Hacking Health: Cybersecurity in Medical Devices and Healthcare

By Audrey Lee

When you hear the term “Internet of things” (IoT), what is the first device that comes to mind? You might picture the smartphone you’ve come to heavily rely on, a fitness tracker that monitors your activity throughout the day, or even a smart home that is energy efficient. But even something as personal as an implantable medical device (such as an insulin pump or pacemaker) is becoming part of a rapidly growing number of network-connected devices.

We’re becoming more connected with the internet than ever before. Over the past two decades, computer software and internet connectivity capabilities have been incorporated into planes, cars, homes, and cities to improve the ways that we live and interact with the world around us. These devices have been influencing developments in major industries such as business and healthcare. In the latter case, they have driven advancements in technologies from medical imaging to wearable technologies.

According to some experts, by 2020 there will be over 200 billion connected things--an astounding 26 IoT objects for every human being on Earth! But as we grow more dependent on technology in our daily lives, we also become more vulnerable if the technology should fail. Just like computers connected to the internet, IoT devices are susceptible to security breaches. These attacks can be particularly scary, especially when they occur on medical devices.

For instance, think about what might happen if you rely on an insulin pump to manage diabetes. If a security breach compromises the functions of your pump, then your very life would be at risk. This hypothetical situation is actually very real: in 2016, Johnson & Johnson released a warning to patients about the vulnerability of one of its insulin pumps to cyber attacks. It was found that hackers could potentially exploit the device to deliver an overdose of insulin, resulting in life-threateningly low blood sugar. Although the FDA knows of no cases yet where hackers have exploited these devices to harm patients, these vulnerabilities still have (rightfully) raised considerable alarm.

Real cases of identity theft, ransomware, and targeted hacking have proven healthcare data and devices to be vulnerable. In 2016, a hacker seized control of the computer systems at Hollywood Presbyterian Medical Center, forcing the hospital to pay $17,000 ransom in bitcoin. Furthermore, in the case of targeted nation-state hacking, it has been shown that personal medical devices could be compromised to deliver lethal dosages to users. This topic was of great concern when former Vice President Dick Cheney had a cardiac pacemaker implanted. Cheney’s doctors needed to disable the wireless capability of his device because they feared someone could breach his pacemaker and deliver a deadly shock to his heart. The possibility of this attack was not only a risk to Cheney’s life but also a topic of concern that left an entire nation on edge—and it highlighted the danger that cyberattacks pose to the healthcare industry.

Cybersecurity is the protection of computer systems from attack, damage, or unauthorized access. It takes center stage in protecting us from the numerous and perilous risks that IoT devices possess. Unfortunately, the current state of cybersecurity in healthcare and medical devices is far from reassuring. According to the US Department of Health and Human Services’ (HHS) Task Force member Josh Corman, “What we consistently encountered was a strategic pitfall in cybersecurity environment. Healthcare cybersecurity is in critical condition.” In 2015, the healthcare industry experienced more breaches from cyberattacks than any other industry, emphasizing the grave danger cyberattacks pose—as well as the shortage of protection against them.

Despite the direness of the situation, many people are unaware of the facts on cybersecurity threats to medical devices. This lack of knowledge is a key obstacle for patients and healthcare workers who wish to push for change. For instance, misconceptions that the US Food & Drug Administration (FDA) conducts premarket tests of medical devices for cybersecurity for approval are false; device security testing is the responsibility of the medical product manufacturer. Since there are no regulations to enforce the security testing of medical devices, it becomes unclear whether the devices we receive as patients are truly safe to use. Moreover, many believe that cybercriminals only target large hospitals, but the HHS has found that all healthcare organizations are being targeted regardless of their size. This revelation is especially concerning due to the fact that three out of four hospitals—that is, the vast majority—do not have designated security persons for medical data. The misconceptions about cybersecurity in healthcare are driving a systemic and dangerous lack of action and regulation by institutions to protect patients.

On a positive note, regulatory agencies and governments have begun to address the deficiencies in the state of cybersecurity. In order to address the security needs of the healthcare industry, the Health Care Industry Task Force released a report to Congress in June 2017 outlining the flaws and necessary action items for improvement. Present challenges include the severe deficit of security personnel, equipment running on outdated operating systems, and unsecured personal medical devices that are presently used by patients. The Task Force set forth six imperatives along with recommendations for the healthcare industry to develop the security of medical devices and health IT, and improve knowledge of this issue through education initiatives. As a whole, this report addressed significant concerns and established an ongoing public-private forum to enhance protections for both the healthcare industry and its patients.

Along the same lines, the FDA has organized public workshops and formed partnerships to help protect the public health from cybersecurity vulnerabilities. It has also published guidelines and recommendations for medical device manufacturers and healthcare facilities to be more vigilant about identifying risks and hazards related to their devices, including cybersecurity. As of this year, the FDA has partnered with the National Science Foundation and the Department of Homeland Security to strengthen medical device cybersecurity through a public workshop. The recent outbreak of activity by these organizations to address these pressing issues is reassuring for the future of the IoT.

All said, it is important to keep in mind that there is much left to be done to protect the healthcare industry. Many medical devices on the market are still vulnerable to existing cyber threats, and existing devices will still be vulnerable to cyber threats if left unaltered. In the future, the private industry and the government must quickly acknowledge and tackle these vulnerabilities, and design and enforce proper regulations for the IoT as a whole.

Security threats to medical devices have been a widespread and integral topic of discussion in the cybersecurity field since the mid-2000s. However, it has taken over a decade for these concerns to be officially addressed in the healthcare industry. As technology continues to advance and proliferate in our everyday lives, it is critical that the public and private sectors work together to address cybersecurity concerns in order to maintain the welfare of patients, hospitals, and societies.
​
Audrey Lee is a Columbia Engineering sophomore studying biomedical engineering. She is a staff writer for the Columbia Science Review.