Jay Radcliffe breaks into medical devices for a living, testing for vulnerabilities as a security researcher.
He鈥檚 also a diabetic, and gives himself insulin injections instead of relying on an automated insulin pump, which he says could be hacked.
鈥淚鈥檇 rather stab myself six times a day with a needle and syringe,鈥 Radcliffe recently told security experts meeting near Washington, D.C. 鈥淎t this point, those devices are not up to standard.鈥
Concern about the vulnerability of medical devices like insulin pumps, defibrillators, fetal monitors and scanners is growing as health care facilities increasingly rely on devices that connect with each other, with hospital medical record systems and 鈥攄irectly or not 鈥 with the Internet.
Radcliffe made headlines in 2011 by showing a hackers鈥 convention how he could exploit a vulnerability in his insulin pump that might enable an attacker to manipulate the amount of insulin pumped to produce a potentially fatal reaction. Now he talks about going without a pump to raise awareness about the potential for security lapses and the need for better engineering.
While there have been no confirmed reports of cyber criminals聽 gaining access to a medical device and harming patients, the Department of Homeland Security is investigating potential vulnerabilities in about two dozen devices, according to . Hollywood has already spun worst-case scenarios, including a 2012 episode in the Homeland series portraying a plot to kill the vice president by manipulating his pacemaker.
鈥淭he good news is, we haven鈥檛 seen actual active threats or deliberate attempts against medical devices yet,鈥 said Kevin Fu, a University of Michigan researcher who has made his career testing the vulnerability of medical systems.
The bad news is that hospital medical devices may be vulnerable to hackers simply because they can be the weak link that gives a criminal access to a hospital鈥檚 data system 鈥 especially if the devices haven鈥檛 been updated with the latest security patches, said Ken Hoyme, a scientist at Adventium Labs, a cybersecurity firm in Minneapolis.
In the real world, he said, a hacker is more likely interested in stealing records he can sell than in harming a patient.
鈥淭here are not that many bad鈥uys whose goal in life is to go and randomly mess with patients in hospitals,鈥 Hoyme said. 鈥淭hey want money, not to shut off the ventilator of a particular patient.鈥
Hospitals are targets because they collect so much data, from patients鈥 Social Security numbers and financial information, to diagnosis codes and health insurance policy numbers.
Radcliffe estimates that medical identity information is worth 10 times more than credit card information 鈥攁bout $5 to $10 per record on the black market compared to 50 cents per account for credit card information.
Crooks can use it to apply for credit, file fake claims with insurers or buy drugs and medical equipment that can be resold.
And unlike the victims of credit card theft, those with stolen medical identities might not know for months or even years, giving the thieves more time to use their information.
New FDA Guidelines
Yet there are few cybersecurity standards for medical devices.
In October, developers should bake into their products when seeking approval for a new device.
The guidelines, which aren鈥檛 binding, say that when seeking approval for a new device, manufacturers should detail cybersecurity threats they considered and create better ways to detect when it might have been hacked.
They should also build in protections, such as limiting access to authorized users and restricting software updates only to products with authenticated coding.
While a good start, some security experts say the guidelines should be binding. Others fear that giving them the force of regulation could be more harmful because they would become outdated quickly.
Nonetheless, the FDA鈥檚 guidance has, in effect, changed the conversation among device makers from, 鈥溾楧o I believe this is a real threat?鈥 to 鈥榃hat do I have to do to satisfy the FDA?鈥欌 said Hoyme.
By the end of the year, the agency is expected to issue similar recommendations for devices already on the market.
Common Vulnerabilities
One reason many existing devices might be vulnerable is they run on defunct operating systems like Windows XP, which Microsoft stopped supporting in April, meaning there won鈥檛 be any new security patches. Other, newer devices may have built-in passwords that are difficult to update. Gaining access to them can be fairly easy which could make them more vulnerable to attack, researchers say. In addition, sometimes, a password is intentionally disabled so it鈥檚 easily accessible to medical staff in an emergency.
Hackers can also get into some inadequately protected hospital systems when staff members click on links in聽emails, not knowing they contain malicious code.聽Once transmitted to a hospital鈥檚 intranet, that malware聽could聽find its way into聽unprotected聽device software聽and聽cause malfunctions, said Hoyme and Fu.
鈥淚f cyber criminals decide they can hack into a device to get health records, they won鈥檛 think about whether they鈥檙e messing with device performance: They鈥檙e going after the money,鈥 Hoyme said.
Security experts聽warn that some of the same design flaws that make medical devices vulnerable would also make breaches hard to track.
鈥淚f your iPhone is compromised, it鈥檚 a lot more straightforward for someone to determine if it鈥檚 been tampered with. We鈥檙e not there yet” with medical devices, said Billy Rios, a former Google software engineer turned security consultant.
He describes how he was able to buy a secondhand EKG machine, used to measure the heart鈥檚 electrical activity, for just $25 online. Some infusion pumps and patient monitoring systems go for less than $100. That makes devices more readily available to those who want to figure out vulnerabilities to exploit.
鈥淭he effort required is so much lower,鈥 he says. 鈥淭hat鈥檚 not a good position to be in.鈥
What Hospitals Are Doing
Hospitals are loathe to talk about device security publicly, but many are working to ensure their systems are stronger.
In a two-year test of information security, experts working for Essentia, a large Midwestern health system. For instance, they found settings on drug infusion pumps could be altered remotely to give patients incorrect doses, defibrillators could be manipulated to deliver random shocks and that medical records could be changed.
Stephen Curran, acting director of the Division of Resilience and Infrastructure Coordination with the Department of Health and Human Services, could not say how many facilities have a chief security officer or someone in charge of cybersecurity. 聽But even small facilities have some relatively simple options for boosting the security of devices on their networks, he said, including 鈥渞outine backups and patching of the systems and the use of anti-virus firewalls.鈥
Still, while 鈥渨e definitely see a trend in hospitals to improve their security,鈥 says Mike Ahmadi, global director of critical systems security at cybersecurity firm Codenomicon, vendors have to do more to engineer security.
鈥淭he bigger issue is that vendors are not held accountable for writing insecure code,鈥 says researcher Rios. 鈥淭here鈥檚 no incentive…so they don鈥檛 invest.鈥
Pressure On Vendors
A few hospitals, including the Mayo Clinic, have started to write security requirements into their procurement contracts.
At the University of Texas MD Anderson Cancer Center in Houston, any new software application has to be approved by the hospital’s security team, headed by Lessley Stoltenberg, chief information security officer.
He says device makers also will have to meet a slew of security requirements: Can the device be encrypted? 聽Is there a unique identification for users? If the vendor is hosting the device, what does their system look like in terms of firewalls and other protections? Will the manufacturer provide up-to-date security patches?
Some companies, like Ahmadi鈥檚 Codenomicon, specialize in selling software to detect software bugs that could lead to security holes.
While Codenomicon has a number of device makers as customers, those are a fraction of the in the U.S., some of which may not be doing even the most basic testing. Most vendors are small 鈥 80 percent have fewer than 50 employees 鈥 and many are startups without the capital to invest in a security expert.
So, could hackers target infusion pumps or ventilators?
“Is it possible?鈥 Stoltenberg mused. 鈥淵es. Is it likely? No.聽 No device in the world is absolutely 100 percent secure.鈥
