Hacking of Medical Devices

In a 2014 Reuters article (U.S. Government Probes Medical Devices for Possible Cyber Flaws) it was reported that the US Department of Homeland Security began investigating cybersecurity flaws in medical devices and hospital equipment in 2012. The agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) will not disclose what specific devices but a senior DHS official said the agency is working with manufacturers to identify and repair software coding bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment.

The FDA has stated the following:

Medical devices, like all computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. This vulnerability increases as medical devices are increasingly “connected” to the Internet, hospital networks, and to other medical devices.

To mitigate and manage cybersecurity threats, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cybersecurity threats, which could be caused by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.

The demand for medical data continues to grow in the hacking community and millions of records from insurance companies like Anthem and Premera have been breached in recent months.

While hospitals have worked hard to lock down access to their systems, they have very little control over the medical devices that are connected to their network. The manufacturers of these devices are starting to work on fixes for these vulnerabilities but this is a slow process.

Some of the systems identified as major culprits are Picture Archive & Communications Systems (PACS), x-ray equipment, and blood-gas analyzers, along with some diagnostic equipment such as PET scanners, CT scanners, and MRI machines.

The primary problem is that most medical devices were not designed to detect the malware delivered by a cyberattack and most hospital cyber-security systems do not have access to the internal software operations of the medical devices. If these devices are not effectively isolated from the hospital’s network it creates a significant vulnerability.

The American Hospital Association (AHA) has issued the following statement to its members:

Cybersecurity vulnerabilities and intrusions pose risks for every hospital and its reputation.  While there are significant benefits for care delivery and organizational efficiency from the expanded use of networked technology, Internet-enabled medical devices and electronic databases for clinical, financial and administrative operations, networked technology and greater connectivity also increase exposure to possible cybersecurity threats that require hospitals to evaluate and manage new risks. Hospitals can prepare and manage such risks by viewing cybersecurity not as a novel issue but rather by making it part of the hospital’s existing governance, risk management and business continuity framework.  Hospitals also will want to ensure that the approach they adopted remains flexible and resilient to address threats that are likely to be constantly evolving and multi-pronged.

The FDA is recommending that steps are taken to evaluate network security and protect the hospital system. In evaluating network security, hospitals and health care facilities should consider:

• Restricting unauthorized access to the network and networked medical devices.
• Making certain appropriate antivirus software and firewalls are up-to-date.
• Monitoring network activity for unauthorized use.
• Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
• Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.
• Developing and evaluating strategies to maintain critical functionality during adverse conditions.

For additional information please see:

http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm

http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm416809.htm