As COVID-19 swept the U.S., providers rapidly added web-connected equipment to increase patient data collection while minimizing touch points. But the technology may open hospitals up new vulnerabilities.
Data breaches often stem from hacks on email accounts, electronic medical records and other digital repositories. But medical devices create additional access points that hackers could target to enter a hospital's network and steal data, cybersecurity experts warn.
That concern has only expanded during the COVID-19 pandemic, as hospitals had to rapidly add equipment to address shortages of ventilators and other supplies, as well as deploy new devices to monitor patients inside and outside of their facilities.
"Whenever you have expanded remote networks and remote technology, the attack surface for the cybercriminals increases," said John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association.
Experts have mostly worried that patients could be harmed by medical device vulnerabilities if a pacemaker is hacked or an infusion pump's drip is changed. Last year, researchers in Israel even developed malware capable of exploiting CT scanners to add fake cancerous growths.
There have been no documented cases where such hacks have resulted in patient harm, although cybersecurity experts cautioned that doesn't mean it hasn't happened.
It's more likely a hacker would take advantage of a medical device vulnerability to sneak into a hospital's broader network, or deploy malware at a hospital, which unintentionally spreads to critical patient care devices that are linked to the same network.
That's the greater patient safety concern, according to Dr. Christian Dameff, an emergency medicine physician and medical director of cybersecurity at UC San Diego.
"I'm far more convinced that the patient safety risk lies in the availability of critical medical devices at hospitals systems that take care of lots of patients, (rather than) some evil hacker in a basement trying to target someone with a pacemaker and intentionally causing (harm)," he said.
If a CT or MRI scanner unexpectedly becomes unavailable due to a ransomware attack, that could be disastrous for patients in the emergency department, Dameff said. Or, if ventilators in an intensive-care unit stop working properly, that could pose a threat to COVID-19 patients.
Hospitals got a hint of that during the WannaCry ransomware attack in 2017, which infected more than 200,000 computers and devices worldwide, including some radiology equipment. While it doesn't seem the hackers that released the malware were specifically targeting healthcare, its rapid spread enabled the worm to hit organizations including the U.K.'s National Health Service, disrupting appointments for thousands of patients.
It's not uncommon for larger systems to have more than 100,000 devices connected to their internal networks, according to Riggi. Anecdotally, he said his colleagues in the healthcare cybersecurity community typically estimate a hospital has 10 to 15 network-connected devices per bed.
"There's been incredible expansion of the use of (the internet of things), or internet-connected medical devices," Riggi said. "With the tremendous expansion of these network-connected devices, you also have tremendously expanded opportunities for cybercriminals to potentially penetrate hospitals' networks."
Matt Silva, chief information security officer at medical device giant GE Healthcare, said he has noticed an increased focus on cybersecurity from providers and device-makers alike since WannaCry.
"That was really a turning point," Silva said. "We started to see a lot more focus in everything from procurement of medical devices from customers, all the way through to more pointed questions around lifecycle management."
GE Healthcare helps identify medical device vulnerabilities by participating in information sharing and analysis centers, monitoring the National Vulnerability Database and working with outside cybersecurity researchers. Late last year, they discovered six vulnerabilities in GE Healthcare patient monitors after a researcher from cybersecurity company CyberMDX reported them to the company.
There are no known public exploits specifically targeting the six vulnerabilities, a group at the Homeland Security Department said in January.
But the vulnerability concerns have sparked federal action. The Food and Drug Administration bolstered its medical device cybersecurity policies in recent years and included cybersecurity as a key goal in its Medical Device Safety Action Plan.
"It has a whole page devoted to cyber," said Mari Savickis, vice president of public policy at the College of Healthcare Information Management Executives. "Several years ago, that would have been unheard of."
FDA issued a guidance on post-market considerations in 2016. Its pre-market guidance was published in 2014 and a draft update was released in 2018. But there's no anticipated date for the final guidance, according to Jessica Wilkerson, cyber policy adviser in the FDA's Center for Devices and Radiological Health.
But these documents are only guidances, not requirements, and that concerns hospital groups.
"Manufacturers adhere to those guidelines in varying degrees," AHA's Riggi said.
Providers and insurers are held to more stringent standards for protecting patient data under HIPAA.
According to FDA's Wilkerson, medical device manufacturers are required by agency regulations to maintain safe and effective devices; however, the regulations don't outline how device-makers should meet that cybersecurity bar.
FDA guidance is "the way that the agency answers recurring questions from industry about how best to meet our regulations," she said. Following it is the easiest way for manufacturers to prove they're meeting FDA's regulations.
Adding specific cybersecurity requirements to regulation would require congressional action.
"When you're writing policy, you have to work within the bounds of the authorities that are granted to (you)," said Seth Carmody, vice president of regulatory strategy at cybersecurity company MedCrypt. He worked on the 2016 post-market final guidance and 2018 pre-market draft guidance as a cybersecurity program manager in an FDA office.
The guidances have led to more vulnerability reports. Since FDA released its post-market guidance, the Department of Homeland Security's Industrial Control Systems-Cyber Emergency Response Team pushed out 66 advisories due to disclosed medical device vulnerabilities. That's up significantly from the three years prior to the 2016 guidance, when there were only 12 advisories published, according to data compiled by MedCrypt.
It's likely that vulnerabilities still existed before 2016, but companies may not have been reporting as frequently, said Vidya Murthy, vice president of operations at MedCrypt.
"I think the reality is, prior to the FDA's post-market guidance coming into play, device manufacturers were not necessarily coordinated enough in their vulnerability process," she said. "No piece of software is perfect."
Some hospitals have taken it on themselves to set guidelines for device-makers they work with.
About five years ago, leaders at Mayo Clinic looked at addressing medical device cybersecurity in their procurement process, said Debra Bruemmer, senior manager in the Rochester, Minn., health system's office of information security. They developed a standard process to assess cybersecurity risks for medical devices, such as noting the operating systems, how they receive patches and what third-party software is integrated in the product.
She noted hospitals can't develop their own patches for a device if they find a problem, which leaves them largely reliant on the manufacturer.
"Once you get a device here, you have to be very collaborative with the vendor," Bruemmer said. "If a vendor's not going to be a collaborative and receptive to sharing information about the security posture of their device when we go to buy it, it really lends us a clue to how receptive they're going to be to address security holes or gaps as we move forward."
Hospitals should also ensure there's collaboration between two often bifurcated departments: biomedical engineering and information technology.
Biomedical engineering, the team that maintains and manages medical devices at hospitals, typically doesn't have cybersecurity experience. IT, on the other hand, is largely expected to focus on managing servers and software. That means IT might manage the network that devices run on, but usually isn't involved with securing the devices themselves.
UCSD's Dameff also suggested adding clinicians to medical device cybersecurity discussions. They can help make sure biomed and IT teams are spending time and resources securing devices that are the most critical to patient safety.
"It's important to form interdisciplinary cybersecurity teams," Dameff said. That's what helps hospitals pinpoint "which systems, which workflows, are most vulnerable to attack."