Fans of the TV show Homeland will remember watching the character portraying the Vice President die during the 2012 season due to hackers remotely disabling his pacemaker. According to one report, 1 former Vice President Dick Cheney was the inspiration for this episode when he revealed during an interview that he had his implantable heart device’s Bluetooth capabilities disabled to prevent possible hacking attempts during his tenure in office. 2
This Hollywood dramatization has now slowly become a new reality in the healthcare industry. In the attempts to increase interoperability and the efficiency of the flow of patient health information, medical device security has not always been a top priority for manufacturers and vendors. Medical devices connected to the internet that can send and receive data pose significant risks in being hacked by unauthorized users and potentially compromising patient care. 3 While there aren’t any known instances of a patient’s medical device being hacked, medical devices that possess the highest cybersecurity vulnerabilities include infusion pumps, implantable cardiovascular defibrillators (ICDs) and CT scans. These devices are vulnerable because they possess web administration interfaces that are not password protected or have weak passwords that are easy to crack. This article seeks to examine the recent concerns of cybersecurity vulnerabilities in medical devices.
Government Ramps Up Efforts on Cybersecurity
In a response to an Executive Order issued by President Obama, 4 the National Institute of Standards and Technology (NIST) 5 released a voluntary framework for improving critical infrastructure cybersecurity along with a roadmap for future work in February 2014 (the Framework). 6 While the Framework is not binding, healthcare organizations are encouraged to adopt the measures set therein. The Framework was intended as a guideline for organizations to assess their cybersecurity measures and use it as a benchmark to improve upon their current cybersecurity program or help those organizations create a cybersecurity plan if not already in place. The Framework is composed of three parts: the Framework Core, Profiles, and Implementation Tiers. The Core presents activities that are calculated to anticipate and defend against any attacks. The Profiles, used in conjunction with the Core, allow organizations to identify areas of improvement by performing self-assessments, comparing a “Current Profile” of their current cybersecurity program against a “Target Profile” of their goal state, i.e. what the organizations would like to achieve with their cybersecurity program. The Implementation Tiers include a set of measurements that helps organizations identify gaps in their cybersecurity programs and how prepared they are to protect their network against a cyber attack. 7
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) also revealed last year that it is investigating about 24 cases of cybersecurity vulnerabilities in a wide range of medical equipment, from medical imaging devices to hospital networking systems. The investigations began a couple of years ago, stemming from growing fears that hackers were developing capabilities to exploit security flaws in medical devices because of a growing number of them contain wireless technology and internet connectivity. Unnamed officials from ICS-CERT disclosed that some of the products under review included Hospira Symbiq infusion pumps and Medtronic’s implantable heart devices. 8 ICS-CERT is working with these manufacturers to help them identify and repair these security flaws.
The Food and Drug Administration (FDA) has also increased its focus on cybersecurity by partnering with the National Health Information Sharing & Analysis Center, Inc. (NH-ISAC), 9 an organization that seeks to advance healthcare cybersecurity resilience. The goal of the partnership is to create a foundation of information sharing regarding cybersecurity vulnerabilities and a risk assessment framework to assess and mitigate cybersecurity risks. 10 In October 2014, the FDA held an open workshop that brought together a broad range of healthcare organizations, from medical device manufacturers to professional and trade organizations, to analyze collaborative approaches to medical device and healthcare cybersecurity. The workshop was intended to identify barriers and challenges to promoting medical device cybersecurity and help participants develop tools and standards for building a comprehensive cybersecurity program.
User Beware: FDA Issues Warning
In July 2015, the FDA issued a warning to the public regarding the security risks associated with the use of Hospira’s Symbiq infusion pumps. 11 The FDA advised hospitals to cease operating Hospira Inc.’s Symbiq infusion system, which is a computerized pump used by hospitals, nursing homes and other healthcare facilities designed to continuously deliver general infusion therapy. The problem with the infusion pumps lies in the potential remote access of the pump by an unauthorized user who could tamper with the dosage, causing serious health risks to patients. Hospira has confirmed that the Symbiq infusion system can be accessed remotely through a hospital’s network. 12 The FDA emphasized that it is currently unaware of any adverse events or unauthorized access of the infusion pump in a healthcare setting. The FDA strongly urged healthcare organizations to follow the cybersecurity best practices outline in the FDA Safety Communication “Cybersecurity for Medical Devices and Hospital Networks” released in 2013. The FDA Safety Communication provides recommended actions for device manufacturers and healthcare facilities. In evaluating medical devices, manufacturers are advised to take steps to limit unauthorized device access to trusted users only; protect individual device components from exploitation; use design approaches that maintain a device’s critical functionality; and provide methods for retention and recovery after an incident where security has been compromised. 13 The FDA recommended that healthcare facilities evaluate their network security and encourages them to restrict unauthorized access to the network while also monitoring activity for unauthorized use; update appropriate antivirus software and firewalls; and develop strategies to maintain critical functionality during adverse events.
