On the popular tv show Homeland, Vice President Walden’s hacked pacemaker became the weapon for his assassination. In an interview last year, former Vice President Dick Cheney confirmed that the possibility of his pacemaker being hacked had been discussed and the device’s wireless access had been disabled to prevent such an attack on his life. Still, this all sounds like the stuff of science fiction.
While there has been evidence of vulnerabilities in the medical equipment used widely in hospitals across the country, and several government agencies have begun to warn of vulnerabilities in networked medical equipment, the possibility of a real breach causing harm or disruption has seemed somewhat remote. Until now.
Prompted by weaknesses in their network security found during risk assessments, Scott Erven and his team of security and IT experts at Essentia Health decided to dig deeper. Erven’s team conducted a two year study to investigate the medical equipment used in Essentia’s facilities throughout the Midwest and what they found is astonishing.
Risk assessments conducted at Essentia, like those that prompted the June 2013 alert from DHS, showed problems with insulin pumps, defibrillators, and other widely used medical devices. In their extensive investigation, Essentia’s team found security holes including:
- Lack of authentication to access or manipulate the equipment
- Weak passwords set by users as well as weak or default hard-coded passwords set by the vendor – passwords like “1234” and “admin”
- Embedded web servers and administrative interfaces that make devices obvious and vulnerable to a breach within the network
The investigators were able to gain access to refrigeration systems, storage systems for x-rays and other medical imaging devices, and they were even able to turn surgery robots off and on. But the most disturbing vulnerabilities they found included infusion pumps with web interfaces to allow nurses to change dosage had weak password protection. CT scan equipment could be accessed to change config files to alter radiation exposure levels. And, “as seen on TV,” implantable defibrillators could be controlled with the ability to send a shock to the patient as if the device was responding to a cardiac event.
With the exception of a defibrillator, most of the possible scenarios created by the vulnerabilities detected could not be exploited in a targeted attack. But the possibility of random attacks using these devices, compounded by easy access to the networks, could be deadly. Hackers could gain access to the network from within the hospital or through a phishing attack that allowed them into one employee’s computer and thereby manipulate any connected device.
Responsibility for the underlying issues creating the vulnerabilities that were discovered may lie with the vendors but hospitals and treatment facilities are the ultimate targets for hackers to manipulate the equipment. While vendors and regulators need to address problems before equipment reaches the hospital, there is no consensus yet as to how to make these devices more secure. So what can hospitals do now to reduce the risk of a breach or incident from exploited medical devices?
Improve Network Security to Reduce Risk to Medical Devices
Given the extent of vulnerability found in Erven’s investigation, any hospital or facility that has not had a thorough risk assessment recently, should consider conducting a similar investigation and taking necessary steps to increase the security of their entire network. Access to the devices within a facility usually requires access to the network which is the responsibility of the hospital, not the equipment vendor, to keep secure.
Risking a data breach that can affect HIPAA compliance is enough cause for concern. In light of these recent findings, an unsecure network could jeopardize much more than ePHI. Ignoring such security gaps could put your patients’ very lives in danger.
Train Employees to Keep the Focus on Security
Once steps have been taken to identify and correct weaknesses in network security, employees need to be trained to understand the risk, identify threats, and thwart any attempts to gain access through their own profiles, emails, or user accounts on the network.
If policies and procedures are not up to date or if staff has not been adequately trained and recently retrained, this would be a good time to make updates and schedule a mandatory training or refresher. If you have been lax about training new staff or remiss in retraining long-time employees, both could pose unnecessary vulnerability for the organization as well as put your organization out of compliance.
Insist that Regulators and Vendors take these Threats Seriously
While regulators grapple with how to respond to these revelations, vendors are sometimes slow to accept responsibility. Many vendors have argued that making a change (such as removing the hard coded passwords from the device once it has been delivered to the facility) could necessitate that re-approval be sought under FDA guidelines. However, the FDA’s Device Regulation Guidance document states that FDA review is “usually not” required prior to implementing a software patch to address a cybersecurity vulnerability.“In general, FDA review is [only] necessary when a change or modification could significantly affect the safety or effectiveness of the medical device.”
Regardless of where the vulnerabilities are found, responsibility is shared between vendors, providers, and regulators to address such serious threats to data and patient security. Being the patient-facing users of the devices, however, providers may need to drive the issue to a more secure and safe future for patients.
If Loricca can help your organization get started with a risk assessment and planning the appropriate steps to ensure network security, please contact us to learn more.