Medical devices could be lethal in hands of hackers

It is embarrassingly easy to hack medical devices, experts warn, creating a new security threat that could have life-or-death consequences. 

Among the many devices vulnerable to hackers are drug infusion pumps, which could be jimmied to deliver a lethal dose, anesthesia machines and Pacemakers.

{mosads}Many medical devices are produced by legacy companies that are new to designing software. Others are made by startups that have to bootstrap costs. The end result is that most medical devices are designed with open-source code that is easily hacked with malware.

The good news, researchers say, is that most hackers aren’t looking to disable a pacemaker or zap a CT patient with a huge dose of radiation. Typically, they just want an entry point into a hospital’s system to steal valuable healthcare records to sell on the dark Web.

Still, it’s entirely without the power of hackers to “brick” a needed medical device or shut down a hospital network, preventing doctors and nurses from providing care.

The risk is serious enough that former vice president Dick Cheney had his Pacemaker disabled in 2013.

The danger of medical device hacks has caught the attention of Capitol Hill. Earlier this month, Sen. Barbara Boxer (D-Calif.) sent a letter to the country’s five largest medical device makers expressing “serious concerns that the cybersecurity vulnerabilities in medical devices are putting the health and safety of patients at risk.”

Boxer cited one of the best-known vulnerabilities in the device world: A drug infusion pump made by Hospira that doesn’t adequately protect the product’s internal drug library.

Drug libraries act as a safeguard for human error by setting an upper and lower boundary for dosages. Since the device’s drug library is unguarded, a hacker could theoretically upload a new one into a Hospira device’s system. That would allow a care provider to accidentally set the pump to give a patient too low or high of a dose.

Although there was no evidence of hackers exploiting the flaw, the Department of Homeland Security and the Food and Drug Administration (FDA) advised hospitals to discontinue using the device. The manufacturer discontinued the system for what it said were unrelated reasons.

The security researcher who discovered the flaw early last year — a so-called “white hat hacker” named Billy Rios — has been outspoken about just how behind the curve the medical device industry is in guarding against hackers.

He is regularly invited by hospitals to dig through a suite of devices used in the facility and identify security vulnerabilities — and the results are invariably bad, he says.

“When people ask me to do something like this, they already know what the result is going to be. They’re just looking for someone to prove it,” he told The Hill.

One of the biggest problems in ensuring medical devices are secure is the lengthy development time they are put through. 

It can take anywhere from 18 months to 10 years to make a medical device, according to Stephanie Domas, the lead medical security engineer at the nonprofit R&D organization Battelle. But the speed with which cyber threats are discovered and patched moves much faster, creating an almost-insurmountable lag time.

Domas described how that lag time puts vulnerable products on the market.

“In the first year, your goal is to have your hardware board designed,” she said. “So you’re going to use your best security practices at the time when you pick that hardware, then you move on to software. But five years later, after you’ve picked those chips, they’re essentially obsolete. But you can’t redesign your board. You’ll run out of money.”

Another challenge is the long life cycle of the devices once they are in a hospital. It’s not at all uncommon for hospitals to use the same equipment for 10 to 15 years after its original release — the cybersecurity equivalent of a lifetime.

The FDA is starting to mobilize to combat the threat, although some say the agency is not moving quickly enough.

The agency published industry guidance in 2014 recommending that manufacturers incorporate cybersecurity into their design processes, and earlier this year released draft guidance for managing the post-market discovery of vulnerabilities.

Up until then, HackerOne chief policy officer Katie Moussouris told The Hill, many manufacturers didn’t realize they wouldn’t have to go through the entire FDA approval process again if they issued a security patch — so even known bugs were going unfixed. 

Complicating the problem is that hospital data is a magnet for hackers seeking to make money off their skills. Health records can sell for up to five times the cost of credit card information on the dark Web, making them a valuable commodity.

“Most people immediately jump to the patient harm, but that is not usually [hackers’] goal. Their goal is how can they get something that monetizes, or how can they can pivot into the greater hospital network,” Domas said.

But Rios is mystified that so many in the security community believe that stealing records is as far as hackers would ever go. 

“Attackers do want money, but they use leverage,” he said, citing the recent example of a California hospital whose data systems were held ransom to the tune of $17,000.

Hackers used a kind of virus called “ransomware” that encrypts data on an internal computer system and allows hackers to demand payment in exchange for a decryption key. The hospital, desperate to regain access to its patient records, paid the ransom.

Rios said hackers could exploit medical devices in the same way. Hackers could disable a certain commonly used piece of equipment, like an MRI machine, effectively withholding needed care.

“Threatening harm to somebody is a pretty huge ransom,” he notes.

“We would be naive to think that people won’t take advantage of the unique things in healthcare,” Rios said. “The game is going to be escalated.”