Med device security flaws threaten patient safety

Cyber security vulnerabilities from hospital networked medical devices are putting not only protected health information at risk but also patient safety, according to a two-year investigation which found rampant security flaws at a dozen U.S. healthcare facilities.

Independent Security Evaluators, a firm based in Baltimore, conducted the assessment of 12 hospitals around the country and discovered that all of them had very serious security issues that potentially could enable hackers to easily deploy remote attacks targeting and compromising patient health.

In its 71-page report, the firm concluded that its “greatest fear” is that patient health—not information—remains extremely vulnerable.

The research examines a multitude of devices and applications, including a variety of electronic health records systems, both developed in-house and commercially available. Results suggest that medical devices are often overlooked for security, compared with the efforts made to ensure the security and privacy of personal health information (PHI) in EHRs and health networks. That lack of attention is posing a growing and direct threat to patient safety.


“The industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective,” states the report. “We find that different adversaries will target or pursue the compromise of patient health records, while others will target or pursue the compromise of patient health itself.”

Ted Harrington, executive partner at Independent Security Evaluators, believes that patient health is the most important asset healthcare organizations are tasked with protecting. Nonetheless, he argues that primary, secondary, and tertiary attack surfaces at hospitals, which have little value related to PHI or personally identifiable information, are being largely left unprotected, exposing patient health at these facilities to dangerous cyber threats.

“The industry is focused on protecting the wrong asset,” contends Harrington. “A directive of healthcare is to improve the outcome for patients who come through the door and to make sure that they don’t actually get worse for having received care.”

Although the firm did not disclose the names of the hospitals it investigated, the locations of the targeted medical facilities were: Athens, Ga.; Austin, Texas; Baltimore; Bonita Springs, Fla.; Cape Girardeau, Mo.; Columbia, Mo.; Joplin, Mo.; Naples, Fla.; Salt Lake City; Savannah, Ga.; Towson, Md.; and Washington, D.C.

“We looked at systems from a very hands-on way through direct involvement with healthcare organizations that were willing participants, so we actually had access to hospital environments and medical devices, investigating whether or not certain vulnerabilities could be exploited in a controlled setting without harming or killing patients,” says Harrington. “Nevertheless, we were able to go ahead and prove that could happen with connected medical devices, especially ones that have life-sustaining functionality.”

He asserts that networked medical devices have inherent risks related to potential cyber security threats, including the introduction of malware into medical equipment and unauthorized access to configuration settings on devices and hospital networks.

Findings of the investigation, conducted from January 2014 through January 2016, match recent warnings from the federal government. In July 2015, the Food and Drug Administration alerted users of a computerized infusion pump, which communicates with hospital information systems via a wired or wireless connection over facility network infrastructures, that it had serious cyber security vulnerabilities that could put patient safety at risk. As a result, the FDA advised healthcare facilities to disconnect the pumps from their networks to reduce the risk of unauthorized system access.

And in September 2015, the Federal Bureau of Investigation issued an alert warning about the cyber security risks that networked medical devices pose to patients. According to the FBI, Internet of Things (IoT) devices, which connect to the web to automatically send or receive data and which include medical devices such as wireless heart monitors and insulin dispensers, pose a potential threat to patient health because hackers could change the code controlling the dispensing of medicines.

“There are a pervasive set of security vulnerabilities at hospitals that can impact patient health,” Harrington concludes. “These security flaws are the result of systemic business failures. Organizations have the wrong priority. What it requires is a changing mindset in which organizations are no longer focused on just protecting patient data but patient health.”

In addition, he blames medical device manufacturers who are not “adhering to the principles of secured design when they are building their products,” adding that “security flaws are pervasive across the entire industry”—a problem that will continue to grow as hospitals increasingly adopt connected medical devices. At the same time, Harrington faults regulatory agencies and Congress for not making it a legal requirement to ensure that manufacturers develop secure products.
