By Emily Cox
McAfee researchers recently hacked into a central patient monitoring station for medical devices to demonstrate potential cybersecurity weaknesses.
The McAfee team performed the demonstration this past month at Defcon, a large annual hacker convention in Las Vegas, Nevada. Researchers simulated a patient whose heartbeat had flatlined to show how they could alter patient vital signs.
While researchers did not perform the demonstration remotely, they warned that it could be done from great distances as long as the hospital’s system is connected to the internet.
The team highlighted the security weakness just ahead of the new McAfee Advanced Threat Research Lab's opening in Oregon. The facility will also be used to demonstrate potential cybersecurity threats to all forms of new technology.
Two years ago, hackers broke into numerous U.S. hospital systems and infected them with malware that stopped staff from communicating with the computers. The hospitals paid ransoms in bitcoin to regain control.
In at least one instance, when a hospital refused to pay the ransom, administrators had to shut down portions of the facility until they could regain control. Consequently, they had to move some of the patients, impacting care.
America isn’t isolated in its vulnerability to medical device cybersecurity risks. Hackers have broken into health trusts in the U.K. and Germany, as well. In most cases, the hospitals end up paying bitcoin ransoms to protect patients in their care. Some hospitals have even hired law firms to buy bitcoin in case hackers hit them with malware, which is becoming known as ransomware.
FDA Action on Medical Device Cybersecurity
In 2016, the FDA issued new guidance on medical device cybersecurity. The document indicated that manufacturers need to detect and monitor potential cybersecurity vulnerabilities in medical devices, as well as research the level of vulnerabilities and risks to patients and establish a protocol for sharing cybersecurity information among manufacturers to limit hacking risks.
The agency indicated that manufacturers should design medical device software so that it can be upgraded to combat newly discovered vulnerabilities for the device's entire lifespan. The FDA warned that products that cannot be upgraded will become obsolete quickly and put patients in harm's way. The agency indicated that these measures will allow manufacturers to ensure medical device safety and effectiveness at all stages of deployment and distribution, and will encourage continuous quality improvement.
Medical Device Cybersecurity Concerns
Medical cybersecurity concerns have been escalating over the past few years as vulnerabilities in healthcare organizations' record systems and medical devices continue to surface.
Since 2014, the Department of Homeland Security (DHS) has actively investigated at least two dozen cases of probable cybersecurity flaws in hospital equipment and medical devices. According to DHS, if the medical field does not take preventative action to address its cybersecurity issues, hackers could exploit these vulnerabilities, and patients will pay the ultimate price.
Department of Health and Human Services (DHHS) manager Jason Lay says the medical field's vulnerabilities are a significant danger. Lay indicates that hacks of medical devices are an extraordinarily real possibility, saying that hackers could potentially exploit medical devices to gain access to healthcare organizations' health record systems.
Furthermore, a demonstration at the 2012 San Francisco RSA security conference showed researchers could hack medical devices like insulin pumps from as far as 300 feet away. Researchers further showed how hackers could take control of insulin devices remotely, overriding them to deliver lethal doses of insulin to patients without any notification.
Since the White House issued Executive Order 13536 in 2013, the FDA has worked on improving the medical field's cybersecurity. The Order called on the private and public sectors to collectively close the gaps in cybersecurity infrastructure. In October 2014, the agency issued its first guidance, recommending that medical device manufacturers include strong anti-hack programs during the design stages of development.