Does it happen?

Medical devices, such as pacemakers, have significantly improved the health of many individuals. Without them and other essential gadgets, many people would die. One thing that you don’t think about when talking about these items is hacking. However, in recent years, they’ve become vulnerable to this. Why are people targeting them? How can this be prevented?

When it comes to hacking electronic devices, the last things most people think of are pacemakers, insulin pumps, and other medical devices. Unfortunately, these are becoming increasingly targeted by malicious hackers. These machines live in an ecosystem of devices that are all connected, usually via Wi-Fi or radio frequency identification, which allows them to send data back to a central information hub. This means that hackers could potentially access the main network through a connected device. Once they have access to a health system, hackers can grab electronic health records, release software viruses that could disrupt hospital operations, and launch a ransomware attack. As the number of bedside and wearable/implanted devices has increased, the need for medical device security has also risen. Security experts point out that the more things we add to a network, the more chances there are for it to be impacted. It’s estimated that there’s an average of 10 to 15 internet-connected devices for each hospital bed. Any part of the network that is vulnerable makes the entire network vulnerable.

Implantable medical devices represent a relatively minor target for hackers because there’s not a lot of incentive to go after a target as small as a single pacemaker or infusion pump, unless that device is connected to a famous person like the leader of a country. The two main reasons for hacking implanted devices are getting access to medical/personal data to use it for financial/political gain or launching a ransomware attack. PII (personally identifiable information) and PHI (protected health information) are among the most sensitive data that can be made public. This means their use by cybercriminals for extortion purposes could be vast. Despite these concerns, the most imminent threat is probably from ransomware because this can attack entire hospital systems. One study by Comparitech revealed that ransomware attacks on hospitals and healthcare companies resulted in more than $20 billion in lost revenue, lawsuits, and ransom paid just in 2020. Sadly, this is expected to escalate. The Covid-19 pandemic demonstrated just how much of a problem it could be. In April 2020, Interpol warned that cybercriminals were using ransomware to target healthcare organizations. They noted a significant swell in detected health system attacks since the start of the pandemic. As a result of the increased use of telehealth and remote patient monitoring during the pandemic, the threat of attack is rising at an unprecedented rate. Experts say it has accelerated to a level that wasn’t expected within the next ten years.

Scientists at the University of California San Diego conducted a simulated attack to show just how vulnerable hospital networks are. They demonstrated how hackers could get blood and urine test results, alter them, and transmit the modified information into the electronic health record system. Those changes could cause doctors to mistakenly prescribe incorrect, and potentially deadly, treatments. Health records, test results, and prescriptions are all stored in the cloud, making them susceptible to hackers.

Another concern is that hackers can break into hospital networks, targeting specific pieces of medical equipment. For example, infusion pumps are on the network and, in many cases, run a Windows operating system, making them vulnerable to attack just like anything else. These pumps supply patients with a wide assortment of drugs, including insulin, antibiotics, chemotherapy drugs, and pain relievers. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a part of the US Department of Homeland Security, identified multiple vulnerabilities in these pumps. The team is responsible for reducing risks within and across all critical infrastructure sectors and partnering with law enforcement agencies and the intelligence community. According to their 2017 report, “Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump.”

Infusion pumps aren’t the only worry. Other medical machines, such as MRI scanners, are susceptible too. In May 2017, North Korea may have used a stolen National Security Agency (NSA) hacking tool to infect MRIs at US hospitals. The evidence isn’t clear, but we know that as many as 200,000 Windows systems in hospitals and medical centers were broken into. The primary target was the Bayer Medrad medical device, which monitors chemicals used in MRI scans. This episode was the first time a medical instrument had been hacked in the United States. When made aware of the attack, Bayer sent out a Microsoft patch for the imaging equipment and all of their other Windows-based devices. While this ransomware attack didn’t threaten patient safety directly, it did stop scanning machines from working for an extended period. This lack of function could’ve resulted in many clinical mistakes, including an increased need for hospital resources and unnecessary care delays.

