As long as there have been opportunities, there have been opportunists looking to exploit them. The old-school con man has evolved into the modern hacker, and hacking has been through many different permutations in the last few decades.
From emails that collect identifying information in order to access money in a forgotten prince’s bank account, to identity theft carried out through worms, to ransomware that demands payment in untraceable cryptocurrency, tech developers must always consider hackers. It may not be possible to completely thwart attempts to gain control of various systems, but efforts must be made.
Right now, medical devices aren’t sufficiently protected to ensure patient health or the safety of identifying information that is stored in hospitals and medical centers.
Where is the biggest danger?
We often talk about the danger of wireless pacemakers and insulin pumps that communicate blood sugar levels to medical providers remotely. The concerns about these devices have been well documented; famously, Dick Cheney had the wireless features of his pacemaker disabled due to security concerns.
Individual patient items may be the most concerning: a hacked pacemaker could be made to deliver a fatal shock, for example, or be reprogrammed to fail to deliver one when it is needed. Injection devices can be configured to administer too much or too little medicine, with disastrous results. But that’s not the biggest danger that medical providers and patients face.
Hospitals are full of outdated technology that is vulnerable to security breaches. This puts HIPAA data at risk, but more importantly, puts patients’ lives at risk.
Out of date medical equipment
While individual medical devices are concerning, hospitals are often using devices that are significantly out of date. The average patient has between 10 and 15 connected devices at their bedside during a hospital admission. These devices may:
- Have a hardwired password, which cannot be modified, and which is easily found through a Google search,
- Run on an old operating system, such as Windows XP, which the manufacturer no longer supports, and which cannot be updated with modern security architecture,
- Accumulate bugs over time which cause more and more vulnerabilities, but be unable to accept patches.
And while these devices can be dangerous to patients themselves, the bigger concern is that they can be used as entry points to a medical center’s entire system. In 2017, 16 hospitals in the UK found themselves shut down after a ransomware attack by WannaCry. Systems froze and files were encrypted, and a ransom, payable in Bitcoin, was demanded for the password to undo the damage. The FBI’s unofficial recommendation to organizations affected in this way is to simply pay the ransom, as there are few ways to recover from an attack.
Attacks can potentially stem from any unprotected or insufficiently protected device. An old MRI machine, an outdated insulin pump, or a bedside monitor that can no longer support firmware updates are all dangerous. When a hacker has access to a single computer on a LAN, they can ultimately access the entire network and cause damage anywhere they want.
What is the solution?
Manufacturers are becoming aware of the dangers around these devices, and are beginning to make the types of hardware and software changes that allow for continuing support. This allows manufacturers to update firmware and software to prevent and fix risks as they are discovered.
The bigger problem, however, is convincing hospitals to update their hardware. Traditionally, hospitals buy one piece of equipment and use it until it breaks; only when it is unfixable is it replaced. This isn’t due to a lack of caring; hospitals tend to operate on very small margins, and may not have enough of a budget to upgrade hardware that is still technically working.
Some experts have suggested a trade-in program, such as the “Cash for Clunkers” program that was implemented in 2009 to help get fuel-inefficient cars off the roads. This could both help hospitals defer the cost of updating technology and help companies move inventory, benefiting both sides of the equation.
And of course, patients would benefit the most.
There are huge benefits to enhanced connectivity for medical devices. Doctors can remotely monitor pacemakers, for example, and get notified if the pacemaker’s activity signifies a worsening heart problem. Connected devices at the bedside can help medical staff intervene in life-threatening situations more quickly, improving outcomes.
When hospitals are shut down by ransomware or other viruses, it’s rarely individual patient information the attackers are looking for. But while the hospital itself is compromised, doctors are often unable to access the most basic patient records. This can prevent medical care from being properly delivered. Scanning machines like MRIs have also been shut down, delaying appropriate treatments.
With medical devices as the most significant security threat to the general public, it’s important that the medical community act quickly to mitigate these risks. The FDA has shown willingness to act before there are fatalities, issuing recommendations that particular devices no longer be used by hospitals. But until hospitals are willing and able to update equipment, these attacks are likely to continue.