Modern medical devices are increasingly at risk of malicious manipulation by hackers. Professor Boaz Ganor, the founder/executive director of the International Institute for Counter-Terrorism, and Dr Miri Halperin Wernli, Actelion Pharmaceuticals’ deputy head of global clinical development, uncover the susceptibility of the industry to cyber-threats, and how OEMs can best protect themselves and their patients.
When diabetic computer network security expert Jay Radcliffe realised that his wireless insulin pump could be hacked and controlled, he woke the medical device industry up to a potentially catastrophic problem.
The $228-billion business is on track to surpass worldwide sales of medicines by 2018, its rapid growth a result of the extent to which it improves and extends lives in ways unknown a generation ago. Like so many areas of business, government and academia, however, the industry is highly vulnerable to hacking and terrorism.
Software is essential to modern medical technology. It enables wireless monitoring and remote reprogramming, connects equipment to clinical personnel, and facilitates device-to-device communication, as well as performing countless administrative functions.
Accidents and emergencies
Every modern hospital has a forest of computers classified as medical devices. These often operate with software long past expiry and without antivirus protection. Many are further compromised with embedded malware, inadvertently placed years ago by vendors.
These issues have become a headache. Patient health, hospital system security and patient privacy are big concerns, but lurking in the minds of those in the know are other issues dealing with intellectual property theft, regulatory violation and the loss of valuable proprietary information assets.
In 2013, FDA issued a warning for hospitals to close security gaps in their computers, smartphones and tablets. The warning placed a spotlight on the widespread inattention to timely security software updates, ongoing use of aging operating systems, such as Windows XP, and the persistent and ubiquitous issue of inadequate password control.
Last year, the agency convened a meeting for government, industry, and academic experts to weigh in on the issues. Concerns were shared, but little was offered in the way of practical solutions.
Software-reliant medical devices fall into three categories: peripherals, independent and networked. Independent and networked devices, including implantable medical devices (IMDs), are most subject to hacking. The route to this unwanted interference is the wireless technology used to control how devices function and connect to other devices and programmes, including EMRs and billing software. Code complicates matters: a pacemaker is programmed with up to 80,000 lines, while a drug infusion pump has as many as 170,000.
IMDs are improving millions of lives. More than half of those in the US are designed and operated using computational software, including transmission of information via radio waves, and more are on their way. Analysts following global pacemaker sales anticipate a $5.1-billion market in three years; ICD sales are expected to reach $10.5 billion in 2015.
Hockey-stick growth is also anticipated for sales of drug pumps and neurostimulators, and the merging of nanotechnology with IMDs will enable a new generation of miniaturised wireless devices to enter our bodies. Think about smart pills, brain implants, subcutaneous sensors and ‘smart’ orthodontia.
Inadvertently, the device industry has created a disaster waiting to happen. There is ample precedent. In 2010, web security giant McAfee issued an automatic software update that malfunctioned. Suddenly, health information technology devices around the globe were unavailable. Half of the 6,000 computers in Upstate University Hospital (Syracuse, NY) were affected; one third of Rhode Island’s hospitals postponed elective surgeries and were forced to suspend treatment of non-traumatic ER patients.
Lives are being lost as a result of malfunctioning devices. Between 2005 and 2010, the FDA recorded more than 700 deaths from infusion pump issues, many of which were linked to incorrect entry of data dosage and software malfunctions. In an example cited by the agency, defective software that doubled a keystroke caused 22 units, rather than two, to be dispensed. According to media reports, agency officials thought the death rate was considerably higher.
In another, possibly unrelated example, programming problems with an infusion pump caused a bolus to be delivered in 20 minutes, rather than the intended 20 hours.
The two main risks associated with malware are widespread unavailability of patient care (for example, a hospital in which large numbers of infusion pumps stop working simultaneously) and poor clinical decisions resulting from inaccurate data transmitted by compromised medical sensors.
Malware issues are problematic but, ultimately, manageable. Monitoring power consumption – changes in power consumption may indicate the presence of malware – is a possible indicator, and is worthy of exploration.
