Hackers’ Next Target: Medical Devices

You’ve heard of ransomware, when criminal hackers take over your computer and attempt to extort money to give control of it back to you.

Imagine someone doing that with your insulin pump. Or your mom’s pacemaker.

It’s not just a plot from the TV show “Homeland.” Former Vice President Dick Cheney had the wireless capabilities on his pacemaker disabled in 2007 out of concerns over hacking. It’s possible, and that possibility has health care professionals watchful.

Wireless technology is seen as a way to make keeping track of one’s health easier. There are apps that allow people to measure everything from the number of steps they are taking each day to their heart rate. Telehealth, where doctors can monitor and keep in touch with patients from far away, is becoming more common.

But with advances come unforeseen glitches and people wanting to exploit the technology for nefarious goals.

According to a report by Jennifer Madary Houck, published by Washington Internships for Students of Engineering (WISE), about 23 percent of all the recalls of medical devices between 2006 and 2011 were due to software-related problems, and 94 percent of those presented a medium or high risk of severe consequences for patients, including serious injury or even death.

The makers of medical devices, researchers, health care providers, and the government have to work together to reduce the threat, says Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the Food and Drug Administration.

“[Cybersecurity] is getting a lot of attention, as it spans across all critical infrastructure,” she says. “It’s important to be proactive to strengthen security.”

The devices that draw the most concern are pacemakers, implantable cardiac defibrillators, and insulin pumps. All use wireless technology. Pacemakers and ICDs have wireless transmitters, which allow for detecting irregular heartbeats, and also allow doctors to change the instructions to the device. Insulin pumps have a glucose monitor, and patients use a wireless remote control to manage their insulin settings.

The devices are vulnerable in several ways. The remote control capability could be an opening to give a hacker or cyberattacker control of the device. The wireless communication feature, used to transmit data to the health care provider, can be used to gain access to the device and the data, if the device is not encrypted. Devices based on older designs might not be up to date in terms of security, and may not be getting security patches.

It’s not just individuals who may be targeted. Cyberattacks and viruses could target an entire hospital network, which could compromise patient information, both in terms of data theft and the ability for the hospital to access accurate information to treat patients. A hack could also be used as a way to extort money from a device maker.

Device makers and health care providers are reluctant to discuss the threat, fearing the possibility of tipping off hackers and cyberattackers to vulnerabilities.

There will always be vulnerabilities, Dr. Schwartz said. But vigilance can prevent them from becoming dangerous ones.

In December of 2016, the Food and Drug Administration issued a draft guidance outlining recommendations to improve security for medical devices. Among the suggestions:

• Information-sharing by manufacturers to respond to cybersecurity risks quickly and effectively.
• Establishing a clear process for how cybersecurity risks are handled, and how they are disclosed.
• A quick response to identified cybersecurity risks.

Dr. Schwartz believes checking for vulnerabilities, and disclosing them, should be normative practice in the maintenance of devices.

“(Device makers and health care providers) need to establish and adopt best practices for cyber hygiene,” she says. And they have to develop the appropriate IT infrastructure to advance security.

A process for disclosing vulnerabilities is essential, Dr. Schwartz says.

Dr. Schwartz cites the handling of a vulnerability discovered in 2016 in the OneTouch Ping insulin pumps made by Johnson & Johnson as an example of how things should be handled. Jay Radcliffe, a researcher with cybersecurity firm Rapid 7, discovered a way that a hacker could spoof communication between the pump and the remote control for it that could have the device giving unauthorized insulin injections to the patient.

The company quickly looked into it, and verified the vulnerability. It then reviewed the situation with the FDA. Johnson & Johnson alerted patients and gave them direction on protecting themselves.

“With coordinated communication comes a greater level of confidence from the public,” she says.

The Department of Health and Human Services submitted a report on cybersecurity to Congress in June. In August, Sen. Richard Blumenthal (D-Conn.) introduced the Medical Device Cybersecurity Act of 2017. The bill would:

• Create a “cyber report card” for medical devices.
• Mandate testing before going on the market.
• Require that cybersecurity updates and patches remain free and do not require recertification by the FDA.
• Put cybersecurity of medical devices under the jurisdiction of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
• Strengthen protections for remote access for devices both in and out of health care facilities.

For Further Discussion