The need for cybersecurity in medical devices isn’t a new idea. In 2013, the Food and Drug Administration (FDA) issued its first guidance on the topic, and it has since issued several more advisories as concerns have intensified. The Cybersecurity Act of 2015 established a Health Care Industry Cybersecurity Task Force to address a range of vulnerabilities in the healthcare industry. It’s a public-private collaboration and is expected to release guidelines on medical device security and best-practice guidelines for hospital IT experts. In 2017, the FDA recalled 465,000 implantable pacemakers because of fears that they could be hacked. In October 2018, hackers showed they could remotely manipulate another popular pacemaker, which prompted the manufacturer to temporarily shut down part of its Internet network while securing the devices.

Protecting the security of medical devices is complicated because there are so many players, including manufacturers, hospital IT departments, healthcare providers, and patients. In 2018, the FDA issued a detailed new medical device safety plan, including a proposal to create a CyberMed Safety (Expert) Analysis Board. This public-private partnership would serve as a resource for device makers, medical centers, and the agency. The FDA also plans to put into practice greater premarket scrutiny of cybersecurity for medical devices and improve its system to identify and deal with threats when they arise. In October 2019, the agency warned healthcare providers about 11 cybersecurity vulnerabilities (URGENT/11) that may pose risks for specific medical devices and hospital networks. These exist in IPnet, a third-party software component that supports network communications between computers, and they affect several operating systems. At the time of the statement, the FDA said it wasn’t aware of any actual adverse events related to the weaknesses. It urged medical device manufacturers to work with healthcare providers to determine which devices might be affected and develop risk mitigation plans. It’s unclear to what extent that occurred.

Hospitals are like any organization subjected to a ransomware attack and will experience similar outcomes: widespread panic, confusion, and significant impairment of operational capacity. The added factor here is that it could lead to the tragic loss of life. Therefore, addressing security risks is critical to the practice of medicine in the 21st century. This will involve upgrading operating systems and implementing security patches to help prevent breaches for both hospital-wide networks and personal devices connected to the networks. The good news is healthcare is not waiting for the massive accident. According to a 2018 health information cybersecurity survey, over 84% of responding hospitals and healthcare systems said they increased resources to address cybersecurity concerns during that year alone. Over 83% had implemented new or improved security measures, and 65% replaced or upgraded IT software and related devices.

The science community is getting involved too. In 2021, the University of Minnesota created the Center for Medical Device Cybersecurity in partnership with medical device companies, such as Medtronic and Boston Scientific. The center is focused on helping groups that touch medical devices at every stage in their lifecycle, from their development to their use at a patient’s bedside. The goal is to understand and manage any cybersecurity risks.

If an implanted medical device is malfunctioning, the last thing doctors consider is that a device has been hacked. This means doctors have to learn to recognize that this can happen and treat that possibility as a differential diagnosis. To help with this, they need training in the basics of IT networks and networked devices. This instruction should be part of standard medical school education, with the curriculum centered on how to interact safely with networked technologies and recognize when devices have been compromised. While we can’t expect doctors to be IT experts, everyone who relies on these technologies needs to know the basics about what can happen if a hospital network is infected or a device is hacked.

The other education component is teaching individuals that internet-connected medical devices, like pacemakers, smartwatches, and blood pressure monitors connected through an app, are all at risk. Home networks don’t have the same resources as hospitals to help protect these devices, which means the devices are most susceptible at home. This is why educating individual consumers is so critical. It’s essential that people take precautions like keeping passwords safe, changing passwords frequently, not clicking on suspicious emails, and making sure home Wi-Fi systems are secure. Another vital aspect is keeping medical product firmware updated because security enhancements provided by manufacturers and regulatory authorities are delivered through firmware revisions. Typically, this involves patients going to hospitals and clinics because trained medical staff are the only ones who can install the update.

Hospitals are increasingly connecting devices to the Internet, providing doctors and other healthcare workers with the latest information on how a patient is responding to treatments. While this does lead to better outcomes, all the connectivity comes at a price: a growing risk of getting hacked. There’s no question that medical device cybersecurity is specialized, and security isn’t a fixed state. It will always be an ongoing process of improving where improvement is needed and protecting the most critical things. The best way to look at it is that the network is only as strong as its weakest link. Thankfully, healthcare organizations are taking this seriously and doing everything to minimize the threat.