The bigger issue is malicious attack, and the number and intensity of hacking incidents is growing. Large-scale theft of personal data from financial institutions and big-box stores represent one level of this problem, cyberpilfering of intellectual property is another. The attack on Sony in late 2014 (linked to North Korea) was a blatant display of how hackers saw the internet as their oyster.
The lack of security and the potential to wreak havoc make the medical device industry an easy target for criminal hackers seeking personal health and financial information, or those just hell-bent on causing harm.
If mere malice seems an unlikely motivation, consider the assault seven years ago on epilepsy patients with migraine seizures, where flashing animations were added to the Epilepsy Foundation website. Given the opportunity, there are those who will exploit it to inflict harm.
Three categories of malicious attack
The different forms of malicious attacks on devices can be placed into three categories. The first is an insider attacks, in which device programmers – compact machines used to configure programmable digital circuits – are used to access protected information. Device programmers are not recorded in any registry, therefore their numbers are unknown. Complicating their lack of security is the fact that, typically, they have few access controls and no password protection. Someone on the inside can easily ‘misplace’ a device programmer or, as already demonstrated, construct one using inexpensive and easily available materials. In the hands of a disgruntled employee, or one with an aggressive political agenda, device programmers could be used to steal, or otherwise inflict harm.
In passive outside attacks, meanwhile, the hacker eavesdrops on patient information. Device-stored patient data generally is not encrypted, making it potentially available to people who shouldn’t have access. This possibility was made clear by a group of researchers who wirelessly tapped into medical records.
The final category is active outside attacks. In these, hackers capture patient vital signs, drain device power, turn off or change therapies, and/or negatively affect the patient’s physiology. Computer scientists already have demonstrated how radio hardware, antennae and a PC can be employed to wirelessly shut down an implantable cardiac defibrillator and reprogram it to deliver potentially lethal shocks or empty its battery.
Unfortunately, disruption of medical treatment is anticipated to join bombings, poisonings, sabotage and other forms of violence in the terrorist’s arsenal. It is no great leap, after all, from attacking the websites of western news and human rights organisations to infiltrating unguarded healthcare infrastructures.
When it occurs, it may follow one of the patterns etched miserably into the collective consciousness. It may be in the form of organised terrorism, planned and carried out by an organisation or rogue government, or the work of a radicalised ‘lone wolf’ who is already inside the system. Too many have already done damage, including the US Army physician at Fort Hood, who might have murdered more people, had he chosen death by medical device, instead of by gun.
However it happens, an attack using medical devices will be well reported by the news media, peeling away another layer of communal security and altering how we conduct our lives.
What can be done?
Managing the risk requires collective will and cooperation. Regulators have taken some action: Congress investigated the issue and in 2012, the Government Accountability Office (GAO) reported the lack of investigation by US agencies into security and connectivity. Last October, meanwhile, FDA confirmed earlier guidance that device manufacturers should tighten security and improve cybersecurity and risk management planning.
Part of the problem is that FDA and EMA, in keeping with their culture of concern for the safety of medicines, are oriented to how devices are supposed to perform for clinical benefit. They look at how devices function within their normal context; not how they might be used inappropriately to cause harm.
The agencies are not set up to research security issues associated with software and connectivity. Acknowledging these limitations, the FDA should proactively facilitate discussions among manufacturers, academics, regulators and other government parties and, where appropriate, patient advocates.
There is a direct correlation between device risk and device complexity, especially the complexities involving operating systems, software and wireless networking. Individual devices have been vulnerable to malicious tampering for some time.
Highly networked devices serve as a force multiplier of risk. Standard industry metrics focus on safety and efficacy. Given real security issues described in this article, the medical device manufacturing industry should augment those metrics in order to accommodate privacy and security.
Technology changes have occurred relatively quickly. The medical device industry needs to catch up with systemic improvements that will protect its societal and financial value. In the words of MIT computer science professor Howard E Shrobe, "Patch and pray is not a strategic answer."