthcare continuum in 2021
      Healthcare was the hardest hit by supply shortages across all U.S. industries
    • A woman with a wearable sensor talking to her provider.
      Wearable sensors help diagnose heart rhythm problems in West Virginia
      New care model helps primary-care practices treat obesity
      How hospitals are building on COVID-19 telehealth momentum
      Researchers: Hospital price variation exacerbates health inequities
    • Regional insurers bet big on virtual-first plans
      MedPAC votes to boost hospital payments, freeze or cut other providers
      Most Next Gen ACOs achieved bonuses in 2019
      Congress recalibrates Medicare Physician Fee Schedule after lobbying
  • Data/Lists
    • Rankings/Lists
    • Interactive Databases
    • Data Points
    • Health Systems Financials
      Executive Compensation
      Physician Compensation
  • Op-Ed
    • Bold Moves
    • Breaking Bias
    • Commentaries
    • Letters
    • Vital Signs Blog
    • From the Editor
    • Wellstar CEO calls adapting for the pandemic her bold move
      Howard P. Kern
      Recognizing the value of telehealth in its infancy
      Dr. Stephen Markovich
      A bold move helped take him from family doctor to OhioHealth CEO
      Dr. Bruce Siegel
      Why taking a hospital not-for-profit was Dr. Bruce Siegel’s boldest move
    • Barry Ostrowsky
      Ending racism is a journey taken together; the starting point must be now
      Laura Lee Hall and Gary Puckrein
      Increased flu vaccination has never been more important for communities of color
      John Daniels Jr.
      Health equity: Making the journey from buzzword to reality
      Mark C. Clement and David Cook
      We all need to 'do something' to fight inequities and get healthcare right, for every patient, every time
    • Dr. Bruce Siegel
      By protecting the healthcare safety net, Biden can put us on the path to a stronger country
      Healing healthcare: some ideas for triage by the new Congress, administration
      Dr. Sachin H. Jain
      Medicare for All? The better route to universal coverage would be Medicare Advantage for All
      Connectivity: a social determinant of health that can exacerbate all the others
    • Letters: Eliminating bias in healthcare needs to be ‘deliberate and organic’
      Letters: Maybe dropping out of ACOs is a good thing for patients
      Letters: White House and Congress share blame for lack of national COVID strategy
      Letters: VA making strides to improve state veterans home inspections
    • Sponsored Content Provided By Optum
      How blockchain could ease frustration with the payment process
      Sponsored Content Provided By Optum
      Three steps to better data-sharing for payer and provider CIOs
      Sponsored Content Provided By Optum
      Reduce total cost of care: 6 reasons why providers and payers should tackle the challenge together
      Sponsored Content Provided By Optum
      Why CIOs went from back-office operators to mission-critical innovators
  • Awards
    • Award Programs
    • Nominate
    • Previous Award Programs
    • Other Award Programs
    • Best Places to Work in Healthcare Logo for Navigation
      Nominations Open - Best Places to Work in Healthcare
      Nominations Open - Health Care Hall of Fame
      Nominations Open - 50 Most Influential Clinical Executives
    • 100 Most Influential People
    • 50 Most Influential Clinical Executives
    • Best Places to Work in Healthcare
    • Health Care Hall of Fame
    • Healthcare Marketing Impact Awards
    • Top 25 Emerging Leaders
    • Top 25 Innovators
    • Top 25 Minority Leaders
    • Top 25 Women Leaders
    • Excellence in Nursing Awards
    • Design Awards
    • Top 25 COOs in Healthcare
    • 100 Top Hospitals
    • ACHE Awards
  • Events
    • Conferences
    • Galas
    • Webinars
    • COVID-19 Event Tracker
    • Leadership Symposium
    • Healthcare Transformation Summit
    • Women Leaders in Healthcare Conference
    • Workplace of the Future Conference
    • Strategic Marketing Conference
    • Social Determinants of Health Symposium
    • Best Places to Work Awards Gala
    • Health Care Hall of Fame Gala
    • Top 25 Minority Leaders Gala (2022)
    • Top 25 Women Leaders Gala
  • Listen
    • Podcast - Next Up
    • Podcast - Beyond the Byline
    • Sponsored Podcast - Healthcare Insider
    • Video Series - The Check Up
    • Sponsored Video Series - One on One
    • Carter Dredge
      Next Up Podcast: Ready, set, innovate! Innovation and disruption in healthcare
      Next Up Podcast: COVID-19, social determinants highlight health inequities — what next?
      Ceci Connolly
      Next Up Podcast: How to navigate the murky post-election waters
      Next Up Podcast: Saving Rural Health
    • Beyond the Byline: Regulators aim to boost value push with fraud and abuse law updates
      An older man wearing a mask receiving a vaccine.
      Beyond the Byline: Verifying information on the chaotic COVID-19 vaccine rollout
      doctor burnout
      Beyond the Byline: How healthcare supply chain struggles contribute to employee burnout
      Beyond the Byline: Covering race and diversity in the healthcare industry
    • Leading intention promote diversity and inclusion
      Introducing Healthcare Insider Podcast
    • The Check Up: Chip Kahn
      The Check Up: Chip Kahn of the Federation of American Hospitals
      The Check Up: Trenda Ray
      The Check Up: Trenda Ray of the University of Arkansas for Medical Sciences
      The Check Up: Dr. Kenneth Davis
      The Check Up: Dr. Kenneth Davis of Mount Sinai Health System
      The Check Up: Dr. Thomas McGinn
      The Check Up: Dr. Thomas McGinn of CommonSpirit Health
    • Video: Ivana Naeymi Rad of Intelligent Medical Objects
  • MORE +
    • Advertise
    • Media Kit
    • Newsletters
    • Jobs
    • People on the Move
    • Reprints & Licensing
MENU
Breadcrumb
  1. Home
  2. Cybersecurity
July 29, 2020 10:30 AM

