Security flaws in medical devices that transmit health data on a screen or between patients and physicians could potentially expose consumers to physical harm if hackers gain remote control of the software, according to a new report that urges improved federal monitoring of therapies that rely on wireless connectivity.
The current surveillance system used by the Food and Drug Administration to track faulty devices such as pacemakers, insulin pumps, defibrillators, and respiratory aids is designed to capture mechanical and software problems, including leaks, contamination, mislabeled shelf life, battery failure, and computer viruses. But it does not flag malfunctions related to web-connected medical sensors and wireless storage of patient data, the study says.
“A growing list of confirmed cybersecurity vulnerabilities in medical devices pose challenging risks to patients whose privacy or disease management depends on the proper functioning of devices,” the researchers, of Harvard Medical School’s Beth Israel Deaconess Medical Center and the University of Massachusetts at Amherst computer science department, write.
They say the findings that lead to this conclusion are theoretical, meaning that to date there are no known cases of malicious attacks on medical devices that have resulted in physical harm. Instead, the most common cause of recalls is manufacturers using the Internet to send software updates that may inadvertently contain computer viruses.
The data are troubling because they reveal the federal post-market surveillance system is unprepared to respond in a timely manner to cybersecurity threats in health care. Last month it was Google, not the FDA, that shut down the website of CareFusion Inc., a medical device maker, after it discovered that updates streamed to the company’s respiratory products contained both Trojan horses and malware. The infection was caught by Kevin Fu, a security expert at UMass and one of the study’s authors.
In another instance, a computer virus that infected catheters in a lab run by the Department of Veterans Affairs required that the machines be turned off and patients transported to a different hospital that could continue their care.
And in yet another case, it took the FDA nine months to process a report of faulty software in an automated external defibrillator. The time it would have taken a malicious hacker to exploit the flaw can be measured in hours, the report notes.
“If an event were to occur — such as failure to update properly or deliberate interference with a software update — the current classification of ‘product problems’ might not categorize these events clearly,” the researchers note.
Why would anyone want to hack into a medical device, anyway?
I put the question to Jerome Radcliffe, a security researcher and Type 1 diabetic who famously jammed his own insulin pump during a Black Hat security conference presentation last year in order to demonstrate the system’s vulnerabilities.
“Fifteen years ago, people asked who would ever want to break into a computer. Now it happens every second of every day,” he said in a telephone interview. “We see situations where computer systems and accounts are taken hostage in blackmail scenarios. I think that can happen in a hospital.”
Radcliffe, who directs the Smart Device Threat Center knowledgebase at Mocana, a cybersecurity firm, noted most hackers would need certain identifying information, such as a source code or a unique registration number, in order to remotely commandeer a medical device. But it is possible to do so without having any additional knowledge about the user, he said.
“Medical devices operate on many different levels, and certainly someone with the proper equipment and a backpack roaming around a hospital would be able to do it. People walk into hospitals every day and [a hacker] could easily say, ‘Hey, I’m going to visit a patient on such and such floor.’”
In this hypothetical scenario, wireless tampering with hospital equipment that delivers intravenous drugs or regulates breathing for patients could mean everything.
Yet the researchers’ review of nine years’ worth of FDA databases, including enforcement reports, device recalls, and adverse event reports, showed only one report tied to the search term “security,” while “privacy” was not associated with any adverse events.
In addition, of the 1,845 recalls issued between 2009 and 2011, 33% included computer malfunctions, but only 1.9% were due to storing patient data and 1.7% due to wireless communication.
One of the reports, for a 2010 nationwide Class I recall of infusion pumps by Baxter Healthcare Corp., read: “Under certain wireless network conditions a communication error can occur, which freezes the PC Unit screen, which may result in a delay of therapy. A delay of therapy may result in serious injury and/or death.”
Radcliffe says security concerns are increasing not just in health care, but across the banking and hospitality industries as well, where product developers have to be extra careful with everything that uses a computer chip.
“It’s really kind of a scary time in the tech world. But this is something new,” he says of medical device hacking. Getting someone’s identity or credit card number stolen is unpleasant, but it can be fixed without physical harm to the owner. But gaining control of one’s insulin supply, breathing, or heart rhythm?
“This is one of the first instances where you jump out of the virtual world and into the physical.”