FBI Warning: IoT Poses Risks
The Federal Bureau of Investigation (FBI) is the latest government agency to release a warning on the security surrounding connected devices, issuing a public service announcement in September 2015. 14 The FBI's Internet Crime Complaint Center (IC3) warned that as the Internet of Things (IoT) 15 creates more efficiencies and conveniences in everyday life, this connection can also enhance the risks of being hacked by cybercriminals. The FBI listed a myriad of devices that possess some vulnerability, including the usual medical device suspects, such as wireless heart monitors and insulin dispensers, as well as wearables such as fitness devices. Deficient security measures, patching challenges and a lack of security awareness have provided cybercriminals opportunities to remotely attack these devices. There are a number of ways cybercriminals can exploit these vulnerabilities by sending malicious and spam emails, stealing personal information or interfering with physical safety. The FBI provided a list of recommendations to consumers, some of which includes: 1) isolating IoT devices on their own protected networks; 2) purchasing IoT devices from manufacturers with a track record of providing secure devices; 3) updating devices with security patches when available; and 4) using strong passwords.
Telesurgery: A Risky Frontier?
With significant advances in medical devices and the expansion of telehealth services, telesurgery has emerged as a potential solution in geographical areas that lack trained surgeons. Telesurgery allows a surgeon in one location to control a robot in a second location where that robot will physically perform the surgery on the patient. While the first telesurgical operation occurred in 2001, there are still many unresolved security issues involving this cutting edge technology, as researchers at the University of Washington demonstrated during an experiment conducted in April 2015. 16 The researchers set out to explore some of the security pitfalls of this technology by hacking a teleoperated surgical robot, the Raven II. The Raven II utilizes a single PC, running software based on open standards that communicates with a control console using the Interoperable Telesurgery Protocol, 17 a standard communications protocol for remote surgery. Their experiment demonstrated three different types of attacks that make telesurgery vulnerable with this robot. The first attack intercepted the commands sent by the operator to the robot by removing or reordering the commands. The second attack modified the intention of signals from the operator to the robotic arm by changing the robotic arm movements. During the last attack, the researchers took complete control over the robot by hijacking the procedure. This was made easy by the Interoperable Telesurgery Protocol, which is publicly available, allowing hackers to alter the signals. These communications took place over public networks that anyone could potentially have accessed. Open communications networks are easy targets for hackers to jam, disrupt or hijack signals being sent to the robot.
Each attack had an immediate impact on the robot, making it difficult to control and carry out the operation. Some of these signal attacks prevented the robot from ever being properly reset, which made the surgical procedures impossible to perform.
Additionally, the researchers discovered a significant privacy issue with the video connection since it was publicly available, potentially allowing anyone to watch the operation in real time. While organizations are encouraged to use encryption measures between the control console and the robot to mitigate attacks, these efforts aren’t foolproof because a hacker can still intercept the signals. The experiment wasn’t intended to discourage the development of telesurgery but to demonstrate the security and privacy concerns as this cutting edge technology continues to evolve.
Improving Medical Device Safety
Hospitals have largely been unaware of these unseen dangers but are slowly waking to this new reality. Medical devices have historically been regulated for effectiveness and safety and not for security purposes. This is due in part because the FDA does not require a security assessment during the pre-market submission process and many vendors have not implemented security programs for their devices. The FDA did issue a final guidance last year on premarket submissions related to cybersecurity for the healthcare industry. 18 The guidance encouraged manufacturers to consider cybersecurity risks in the design and development of their devices. However, this guidance is not an enforceable regulation but only voluntary and non-binding.
