Why Medtech's Cybersecurity Problem Is Really Bad

A new report gives healthcare systems a failing grade on medical device cybersecurity, warns of consequences to patients and industry. 

Varun Saxena

Hospitals are "hyper-focused" on protecting patient data from hackers, but are inadequately protecting patient health from cyberattacks on medical devices, says a report from Baltimore-based security firm Independent Security Evaluators.

The incidence of crippling ransomware attacks in Los Angeles and across the country demonstrates the need for devicemakers and providers to put patient safety ahead of patient privacy. Independent Security Evaluators evaluated 12 healthcare facilities and two active medical devices from one manufacturer over two years.

"The findings show an industry in turmoil: lack of executive support, insufficient talent, improper implementations of technology, outdated understanding of adversaries, lack of leadership, and a misguided reliance upon compliance. These findings illustrate our greatest fear: patient health remains extremely vulnerable," the firm concluded.

For instance, the firm used an "authenticated bypass" attack to gain access to a patient monitor. The security evaluators were able to instruct it to perform a variety of disruptive tasks, such as sounding false alarms and displaying incorrect vital signs. They were also able to disable the alarm altogether.

The attack scenario is "harrowing," the report says: "Diligently executed, many human lives could be at stake, and extrapolating this problem to other hospitals is even more worrisome."

The report also documents instances in which the security evaluators had uninterrupted private physical access to devices for more than an hour, such as Philips' IntelliVue patient monitor. The scenario demonstrates the need for devicemakers to secure their devices from non-remote intrudes, as well as those who operate from afar.

Even automated supply cabinets made by CareFusion are vulnerable, other researchers have found.

As for patient privacy, well, despite all the energy spent, it isn't well-protected either. HIPAA has "created a system of confusion, fear, and busy work that has cost the industry billions of dollars," according to the firm. Moreover, the security evaluators note that comprised electronic health records can be leveraged to create a situation that could harm or kill a patient.

In case the threat of dead patients is not enough, the feds have become more vigilant on the cybersecurity front. Last year, the FDA for the first time instructed hospitals to stop using a device due to poor cybersecurity.

Hospira's Symbiq Infusion Systemis remotely accessible by nefarious actors who could "change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies," the agency said.

The report says that hospitals are especially unprepared for a targeted attack against an individual. Given the repeated demonstrations that the endeavor is possible, medical device cybersecurity experts like the University of Michigan's Kevin Fu believe that a malicious cyberattack against a pre-selected individual is inevitable. 

Such an attack would certainly generate a lot of negative attention, and could lead to mistrust and fear of medical devices (and hospitalization) among patients. Pointing to the sudden drop in childhood immunization rates, the report notes that the phenomenon has already occurred in healthcare.

Independent Security Evaluators writes that "if similar widespread loss of confidence were to afflict the healthcare industry, such as the community refusing to seek treatment due to fear of harm (justified or not), it would be extremely detrimental to our health, safety, and economy."

Varun Saxena is a contributor to Qmed.

Like what you're reading? Subscribe to our daily e-newsletter.