Homeland Security Warns of Medical Device Hacking

Shortly after the May 2012 CardioSource WorldNews featured a report on the potential hacking of medical devices such as pacemakers and ICDs, the federal government issued a security bulletin warning of “new vulnerabilities to patients and medical facilities.” The report cited sources for the story who had previously demonstrated in public how an individual can shut off medical devices remotely without the user’s knowledge.

At risk are medical devices that collect, store, analyze, and then act on information, usually remotely and often wirelessly. Most are in use within medical centers, but others are being deployed in patients for distance monitoring and interrogation. Since wireless medical devices are now connected to medical information technology (IT) networks, these IT networks are remotely accessible through these medical devices.

The great majority of these devices were designed when security was not yet a priority. While some consist of proprietary operating systems that are not vulnerable to common malware, many are vulnerable during routine software updates when an individual with malicious intent can take advantage of these updates to gain access and thus manipulate these devices.

Of Pads and Phones

The bulletin, from the National Cybersecurity and Communications Integration Center, a part of the US Department of Homeland Security, also expanded what the report referred to as the “attack surface,” by noting the widespread use of digital devices that often are less secure than the networked systems with which they interact. This includes the growing use of portable devices such as iPads, smart phones, and laptops with wireless capability. The widely popular products are being used with increasing frequency by healthcare professionals and in direct patient care settings, including in hospitals, where physicians use them to discuss health care information such as clinical tests, x-rays, and lab results with their patients in real time.

The report also cited “poor smartphone configuration” that increases malware-related risks during the syncing and transferring of data with a personal computer or during unscanned downloads. The bulletin states: “Smart phones with poorly designed security protections are frequently connected to medical IT networks and provide a new vector for malware transmission.”

Other areas where vulnerability is a concern:

  • Home health care, where patients may have minimal or outdated home network security
  • Physician group practices, which, the report stated, “may be the least able to properly configure and regularly maintain their networks”
  • Health insurance companies, which often handle the most sensitive patient care and financial data
  • Electronic patient records

    The document suggests that health care IT administrators can reduce risk to the patient who relies on a medical device and ensure that patient information is secure through established policies and procedures. “An overall strategy will be the foundation for securing MDs (medical devices) used by medical professionals and the patients that require them.”

More Than Theoretical

Kevin Fu, PhD, an assistant professor in computer science at the University of Massachusetts Amherst, demonstrated a proof-of-concept attack at an Emory Tech Conference on how to illicitly access an implanted medical device. He pointed to the growing number of pacemakers and defibrillators that communicate via the Internet using a short range wireless link.

Dr. Fu showed that a device could be built with off-the-shelf components allowing illicit communication with a device. The exploit was possible due to a communications feature left active in the device intended to be used during quality control at the manufacturing stage but which had not been turned off. The only additional information needed to gain access to the device was the patient’s name. This access could allow a malicious actor to reprogram the defibrillator, deliver a shock to the patient’s heart, and/or disable the power-saving mode causing the battery to run down in hours rather than years.

In the original CSWN report, Stuart McClure, McAfee’s global chief technology officer, noted that one public hacking target might be a large crowd, such as at a sporting event stadium, where antennas could send information packets to invade and co-opt devices. Imagine a bevy of chaotic heart rates or ICD shocks in a large crowd.

However, the Homeland Security warning noted that the problem is more than hypothetical, citing more than 181 cyber-attacks against medical devices used by the Veterans Administration alone. The solution, in part, included placing in excess of 50,000 devices on separate VA networks, isolating them from the main network in order to protect both clinical information and devices.

What can be done? Among the report’s recommendations:

  • Purchasing medical devices with well-documented security features
  • Operating well-maintained firewalls and intrusion-detection techniques
  • Establishing strict policies for the connection of any networked devices, particularly wireless devices (such as laptops, tablets, USB devices, PDAs, and smartphones), such that no access to networked resources is provided to unsecured and/or unrecognized devices
  • Implementing safe and effective patch and software upgrade policies

Editor’s Note: The National Cybersecurity and Communications Integration Center bulletin included 20 references, nearly all of which include a URL link. To access a complete copy of the report and references, visit here.

Keywords: Patient Care, Defibrillators, Quality Control, X-Rays, Software, Heart Rate, United States Department of Veterans Affairs, Electronic Health Records, Microcomputers, Information Services, Delivery of Health Care, Insurance, Health, Tablets, Group Practice

< Back to Listings