Upsides and Downsides of Medical Device Hacking
By Eric Buzz Hillestad
Hacking devices has been something people have done since the birth of technology. Making something perform an unintended function or malfunction is at the heart of every hacker.
But the word ‘hacker’ itself didn’t always have the negative connotation it does today. In the 1980s, a hacker was someone who could make a piece of legacy software operate with new functions and features. Some companies lived and died by their hackers’ abilities. Fast forward to recent times, when medical devices that perform critical tasks for patients are being connected with communication devices. Insert hackers into these devices and we have a formula for both innovation and malfunction with some serious ramifications.
The biggest danger is obvious – compromised patient safety. Wired published an article last April titled, “It’s Insanely Easy to Hack Hospital Equipment”. A man by the name of Scott Erven and his team of researchers at SecMedic were allowed access to a large Midwest hospital system for a period of two years to perform their research.
What they found was horrifying to many. Erven and his team found defibrillators that can be accessed through Bluetooth to deliver unnecessary shocks to a patient’s heart, temperature settings on refrigerators that store drugs and blood that can be modified, insulin pumps that can be remotely changed to deliver far too much or too little medicine, and devices and equipment that can be reset to change configuration settings.
On the upside, some frustrated parents of kids with type 1 diabetes have used hacking to innovate. “Citizen Hackers Tinker with Medical Devices” in a September issue of the Wall Street Journal describes how a group of software developers, all of whom had children with diabetes, worked to find a way to monitor their children’s insulin levels over the Internet. The system is called NightScout and allows hackers to have readings from Dexcom glucose monitors sent to a series of communications devices, including a custom-made smartphone app.
Unfortunately, there is a downside to this kind of innovation. The same system that enables these parents to monitor a child’s glucose over the Internet also opens up the attack surface of the devices from merely being next to the patient to anyone with access to the Internet.
The FDA is well aware of the risks and benefits. In October, the FDA released their finalized Cybersecurity Guidance covering what is required for new medical devices from both manufacturers and healthcare systems using the devices. For current devices, the guidance includes an identification of assets, threats, and vulnerabilities; an assessment of the impact of vulnerabilities on device functionality and end users/patients; an assessment of the likelihood of a threat and a vulnerability being exploited; a determination of risk levels and mitigation strategies; and an assessment of residual risk and risk acceptance criteria.
The FDA also recommends that medical device manufacturers give justification in their premarket submissions for the security functions they choose for their products. Some examples include limiting access to trusted users through such methods as authentication, strong password protection, and physical locks, and ensuring trusted content by restricting software or firmware updates to authenticated code.
The bottom line: get these devices into your risk assessment process and make sure that risk remediation is happening at some level. In some cases, putting devices on segregated networks or changing default passwords can make a world of difference. In other cases, the only way to control access to certain radiology devices and software is to put them behind their own firewalls and turn off communication options that aren’t needed, such as Bluetooth. For many large systems, the major issue is first locating all the devices and finding out just how many of them are in their environment.