WHEN WILL YOUR PACEMAKER BE HACKED ?
In 2013, the Washington Post (among other news outlets) reported that Vice President Dick Cheney’s cardiac pacemaker had its wireless capabilities disabled when implanted in 2007 to eliminate any potential cyberintrusion threat (Peterson, 2013). This old headline, with the more recent U.S. Food and Drug Administration (FDA) cybersecurity alert that the Hospira Symbiq Infusion System was hacked in 2015 (U.S. Food and Drug Administration, 2015), has many hospital leaders wondering whether they have the risk of medical device cyberhacking under control. General consensus is they don’t.
Many information technology (IT) leaders certainly have many cybersecurity risks under control: passwords are required, servers are secured behind locked doors, policy has been established if any protected health information is sent to a wrong e-mail address or hacked. However, these practices have largely been applied to network infrastructure and the electronic health record (EHR). A medical device, such as a vital signs monitor or an infusion pump, is a cybersecurity threat vector that probably has not been subjected to the same risk-mitigation scrutiny.
To start addressing these issues, FDA hosted a public workshop January 20 and 21, 2016, called “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity” (U.S. Food and Drug Administration, 2016). The FDA, in collaboration with the National Health Information Sharing Analysis Centre, the U.S. Department of Health and Human Services, and the Department of Homeland Security, brought together diverse stakeholders to discuss complex challenges in medical device cybersecurity that affect the medical device ecosystem.
Know Where the Threats Lurk
As we know, medical devices are no longer just machines attached to or used by the patient. They are often connected to the EHR—either hardwired or wirelessly. A typical patient in a critical care unit could easily be connected to ten or more networked devices. While the information on the medical device may not be useful to a hacker, the medical device can be used as a conduit for accessing patient information in the EHR, like home address and social security number, which can be used to perpetrate identity theft or real theft in the patient’s home while the patient is hospitalised. Potential threats in medical devices include the physiologic monitor that runs on an outdated operating system, the ventilator with a USB port, and usernames and passwords for the vendor’s field service engineers and in-house technicians that are hard-coded. Other industries largely solved these types of issues years ago.
As a further example, in-house biomedical engineering technicians and vendor field-service engineers typically have administrative rights to access performance records and to apply service diagnostics. These are typically not a managed credential and at many hospitals are the same for everyone with this level of access to the device. What happens if a technician or field service engineer leaves the hospital or the vendor? The password leaves with the person, with no hospital policy or procedure to update the access codes. In its 2015 Cybersecurity Survey, the Healthcare Information and Management Systems Society (HIMSS) noted that user-access control security solutions were implemented in just 55 percent of responding hospitals and mobile device management tools and that access control lists were implemented in only 50 percent of respondents (Healthcare Information and Management Systems Society, 2015).
Also, at many hospitals, no clinical engineering or IT staff can tell you which medical devices connect to the EHR, how they connect, or what version of operating software is running on each device. Often, basic security information is nowhere to be found regarding medical devices used in patient care.
What to do
clinical engineering, IT, and risk management staff when creating
cybersecurity policies and procedures;
assess medical device cybersecurity risks. Working with manufacturers as
- Keep up
with the latest updates and patches for operating systems and anti-malware
network access to medical devices through the use of a firewall or virtual LAN;
- Audit the
log-in process to all medical devices to ensure that an access-control method
is being followed;
- Set up a
process to monitor and report on cybersecurity threats and events.
Include the Right Stakeholders to Create Policies and Procedures
In its Top 10 Health Technology Hazards for 2015, ECRI Institute recommended that a hospital or health system clinical engineering, risk management, and IT departments jointly take these steps to mitigate cybersecurity threats. Also, medical device security should be thoroughly vetted during the purchasing process of all medical devices and equipment, with a team that includes clinical engineering, IT, and risk management personnel to assess what the vendor has done regarding design and policies for patch and update management. One resource to aid in this process is the Manufacturer Disclosure Statement for Medical Device Security questionnaire developed by HIMSS and the American College of Clinical Engineering, and then standardised during a joint effort between HIMSS and the National Electrical Manufacturers Association. It provides medical device manufacturers with a means for disclosing to healthcare providers the security-related features of the medical devices they manufacture.