Medical devices provide another window for hospital hackers

Jessica Kim Cohen
  • Tweet
  • Share
  • Share
  • Email
  • More
    Print

    As COVID-19 swept the U.S., providers rapidly added web-connected equipment to increase patient data collection while minimizing touch points. But the technology may open hospitals up new vulnerabilities.

    Data breaches often stem from hacks on email accounts, electronic medical records and other digital repositories. But medical devices create additional access points that hackers could target to enter a hospital's network and steal data, cybersecurity experts warn.

    That concern has only expanded during the COVID-19 pandemic, as hospitals had to rapidly add equipment to address shortages of ventilators and other supplies, as well as deploy new devices to monitor patients inside and outside of their facilities.

    "Whenever you have expanded remote networks and remote technology, the attack surface for the cybercriminals increases," said John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association.

    Experts have mostly worried that patients could be harmed by medical device vulnerabilities if a pacemaker is hacked or an infusion pump's drip is changed. Last year, researchers in Israel even developed malware capable of exploiting CT scanners to add fake cancerous growths.

    There have been no documented cases where such hacks have resulted in patient harm, although cybersecurity experts cautioned that doesn't mean it hasn't happened.

    It's more likely a hacker would take advantage of a medical device vulnerability to sneak into a hospital's broader network, or deploy malware at a hospital, which unintentionally spreads to critical patient care devices that are linked to the same network.

    That's the greater patient safety concern, according to Dr. Christian Dameff, an emergency medicine physician and medical director of cybersecurity at UC San Diego.

    "I'm far more convinced that the patient safety risk lies in the availability of critical medical devices at hospitals systems that take care of lots of patients, (rather than) some evil hacker in a basement trying to target someone with a pacemaker and intentionally causing (harm)," he said.

    If a CT or MRI scanner unexpectedly becomes unavailable due to a ransomware attack, that could be disastrous for patients in the emergency department, Dameff said. Or, if ventilators in an intensive-care unit stop working properly, that could pose a threat to COVID-19 patients.

    Hospitals got a hint of that during the WannaCry ransomware attack in 2017, which infected more than 200,000 computers and devices worldwide, including some radiology equipment. While it doesn't seem the hackers that released the malware were specifically targeting healthcare, its rapid spread enabled the worm to hit organizations including the U.K.'s National Health Service, disrupting appointments for thousands of patients.

