Networked medical devices can be vulnerable to cyberattacks.
Dr Levine is Practice Director, CCRM New York, and Attending Physician, Lenox Hill Hospital, New York. He has no conflict of interest to report in respect to the content of this article.
In late December 2016 the Food and Drug Administration (FDA) released its recommendations for how medical device manufacturers should protect and maintain the security of Internet-connected devices. The report strongly encourages device manufacturers to “address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.”1 The FDA’s concern is that “exploitation of [networked devices’] vulnerabilities may represent a risk to health” given that many patients and practitioners depend on the data and function of these devices for patient care.
In short, the FDA is concerned that devices such as pacemakers and insulin pumps could be held hostage by cyber-terrorists.
In 2015, the FDA issued a warning that Hospira Inc’s Symbiq intravenous infusion system had a security vulnerability that could allow cyber attackers to take remote control of the system by accessing a hospital’s network.2
Although no cases of pump-hijacking were reported, the FDA strongly encouraged healthcare facilities to stop using the Symbiq system and switch to other devices. However, it warned that the devices were likely still available through third-party vendors and that consumers should avoid the product.
The implications of asking a clinic, hospital, or other facility to discontinue using a device are significant. For example, Symbiq had a “connected” drug library that kept the device up to date and safeguarded against accidental overdoses. The FDA document regarding the pumps states, “Disconnecting the affected product from the network will have operational impacts. Disconnecting the device will require drug libraries to be updated manually. Manual updates to each pump can be labor intensive and prone to entry error.”2 Therefore, the transition to a new device is costly not only because it requires buying new equipment, but also because it requires countless hours of in-service training, and the effect on patient care during that transition is almost impossible to estimate.
As ob/gyns, we are incredibly dependent upon connected devices. For example, most labor and delivery units utilize networked electronic fetal monitoring, allowing for centralized monitoring of patients. If a cyber terrorist were to replay a loop of old tracings in place of the live feed, it is quite possible that the observers would be unaware of such an attack and the lives of mothers and babies could be at stake. With respect to the aforementioned infusion pumps, it is possible that Pitocin could be delivered at dangerous levels, again putting mothers and babies at risk. The potential for harm is incredible, and we need to be cyber vigilant.
In early 2016, Hollywood Presbyterian Medical Center in Los Angeles, California, was the subject of a targeted attack in which hackers shut down the internal computer system for a ransom of 9,000 bitcoin, or almost $3.7 million.3 The hospital reported that patient care was not compromised, despite the need to abandon their electronic medical record, revert to paper documentation, and divert ambulances to other hospitals. Ultimately, the hackers accepted a ransom payment of 40 bitcoins, approximately $17,000, and the hospital regained control of its internal network.4
However, the nightmare didn’t end with the public shame of admitting that they were attacked and paid a $17,000 ransom. Because the attack likely led to unauthorized “acquisitions” of protected health information (PHI), which is protected by the Health Insurance Portability and Accountability Act (HIPAA), the hospital may be responsible not only for notifying all of the potentially affected patients, but also for paying a significant fine unless it can prove with high probability that the PHI was not compromised. What started with a multimillion-dollar demand that was whittled down to a few thousand dollars could still cost millions of dollars in penalties in the end.
So, how does this all happen? How do devices get hacked and networks get hijacked? It typically requires someone inadvertently providing access to the network. This can happen if someone uses an infected thumb drive on a hospital computer, downloads a seemingly benign plug-in to give new features to a web browser, or simply responds to a “phishing” email (when a user is sent an official-looking email and enters protected information, which is routed to someone with sinister intent).
As ob/gyns increase their online presence by including our places of work on LinkedIn, Facebook, etc, posting pictures of ourselves at work on social media, and leaving other proverbial bread crumbs on public sites about what we do and where and when, we make ourselves vulnerable to targeted attacks. Hackers comb the Internet looking for tidbits about us and then use that information to target us. These attempts at contact can be in the form of an unsolicited Facebook friend request, an email with an attachment, a survey that leads to a website, or even a “free trial” of a program that requires a download. And because we network our devices (by using Gmail/Google Calendar, iCloud, Dropbox, etc), gaining access to one of them is usually all that is needed to gain access to multiple devices.
We must be hypervigilant about protecting not only our patients, but also ourselves. Whatever information we have online is potentially accessible to anyone who wants it. Inadvertently installed ransomware (which allows someone to lock up a network and demand a ransom for its return), hackable connected devices (defibrillators, PET scanners, IV pumps), and cloud-based computing are all risk factors.
Changing passwords frequently, using 2-step verification (whereby you enter your password and then are asked for a separate code that is sent to your phone via text, voice call, or app), updating security software (do not decline recommended computer updates), and having an overall sense of wariness when using the Web will keep you and your patients protected from what is likely the biggest threat to American healthcare in 2017.
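To make the 2-step verification described above concrete, here is an added example (not part of Dr Levine's article) of how the “separate code” from an authenticator app is generated and checked on the server side. It follows the published time-based one-time password algorithm (RFC 6238 over RFC 4226) using only the Python standard library; the secret shown is the RFC 6238 test key, not a real credential, and the `SecondFactorVerifier` class, its `window` parameter and the replay bookkeeping are this example's own design choices.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
# A real deployment stores a random per-user secret, never a shared one.
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code, as in RFC 6238
DIGITS = 6       # length of the code the user types


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step)


class SecondFactorVerifier:
    """Server-side check of the code a user types after their password.

    Hypothetical helper for this example. It tolerates clock drift of
    +/- `window` time steps and refuses to accept any code whose time
    step has already been used, so an intercepted code cannot be replayed.
    """

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_counter_used = -1   # highest time step already consumed

    def verify(self, submitted: str, now: int) -> bool:
        current = now // TIME_STEP
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter_used:
                continue   # already used (or older than a used one): replay
            expected = hotp(self.secret, counter)
            # Constant-time comparison so response timing leaks nothing.
            if hmac.compare_digest(expected, submitted):
                self.last_counter_used = counter
                return True
        return False


if __name__ == "__main__":
    t = 1111111111  # one of the RFC 6238 reference times
    print("code now:", totp(RFC_TEST_SECRET, t))
    v = SecondFactorVerifier(RFC_TEST_SECRET)
    print("accepted:", v.verify(totp(RFC_TEST_SECRET, t), t))
    print("replayed:", v.verify(totp(RFC_TEST_SECRET, t), t))
```

Two points the article's advice rests on are visible here: the code changes every 30 seconds because the counter is derived from the clock, so a code a phisher captures today is worthless tomorrow; and the verifier remembers the last step it accepted, so even a code captured and resubmitted within the same minute is refused.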
1. Food and Drug Administration. Postmarket Management of Cybersecurity in Medical Devices. Guidance for Industry and Food and Drug Administration Staff. December 28, 2016.
2. Food and Drug Administration. Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System: FDA Safety Communication. July 31, 2015.
3. Balakrishnan A. The hospital held hostage by hackers. http://www.cnbc.com/2016/02/16/the-hospital-held-hostage-by-hackers.html. February 16, 2016.
4. Hollywood Presbyterian Medical Center pays hackers $17K ransom. http://www.nbcnews.com/tech/security/hollywood-presbyterian-medical-center-pays-hackers-17k-ransom-n520536. February 16, 2016.