For years, two researchers, Billy Rios of the security firm Whitescope and Jonathan Butts of QED Secure Solutions, studied medical devices. They tinkered with critical gadgets like pacemakers and insulin pumps, testing them to see whether they contained any cybersecurity weaknesses.
What they found was deeply disturbing: these devices, essential for keeping patients alive, were highly vulnerable to hackers. For example, Rios and Butts claimed that it was possible for a hacker to send a wireless signal to an insulin pump, telling the device to deliver the wrong amount of medicine. They also found vulnerabilities in a Medtronic pacemaker that could allow a hacker to remotely reprogram the device — potentially modifying a patient’s heart rhythms in a way that could hurt, or even kill, them.
Rios and Butts believed the pacemaker vulnerability was so serious that Medtronic would want to patch it immediately. They sent the company a report detailing their findings. But Medtronic dismissed their concerns as overblown, claiming that these kinds of hacks were inconceivable.
Undeterred, Rios and Butts decided to demonstrate the vulnerabilities themselves, in the most public way possible. During a dramatic presentation last year at Black Hat USA, the world’s leading information security conference, Rios and Butts asked all attendees with implanted medical devices to leave the room. They then showed two methods of compromising Medtronic’s CareLink 2090, which doctors use to program pacemakers — allowing hackers to issue, or deny, a life-saving shock.
Rios and Butts got a standing ovation — winning not only the attention of their audience, but also that of the U.S. Food and Drug Administration (FDA).
Hacking Your Health
To be fair, Medtronic is not the only company whose medical devices contain glaring glitches. The problem is systemic throughout the medical device industry. As Rios and Butts told CBS News, “We’ve yet to find a device that we’ve looked at that we haven’t been able to hack.”
What makes medical devices so vulnerable to cyberattacks? Simply put: they are computers, and all computers can potentially be breached. These high-tech, modern medical devices are often running antiquated, legacy software — making them particularly susceptible to hackers.
In many ways, medical device cybersecurity is just one part of a broader problem: the ever-expanding attack surface. A growing number of gadgets are being connected to the Internet. Collectively, this burgeoning constellation of connected devices is known as the “Internet of Things” (IoT). The IoT universe now includes many medical devices, such as pacemakers, insulin pumps, etc.
Hospitals, in particular, have an enormous number of IoT medical devices. In the United States, there are 10 to 15 connected medical devices per hospital bed. The largest hospitals, such as New York Presbyterian, have more than 2,000 beds. This means that these organizations have tens of thousands of devices, most of them networked. Protecting an attack surface this large is the kind of challenge liable to give any hospital CISO a heart attack.
The FDA Fight Against Cyber Threats
After years of security researchers sounding the alarm about cyber vulnerabilities in medical devices, the FDA has finally taken notice. Last October, the FDA released a set of recommendations for device manufacturers on incorporating cybersecurity best practices into their devices before entering the market. The report, entitled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, updates FDA guidance last issued in 2014. The new guidance covers a number of different aspects of medical device cybersecurity — including general principles and risk assessment, how to design a trustworthy device using the NIST Cybersecurity Framework, labeling recommendations for devices with cyber risks, cybersecurity documentation procedures, and how to implement existing cybersecurity standards for devices. The ultimate goal is to reduce the risk of patient harm by addressing cyber vulnerabilities during the design and development of medical devices.
The current guidance is just a draft, and the recommendations are non-binding. The FDA is accepting comments on the draft guidance until March 18. That’s under two weeks from today — so if you’re going to submit comments, do it ASAP! They can be submitted online or by mail to Dockets Management Staff (HFA-305), Food and Drug Administration, 5630 18 Fishers Lane, rm. 1061, Rockville, MD 20852.
Neither government officials nor security experts have yet identified any incident in which a hacker has harmed a patient through a medical device. But just because it hasn’t happened in the past doesn’t mean it won’t happen in the future. And your business certainly doesn’t want the brand-busting distinction of being the first medical device company to have its devices breached. That’s a surefire formula for nasty news headlines and big hits to your bottom line.
Where You Can Take Action
CyberVista offers comprehensive cyber risk training for executive leadership and board members to better quantify risk and embed sustainable cyber risk management. For dedicated health IT and cybersecurity staff, we have launched the latest online comprehensive course for the specialized healthcare cybersecurity credential, the HCISPP certification from (ISC)2, and we are developing a cybersecurity training course for healthcare professionals.