What cybersecurity threats are happening right now involving medical devices? In a word – malware. TrapX, a security company thoroughly examined three hospitals for the presence of malware. The results were astounding. They found malware in X-ray equipment, blood gas analyzers, CT scanners, and ventilators, as well as infusion pumps.
The interesting thing about this accumulation of malware is that it doesn’t appear that the hackers are specifically targeting medical devices, but rather just look for a “back door” into the hospital network. One way they find these back doors is through a search engine known as Shodan, a search engine for “things” as opposed to Google, a search engine of documents and information. Through Shodan things like traffic light control systems, web cams, nuclear power plants, and yes, medical devices from connected intravenous pumps to MRI machines. The scary thing is, it doesn’t take an experienced hacker to find these devices online, a simple 5 minute tutorial (found on youtube) can have anyone up and running.
So why are hackers so interested in hospital networks? Medical information. According to an article by Reuters, medical data is now worth ten times as much as a stolen credit card number. The hackers get the information and can create an ID to order medical equipment or drugs for resale and may even fraudulently bill insurance companies using a fake (or stolen) provider number. According to data from Health and Human Services analyzed by The Washington Post, data from more than 120 million people has been accessed in more than 1,100 different breaches since 2009. That is 1/3 of the US population. In addition to billing for fraudulent services, this report also details another risk where service is provided for another patient in the victim’s name, which may lead to erroneous medical information being entered into the record, blood type or allergies, for example, which is a potential life threatening error.
TARGET MEDICAL DEVICES
To get into hospital (and other medical) networks the weakest link, and therefore the most tempting targets, are medical devices. Why is this? Consider the differences in a computer server that runs the back end of a network in a hospital and an infusion pump connected to the network.
The hospital’s IT department can update or upgrade the software on the server as needed. They can purchase third party security software to protect against attacks on the network that are constantly updated with the latest information while the infusion pump is a turnkey device that likely runs an outdated operating system such as Windows XP or even Windows 2000, third party cyber defense software cannot be installed by the hospital and in most cases any updates to the firmware (or operating system) must be approved by the FDA which leads to a significant lag in the time between the time a threat is discovered and when it is fixed. This makes medical devices the most vulnerable attack vectors.
Bio:
Jeff Harris is a Pharmacist with over 25 years of leadership experience in hospital, retail, and home health environments. Due to a spinal cord injury, he is currently on long term disability. Jeff is passionate about patient safety, risk management and cybersecurity issues in healthcare. He continues to research and write about improving healthcare on a pro-bono basis.