The internet of things that can be hacked
When doctors replaced then-Vice President Dick Cheney’s pacemaker in 2007, they asked the manufacturer to disable the device’s Wi-Fi, hoping to keep would-be hackers out.
Though it appears that no one has hacked into a pacemaker in order to hurt the person in which it resides, it’s not out of the realm of possibility, and it’s something healthcare digital security executives are working to prevent.
What’s even more attractive to digital trespassers than hacking a pacemaker, though, is hacking a device like a networked MRI machine as a way into a Wi-Fi network. That could provide access to a health system’s network, where hackers could wreak all sorts of havoc and ultimately put patient safety at risk: interrupting care by holding electronic health records hostage, breaching protected health information, taking down the system entirely, or simply causing devices to malfunction.
Hacks into an increasingly connected healthcare system would also cut into organizations’ bottom lines, since equipment might be out of commission for days.
“In the past, we didn’t really have to worry about bad actors with medical devices,” said Joe Lewelling, vice president of emerging technologies and health information technology at the Association for the Advancement of Medical Instrumentation. “That’s no longer true.”
Healthcare organizations are growing increasingly concerned about the security of their devices—both those installed in hospitals and those installed in patients themselves. Keeping hackers at bay is more complicated, on a broader scale, than disabling a pacemaker here or there (even when that pacemaker belongs to the vice president). It requires training health system employees from the C-suite down, putting devices on secure parts of Wi-Fi networks, and keeping an eye on smaller issues, like default logins.
“The same things that give these devices greater usefulness also make them more vulnerable from a security standpoint,” said Dr. Sean Kelly, chief medical officer of cybersecurity firm Imprivata. “There becomes this tug of war between security and convenience.”
The risks
“There’s no such thing as absolute security in the electronic world,” said Jim Shehan, senior counsel and chairman of the Food and Drug Administration regulatory practice for Lowenstein Sandler.
There are various ways into a hospital’s information systems. Hackers can go straight for the computers, using phishing emails—the most well-known technique—to work their way in.
But they also can wriggle in through devices connected to a hospital’s network, sneaking in through insecure connections. Nearly anything—an MRI or an infusion pump, for example—can be used as an entry point.
Once inside, hackers could relatively easily disrupt an entire network. They could, for instance, install ransomware like WannaCry, which encrypts information so hackers can demand ransom in exchange for the decrypted files. Or they could steal protected health information.
“The main consequence of a medical device security problem tends to be unavailability,” said Kevin Fu, director of the Archimedes Center for Medical Device Security.
No matter what hackers do, they pretty much always put patient safety at risk. Without access to EHRs, providers struggle to know patient histories and what’s next in their care. Without access to medical devices, they can’t run important tests.
Even with access to those devices, they can’t be sure, once a hacker is in the network, whether those devices will function correctly—whether an infusion pump will deliver the right dosage, for instance.
“Sometimes we forget that security is a means to an end, and that end is better patient outcomes and safer and more effective devices,” Fu said.
Because medical devices are often built to last more than a few years, many of them at this point are already old from an internet security standpoint.
“We have thousands of devices on our system,” said Cris Ewell, chief information security officer for UW Medicine in Seattle. “I know I have many that still have legacy software on them. Sometimes, the manufacturers don’t even have the updates and healthcare systems can’t replace all their medical devices—it’s cost-prohibitive.”
Indeed, legacy devices are of particular concern to security officers, who must balance risk with the cost of replacing those devices.
“There’s no real good fix except to upgrade to the next generation of device or find compensating controls, like robust logging and monitoring capability,” said Russell Jones, a partner with Deloitte Risk and Financial Advisory.
Then there are the devices that are actually inside of patients, like Cheney’s pacemaker. Because those devices are rarely connected to hospital networks, they’re less lucrative to break into.
But in theory, a criminal could break in to hurt the person who has the device. Or, if the device is connected to some other network, they could steal information from that network, much as they would from a hospital network.
Although what they might actually do is somewhat unclear, what is clear is the fear triggered by the very possibility of hacking—hence Cheney’s disabled Wi-Fi and the firewalls put up around all sorts of devices installed in hospitals.
The fixes
“There’s a need for long-term change in how devices are manufactured and developed and how they’re supported,” said Jennings Aske, chief information security officer at New York-Presbyterian.
When medical device manufacturers don’t make secure devices, it’s up to health systems to pick up the slack.
It’s important for health systems to know, before anything is installed, what operating system is being used. So health systems should talk to device manufacturers pre-installation, said David Chou, chief information and digital officer of Children’s Mercy Kansas City.
Health systems should know what operating system a device is running and whether the manufacturer will support an upgrade—and whether it’s even possible to upgrade the software.
Something that might help with that is a software bill of materials, which many in the industry are calling for. The bill of materials would list all the software components a device contains.
“If we knew the third-party software included in the devices we purchase, we could better track risks as software vulnerabilities are identified,” Aske said.
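The tracking described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor: it checks each device's software bill of materials against a newly published advisory. The device names, component names, versions and advisory ID are all constructed placeholders.

```python
from dataclasses import dataclass


def parse_version(text):
    """Turn '1.0.10' into (1, 0, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    first_affected: str  # inclusive lower bound
    fixed_in: str        # exclusive upper bound

    def affects(self, name, version):
        # Component names are matched case-insensitively, since vendors
        # rarely spell third-party package names the same way.
        if name.lower() != self.component.lower():
            return False
        low, high = parse_version(self.first_affected), parse_version(self.fixed_in)
        return low <= parse_version(version) < high


# Constructed SBOMs: device -> list of (component, version) it ships with.
SBOMS = {
    "infusion-pump-A": [("examplessl", "1.0.2"), ("tinyhttpd", "2.4.0")],
    "mri-console-B": [("examplessl", "1.1.5"), ("imgcodec", "3.2.1")],
    "patient-monitor-C": [("ExampleSSL", "1.0.10")],
}

# Constructed advisory: placeholder ID, hypothetical component.
ADVISORY = Advisory("ADVISORY-PLACEHOLDER-1", "examplessl", "1.0.0", "1.0.11")


def affected_devices(sboms, advisory):
    """Return {device: [matching components]} for devices the advisory hits."""
    hits = {}
    for device, components in sboms.items():
        matched = [f"{n} {v}" for n, v in components if advisory.affects(n, v)]
        if matched:
            hits[device] = matched
    return hits


if __name__ == "__main__":
    for device, matched in affected_devices(SBOMS, ADVISORY).items():
        print(f"{ADVISORY.advisory_id}: {device} ships {', '.join(matched)}")
```

Versions are compared as number tuples because a plain string comparison would sort "1.0.2" after "1.0.11" and silently drop the infusion pump from the affected list.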
But there’s still the problem of the devices that health systems have already installed on their networks. As one solution, Ewell and others have turned to segmentation, which is when a network is divided into smaller networks, so a device is connected to only a subsection of the overall network. That way, should a hacker gain access to a device, he wouldn’t gain access to the entire network.
Firewalls are another solution, as is stepped-up monitoring of network traffic.
Health systems might also get some help from device manufacturers, which sometimes offer updates and patches.
But installing those upgrades can be tricky. “If you’ve got a machine that generates $1 million in revenue a day, it’s really hard to tell your CFO that vulnerability is worth taking it offline for two days,” said David Nickelson, director of health strategy and behavior change at Sapient Health.
Even though manufacturers have begun building security into devices, it’s sometimes not strong enough. For instance, devices often come with easy-to-guess default logins, such as “admin” for both the username and password. And devices might, by default, use insecure protocols for encryption.
But one of the defaults may actually be helping: Many of these devices run on wired, rather than wireless, networks. That’s a boon, since healthcare and other industries tend to be better at protecting wired devices compared to wireless devices.
The politics
In June, the Healthcare Industry Cybersecurity Task Force—a group established by HHS, as directed by the Cybersecurity Act of 2015—recommended that the government write policies to help healthcare organizations strengthen their defenses and adopt a new cybersecurity framework.
But legislation has languished. A bill introduced in 2014 would have required government agencies to get software bills of materials for new products. And a bill introduced last year would have required the FDA to write “report cards” for networked devices.
The FDA itself has issued guidance documents on device security, which agency representatives said could be updated.
“As we learn more, we want to incrementally raise the expectations for the security of devices,” said Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health.
Currently, the FDA recommends that manufacturers take cybersecurity into account when designing devices and continue to do so after the devices have been introduced.
“It is important to us that manufacturers build security and develop a program through the lifetime of the device for maintenance,” Schwartz said.
That guidance is helpful, Nickelson said, but before it was issued, manufacturers saved money by paying less attention to security. “There’s a fairly significant fleet of devices that have back-door vulnerabilities built in,” he said.
That leaves manufacturers and hospitals to bear the brunt of the responsibility, Aske said.
“Manufacturers and health systems need to collaborate on addressing the risks,” he said. “Large hospitals have to take a leadership role.”