    It's not uncommon for larger systems to have more than 100,000 devices connected to their internal networks, according to Riggi. Anecdotally, he said his colleagues in the healthcare cybersecurity community typically estimate a hospital has 10 to 15 network-connected devices per bed.

    "There's been incredible expansion of the use of (the internet of things), or internet-connected medical devices," Riggi said. "With the tremendous expansion of these network-connected devices, you also have tremendously expanded opportunities for cybercriminals to potentially penetrate hospitals' networks."

    Matt Silva, chief information security officer at medical device giant GE Healthcare, said he has noticed an increased focus on cybersecurity from providers and device-makers alike since WannaCry.

    "That was really a turning point," Silva said. "We started to see a lot more focus in everything from procurement of medical devices from customers, all the way through to more pointed questions around lifecycle management."

    GE Healthcare helps identify medical device vulnerabilities by participating in information sharing and analysis centers, monitoring the National Vulnerability Database and working with outside cybersecurity researchers. Late last year, they discovered six vulnerabilities in GE Healthcare patient monitors after a researcher from cybersecurity company CyberMDX reported them to the company.

    There are no known public exploits specifically targeting the six vulnerabilities, a group at the Homeland Security Department said in January.

    But the vulnerability concerns have sparked federal action. The Food and Drug Administration bolstered its medical device cybersecurity policies in recent years and included cybersecurity as a key goal in its Medical Device Safety Action Plan.

    "It has a whole page devoted to cyber," said Mari Savickis, vice president of public policy at the College of Healthcare Information Management Executives. "Several years ago, that would have been unheard of."

    FDA issued a guidance on post-market considerations in 2016. Its pre-market guidance was published in 2014 and a draft update was released in 2018. But there's no anticipated date for the final guidance, according to Jessica Wilkerson, cyber policy adviser in the FDA's Center for Devices and Radiological Health.

    But these documents are only guidances, not requirements, and that concerns hospital groups.

    "Manufacturers adhere to those guidelines in varying degrees," AHA's Riggi said.

    Providers and insurers are held to more stringent standards for protecting patient data under HIPAA.

    According to FDA's Wilkerson, medical device manufacturers are required by agency regulations to maintain safe and effective devices; however, the regulations don't outline how device-makers should meet that cybersecurity bar.

    FDA guidance is "the way that the agency answers recurring questions from industry about how best to meet our regulations," she said. Following it is the easiest way for manufacturers to prove they're meeting FDA's regulations.

    Adding specific cybersecurity requirements to regulation would require congressional action.

    "When you're writing policy, you have to work within the bounds of the authorities that are granted to (you)," said Seth Carmody, vice president of regulatory strategy at cybersecurity company MedCrypt. He worked on the 2016 post-market final guidance and 2018 pre-market draft guidance as a cybersecurity program manager in an FDA office.

    The guidances have led to more vulnerability reports. Since FDA released its post-market guidance, the Department of Homeland Security's Industrial Control Systems-Cyber Emergency Response Team pushed out 66 advisories due to disclosed medical device vulnerabilities. That's up significantly from the three years prior to the 2016 guidance, when there were only 12 advisories published, according to data compiled by MedCrypt.

    It's likely that vulnerabilities still existed before 2016, but companies may not have been reporting as frequently, said Vidya Murthy, vice president of operations at MedCrypt.

    "I think the reality is, prior to the FDA's post-market guidance coming into play, device manufacturers were not necessarily coordinated enough in their vulnerability process," she said. "No piece of software is perfect."

    Some hospitals have taken it on themselves to set guidelines for device-makers they work with.

    About five years ago, leaders at Mayo Clinic looked at addressing medical device cybersecurity in their procurement process, said Debra Bruemmer, senior manager in the Rochester, Minn., health system's office of information security. They developed a standard process to assess cybersecurity risks for medical devices, such as noting the operating systems, how they receive patches and what third-party software is integrated in the product.

    She noted hospitals can't develop their own patches for a device if they find a problem, which leaves them largely reliant on the manufacturer.

    "Once you get a device here, you have to be very collaborative with the vendor," Bruemmer said. "If a vendor's not going to be a collaborative and receptive to sharing information about the security posture of their device when we go to buy it, it really lends us a clue to how receptive they're going to be to address security holes or gaps as we move forward."

