Device Makers Combating Cyber Risks to Patient Health

Newly discovered vulnerabilities are opening up networked hospital medical devices to attacks that could endanger patients and damage the credibility of hospitals and device makers.

Device makers are relying on information sharing and limiting access to devices as they look to prevent potential hacks.

Device security was recently highlighted by a research team from cybersecurity firm McAfee that broke into a central patient monitoring station in seconds and altered the vital-sign readings it displayed.

Central monitoring stations allow nurses and doctors to keep an eye on the vital signs of several patients at once. An attack that falsifies those readings could lead clinicians to give the wrong medications or order unnecessary tests.

The cyberattack threat is forcing hospitals and medical device manufacturers to take new measures to protect networked devices from hackers. The average cost of a data breach across all industries is $3.8 million, according to the 2018 Cost of a Data Breach Study released by the Ponemon Institute in July.

Cybersecurity is a rapidly evolving field, and medical device software can become outdated quickly, leaving the devices exposed to known attack techniques.

One way to mitigate cybersecurity risks is to limit access to a networked medical device. GE Healthcare manufactures a patient monitoring system that runs on a dedicated and isolated network with no connection to the larger hospital network, a spokeswoman for GE Healthcare told Bloomberg Law.

The McAfee test involved hacking into unencrypted clinical networks, and it didn’t identify any weakness that would render the GE systems vulnerable to remote hacks, the spokeswoman said.

Medical device users should also conduct frequent risk assessments of all their internet-connected devices, Richard Staynings, chief security and trust officer at Nashville, Tenn.-based Clearwater Compliance, told Bloomberg Law.

Medical devices take about five or six years to go through testing and clinical trials before they receive Food and Drug Administration approval, meaning that brand-new devices arriving in hospitals today were designed using technology that may already be out of date, Staynings said.

“Anyone connecting their 2012 Windows computer to the internet without any security software or updates would more than likely be compromised inside 10 minutes, yet that’s what we do with medical devices,” Staynings said.

Medical devices that can’t be updated or retired should be isolated from a hospital network using compensating security controls, Staynings said. Many of the larger hospital systems are turning to micro-segmentation, which keeps a tight control over access to specific medical devices, Staynings said.

Patient monitoring devices are the latest medical devices to face potential hacking threats, following April reports from the FDA on vulnerabilities in implantable cardiac devices such as pacemakers and defibrillators.

Abbott Labs, for example, had to issue a security patch to fix security vulnerabilities within several pacemaker models.

The threats have also hit the radar screen of the Health and Human Services Office of Inspector General, which is reviewing the cybersecurity of networked medical devices for a report that will be released by the end of September, an OIG spokesman told Bloomberg Law.

Information Sharing

Medical device manufacturers are focused on fixing cybersecurity vulnerabilities and are in the process of creating an information sharing and analysis organization (ISAO) for the device industry, Zack Rothstein, associate vice president for technology and regulatory affairs at the Advanced Medical Technology Association in Washington, told Bloomberg Law. The new organization will help manufacturers share cybersecurity threats and vulnerabilities with each other.

The ISAO is still in the development phase but will be operating by the end of the year, Rothstein said.

Awareness of the cybersecurity threat to medical devices has grown, but the actual threat has remained static, Rothstein said.

“We’re not aware of a medical device being targeted and hacked,” Rothstein said.

However, even a theoretical threat has to be treated very seriously, and medical device manufacturers are working closely with the rest of the health-care sector to prevent any hacks.

The McAfee research was presented at mid-August hacking conferences in Las Vegas. The researchers exploited the unauthenticated, unencrypted traffic between a bedside monitor and the central station to make real-time changes to the vital signs shown there, which include everything from heart rhythms to oxygen levels.

Shared Responsibility

Medical device cybersecurity should be a shared responsibility among manufacturers and device users, Rothstein said. A lot of large hospital systems have sophisticated cybersecurity policies and systems, but smaller facilities often don’t have very robust cybersecurity, Rothstein said.

There’s an ongoing debate over how cybersecurity risk and liability should be shared by device manufacturers and end users, Rothstein said. “We don’t have a good sense of how it could be done,” Rothstein said.

“This is absolutely a major concern for hospitals, but it’s unclear if it’s a real concern for the device makers as they continue to produce insecure devices,” Mac McMillan, president and chief executive officer of CynergisTek, a cybersecurity consulting firm in Mission Viejo, Calif., told Bloomberg Law.

The Black Hat and DEF CON conferences in Las Vegas where McAfee presented its research showed how vulnerable some of these medical devices are, but there's a real lack of awareness of the risks that exist in deployed devices in most hospitals, McMillan said.

In some cases, hospitals can’t even produce an accurate inventory of their devices, McMillan said.
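The two points above are linked in practice: the micro-segmentation Staynings describes as a compensating control for devices that cannot be patched can only be enforced against an allow-list of known devices, so an inaccurate inventory shows up as traffic the policy cannot classify. The following script is an added example written for this page, not code from the article, McAfee, GE Healthcare or any hospital. It evaluates a handful of captured flow records against a segment allow-list and reports both policy violations and addresses seen on the device VLAN that are missing from the inventory. Every device name, address, segment, port and flow record in it is constructed for illustration.

```python
"""Micro-segmentation policy check for networked medical devices (added example).

Given an inventory that pins each device to a segment, and an allow-list of
permitted segment-to-segment flows, classify captured flows as allowed or
denied and surface un-inventoried devices on the device address space.
All names, addresses and ports are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: device address -> name and the segment it belongs to.
INVENTORY = {
    "10.20.1.11": {"name": "bedside-monitor-01", "segment": "patient-monitoring"},
    "10.20.1.12": {"name": "bedside-monitor-02", "segment": "patient-monitoring"},
    "10.20.1.100": {"name": "central-station", "segment": "patient-monitoring"},
    "10.20.2.50": {"name": "infusion-pump-07", "segment": "infusion"},
}

# Address space reserved for medical devices (hypothetical). Anything seen
# here that is not in INVENTORY is an inventory gap.
DEVICE_RANGES = [ip_network("10.20.0.0/16")]

# Other hospital segments identified by address range (hypothetical).
SEGMENT_RANGES = [
    (ip_network("10.30.0.0/16"), "pharmacy"),
    (ip_network("10.99.0.0/16"), "guest-wifi"),
]

# Allow-list of (src_segment, dst_segment, proto, dst_port). Default deny:
# a flow that matches no entry is a violation. Port numbers are hypothetical.
POLICY = {
    ("patient-monitoring", "patient-monitoring", "tcp", 2000),  # monitor -> central station
    ("infusion", "pharmacy", "tcp", 443),                        # pump -> pharmacy system
}


def segment_of(ip: str) -> str:
    """Resolve an address to a segment: inventory first, then known ranges."""
    if ip in INVENTORY:
        return INVENTORY[ip]["segment"]
    addr = ip_address(ip)
    for net, seg in SEGMENT_RANGES:
        if addr in net:
            return seg
    if any(addr in net for net in DEVICE_RANGES):
        return "unknown-device"  # on the device VLAN but not inventoried
    return "internet" if addr.is_global else "unknown"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flows):
    """Return policy violations and un-inventoried device addresses."""
    violations = []
    unknown_devices = set()
    for f in flows:
        for ip in (f.src, f.dst):
            addr = ip_address(ip)
            if ip not in INVENTORY and any(addr in net for net in DEVICE_RANGES):
                unknown_devices.add(ip)
        rule = (segment_of(f.src), segment_of(f.dst), f.proto, f.dport)
        if rule not in POLICY:
            violations.append(
                (f, f"{rule[0]} -> {rule[1]} {f.proto}/{f.dport} not in allow-list")
            )
    return {"violations": violations, "unknown_devices": unknown_devices}


# Constructed flow records, as a flow collector might export them.
SAMPLE_FLOWS = [
    Flow("10.20.1.11", "10.20.1.100", "tcp", 2000),   # allowed: monitor -> station
    Flow("10.99.0.7", "10.20.1.11", "tcp", 22),       # guest wifi probing a monitor
    Flow("10.20.2.50", "10.30.0.5", "tcp", 443),      # allowed: pump -> pharmacy
    Flow("10.20.2.50", "93.184.216.34", "tcp", 80),   # pump reaching the internet
    Flow("10.20.1.13", "10.20.1.100", "tcp", 2000),   # device not in inventory
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_FLOWS)
    for flow, reason in report["violations"]:
        print(f"DENY  {flow.src} -> {flow.dst}: {reason}")
    for ip in sorted(report["unknown_devices"]):
        print(f"GAP   device on device VLAN not in inventory: {ip}")
```

Run as-is, the script denies the guest-Wi-Fi probe, the pump's internet egress and the flow from the un-inventoried monitor, and lists 10.20.1.13 as an inventory gap. The same allow-list is what a segmentation gateway or host firewall in front of an unpatchable device would enforce; the value of running it over flow records first is that it separates policy violations from gaps in the inventory, which are fixed by different teams.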

To contact the reporter on this story: James Swann in Washington at jswann1@bloomberglaw.com

To contact the editor responsible for this story: Brian Broderick at bbroderick@bloomberglaw.com