There has also been some confusion regarding information sharing around cyberintelligence and the health sector’s need to understand what it includes. The Structured Threat Information eXpression (STIX) program led by the Department of Homeland Security (DHS) has been helpful in educating the healthcare sector by taking cyberintelligence and breaking it down into different constructs. STIX is an effort to establish a standardized and structured language to represent cyber threat information. 19 It would be helpful if DHS would replicate this framework for sharing medical device vulnerabilities and creating supporting mechanisms that increase information sharing to combat potential attacks.
It is critical to continue to improve the infrastructure around healthcare technology to align with patient safety. Hospitals and health systems need to take a proactive and pre-emptive approach to security. These systems should be investing in and developing a strong IT infrastructure with layered security and firewalls to deter hacking. Healthcare organizations are constantly being challenged to anticipate unintentional threats and potential vulnerabilities. Therefore, it is important that healthcare organizations remain vigilant in this area as they continue to develop comprehensive systems to mitigate security risks.
Ashley Thomas is an associate in the Indianapolis office of Hall, Render, Killian, Heath & Lyman. She practices in the area of healthcare law with a focus on hospital and health system matters, regulatory and compliance issues, corporate transactions and hospital/physician alignment. Ms. Thomas received her J.D from Vanderbilt University Law School and her B.A. in Political Science from Northwestern University. She may be reached at firstname.lastname@example.org.
Medical Device Cybersecurity: Maybe Dick Cheney Was Not So Paranoid After All, Drug & Device L. Blog (September 4, 2015, 8:00 AM), http://druganddevicelaw.blogspot.com/2015/09/medical-device-cybersecurity-maybe-dick.html.
Dan Kloeffler & Alexis Shaw, Dick Cheney Feared Assassination Via Medical Device Hacking: ‘I Was Aware of the Danger’, ABC News (Oct. 19, 2013), http://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-hacking/story?id=20621434.
FBI Alert, Internet of Things Poses Opportunities for Cyber Crime, (September 2015), available at http://www.ic3.gov/media/2015/150910.aspx.
President Obama issued Executive Order 13636 “Improving Critical Infrastructure Cybersecurity, on February 12, 2013.
NIST is non-regulatory agency of the U.S. Department of Commerce that promotes innovation and competitiveness by advancing technology in a way that enhances economic security. More information is available at http://www.nist.gov/.
NIST, Framework for Improving Critical Infrastructure Cybersecurity, (February 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.
Jim Finkle, U.S. Government Probes Medical Devices For Possible Cyber Flaws, Reuters (Oct. 22, 2014), http://www.reuters.com/article/2014/10/22/us-cybersecurity-medicaldevices-insight-idUSKCN0IB0DQ20141022.
NH-ISAC is the nationally recognized ISAC for the nation’s healthcare and public health critical infrastructure by the nation’s health sector, Department of Health and Human Services (HHS), US Department of Homeland Security, National Security Agency (NSA), FBI, and the National Council of ISACs (NCI Directorate). NH-ISAC is the primary communications channel for cybersecurity intelligence, information sharing, countermeasure solutions, incident response, leading practice and education. More information is available at http://www.nhisac.org/?page_id=5498#Q1.
“Memorandum of Understanding between the National Health Information Sharing & Analysis Center, Inc. and the U.S. Food & Drug Administration, Center for Devices and Radiological Health,” Aug. 26, 2014, No. 225-14-0019, http://www.fda.gov/AboutFDA/PartnershipsCollaborations/MemorandaofUnderstandingMOUs/OtherMOUs/ucm412565.htm.
FDA, Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System: FDA Safety Communication, (July 2015), http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm.
Supra note 10.
FDA, Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication, (June 2013), http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm.
Supra note 3.
Internet of Things refers to any object or device which connects to the Internet to automatically send and/or receive data.
Security Experts Hack Teleoperated Surgical Robot, MIT Technology Review (April 24, 2015), http://www.technologyreview.com/view/537001/security-experts-hack-teleoperated-surgical-robot/.
King, H. Hawkeye et. al, Plugfest 2009: Global Interoperability in Telerobotics and Telemedicine, IEEE Int. Conf. on Robotics & Automation, (May 2010), http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3988879/.
FDA, Guidance for Industry and Food and Drug Administration Staff on Content of Premarket Submission for Management of Cybersecurity in Medical Devices (Oct. 2014), http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf.
US-CERT, Information Sharing Specifications for Cybersecurity, https://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity.