The Arizona Republic

Beating the hackers

UA event focuses on cybersecurity for high-tech medical devices

- JULIANNE STANFORD THE REPUBLIC | AZCENTRAL.COM

An event at the University of Arizona’s medical school in Phoenix focuses on an emerging concern in medicine: Since new pacemakers, insulin pumps and other devices feature wireless connectivity, could a hacker gain access to them?

Five years ago, Marie Moe collapsed, unconscious, because her heart “was taking a break.”

Her heart rate dropped to 30 or 40 beats per minute, and she was rushed to the hospital to have a life-saving pacemaker installed.

At the time, Moe, who holds a doctorate in information security, was working for the Norwegian government as an incident responder, running an operation center to react to cyberattacks.

Soon after recovering from her operation, Moe began to wonder: What if her pacemaker could be hacked?

Preventing device cyberattacks

More than 100 medical professionals, cybersecurity experts, law-enforcement officials, policy makers and hackers gathered at the University of Arizona College of Medicine in Phoenix on Thursday and Friday to start a conversation about the sort of response the medical and cybersecurity community can develop to treat or prevent this kind of attack from occurring.

Newer models of medical devices like pacemakers, insulin pumps and medication pumps have wireless connectivity, so doctors can remotely access the device to monitor the patient or make changes to how the device operates.

But those very features also provide a back door for hackers to gain access to the device, just as they could any other information stored online.

“I found myself suddenly dependent on technology, inside of my body, that had connectivity to the internet,” Moe said. “This worried me as a security researcher, because connectivity leads to vulnerability, and I didn’t really trust the technology that was implanted inside of my body.”

If these medical-device security risks go unaddressed, Moe said, she worries it could “lead to potentially lethal attacks if you have someone with malicious intentions.”

Dr. Jeff Tully, one of the conference organizers, said cybersecurity and medicine “are in a critical state … but we don’t want to be seen as alarmists. We don’t want people running and screaming out of our conference to their cardiologist to ensure that they’re not at risk for being hacked.”

While there hasn’t yet been a real-life documented case of a patient’s medical implant being hacked, research proves such an attack is possible.

Event co-organizer Dr. Christian Dameff said he believes the medical-cybersecurity industry needs to be proactive, not reactive.

“When we know of the first patient that dies of a cyberattack … you can’t put the genie back in the bottle,” Dameff said. “It’s going to usher in a new era of health-care cybersecurity where hospitals are going to be scrambling. That’s not the time to do it — the time to do it is now.”

Likewise for device manufacturers.

“We’re going to need to turn our focus from when we design these things to make sure that cybersecurity is built in on the ground floor and not as an afterthought,” Tully said.

The U.S. Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force issued a report June 2 on the evolution of medical technology and the potential security risks posed to patients.

The report found providers “cannot deliver effective and safe care without deeper digital connectivity.” But if that system is “connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs.”

rooms, hooded individuals nefariously hacking and attacking the Pentagon,” Dameff said. “That’s not the case.”

In the world of hacking, there are two types: rogue “black hat” hackers seeking to exploit the system weaknesses they uncover, and “white hats,” the “good hackers,” who seek to build protections for systems after their weaknesses are discovered, Dameff said.

Having one foot in both worlds provides the doctors a clinical and technical perspective when considering security concerns, Tully said.

“All throughout our medical training, we were exposed to how proliferative technology has become in the care of our patients,” Tully said. “With our hacker backgrounds, we understood that these systems are no more different than your grandmother’s email, or bank records that have been hacked, or the government structures that have been targeted by hackers.”

Tully and Dameff place medical technology into two categories:

Devices used to treat patients, such as imaging machines and implants like pacemakers.

Digital infrastructure behind medical care, which includes electronic records and even the power grids that keep the lights on in hospitals.

Both are vulnerable to attack, the doctors said.

“Ransomware can target the infrastructure of the hospital,” Tully said. “A more precise attack can take advantage of the fact that a pacemaker communicates with a device in the patient’s home before sending data over Wi-Fi to the doctor’s office.”

The threat of hacking medical systems isn’t the stuff of science fiction. Recently, there have been numerous high-profile instances of hacking that impeded the ability of medical professionals to provide care to patients.

In May, a ransomware attack known as WannaCry targeted computers using outdated Windows software across the globe. Ransomware locks up a user’s computer, then scrambles and encrypts data that can only be unlocked when the decryption key is purchased from the hacker.

The computer system of the National Health Service, the national health-care system in the United Kingdom, was hit by the attack, which affected more than 200,000 victims in 150 countries.

It forced at least 16 NHS hospitals to cancel doctor’s appointments, delay surgeries and turn away patients. It took at least three days for the network to return to complete working order.

An August 2016 report issued by the U.S. Government Accountability Office found more than 113 million people had their health records hacked in 2015, which was the highest level since data tracking started in 2009.

The Hollywood Presbyterian Medical Center in California paid $17,000 in 2016 to buy a decryption code when a ransomware attack infected its computer systems. The hospital spent five days regaining control of the systems.

In 2014, the hacker collective Anonymous launched a denial-of-service attack against the Boston Children’s Hospital to make a political statement. This type of attack flooded the hospital’s servers, causing its website to shut down and affecting services for about a week.

Hackers can hold records hostage to extort money from hospitals or sell stolen personal information on the “dark net.” But when it comes to potentially holding someone’s medical device hostage, the reason is less clear-cut, Tully said.

“There are probably as many different motivations as there are hackers, and some do it for financial means; some people do it to see if they can, because it’s a challenge; and some people do have malicious intent that they’d satisfy by being able to hurt people, whether it’s targeted or completely at random,” he said.

SAM CARAVANA/THE REPUBLIC At the University of Arizona College of Medicine in Phoenix, Drs. Jeff Tully (left) and Christian Dameff stand over a dummy used in simulations of cyberattacks on medical devices. Dameff says the time to figure out how to prevent such attacks is now,...