    Hospitals should also ensure there's collaboration between two often bifurcated departments: biomedical engineering and information technology.

    Biomedical engineering, the team that maintains and manages medical devices at hospitals, typically doesn't have cybersecurity experience. IT, on the other hand, is largely expected to focus on managing servers and software. That means IT might manage the network that devices run on, but usually isn't involved with securing the devices themselves.

    UCSD's Dameff also suggested adding clinicians to medical device cybersecurity discussions. They can help make sure biomed and IT teams are spending time and resources securing devices that are the most critical to patient safety.

    "It's important to form interdisciplinary cybersecurity teams," Dameff said. That's what helps hospitals pinpoint "which systems, which workflows, are most vulnerable to attack."

    Letter
    to the
    Editor

    Send us a letter

    Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

    Recommended for You
    Excellus Blue Cross and Blue Shield to pay $5.1M HIPAA penalty
    Excellus Blue Cross and Blue Shield to pay $5.1M HIPAA penalty
    4 cyberscams for hospitals to watch out for
    4 cyberscams for hospitals to watch out for
    Sponsored Content
    Get Free Newsletters

    Sign up for free enewsletters and alerts to receive breaking news and in-depth coverage of healthcare events and trends, as they happen, right to your inbox.

    Subscribe Today

    The weekly magazine, websites, research and databases provide a powerful and all-encompassing industry presence. We help you make informed business decisions and lead your organizations to success.

    Subscribe
    Connect with Us
    • LinkedIn
    • Twitter
    • Facebook
    • RSS
    • Instagram

    Stay Connected

    Join the conversation with Modern Healthcare through our social media pages

    MDHC_Logotype_white
    Contact Us

    (877) 812-1581

    Email us

     

    Resources
    • Contact Us
    • Advertise with Us
    • Ad Choices Ad Choices
    • Sitemap
    Editorial Dept
    • Submission Guidelines
    • Code of Ethics
    • Awards
    • About Us
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Modern Healthcare
    Copyright © 1996-2021. Crain Communications, Inc. All Rights Reserved.
    • News
      • This Week's News
      • COVID-19
      • Providers
      • Insurance
      • Government
      • Finance
      • Technology
      • Safety & Quality
      • People
      • Regional News
        • Midwest
        • Northeast
        • South
        • West
      • Digital Edition
    • Insights
      • ACA 10 Years After
      • Best Practices
      • InDepth Special Reports
      • Innovations
    • Transformation
      • Patients
      • Operations
      • Care Delivery
      • Payment
    • Data/Lists
      • Rankings/Lists
      • Interactive Databases
      • Data Points
    • Op-Ed
      • Bold Moves
      • Breaking Bias
      • Commentaries
      • Letters
      • Vital Signs Blog
      • From the Editor
    • Awards
      • Award Programs
        • 100 Most Influential People
        • 50 Most Influential Clinical Executives
        • Best Places to Work in Healthcare
        • Health Care Hall of Fame
        • Healthcare Marketing Impact Awards
        • Top 25 Emerging Leaders
        • Top 25 Innovators
        • Top 25 Minority Leaders
        • Top 25 Women Leaders
      • Nominate
      • Previous Award Programs
        • Excellence in Nursing Awards
        • Design Awards
        • Top 25 COOs in Healthcare
      • Other Award Programs
        • 100 Top Hospitals
        • ACHE Awards
    • Events
      • Conferences
        • Leadership Symposium
        • Healthcare Transformation Summit
        • Women Leaders in Healthcare Conference
        • Workplace of the Future Conference
        • Strategic Marketing Conference
        • Social Determinants of Health Symposium
      • Galas
        • Best Places to Work Awards Gala
        • Health Care Hall of Fame Gala
        • Top 25 Minority Leaders Gala (2022)
        • Top 25 Women Leaders Gala
      • Webinars
      • COVID-19 Event Tracker
    • Listen
      • Podcast - Next Up
      • Podcast - Beyond the Byline
      • Sponsored Podcast - Healthcare Insider
      • Video Series - The Check Up
      • Sponsored Video Series - One on One
    • MORE +
      • Advertise
      • Media Kit
      • Newsletters
      • Jobs
      • People on the Move
      • Reprints & Licensing