AAMI: Hospital networks not immune to cybercrime

Twitter icon
Facebook icon
LinkedIn icon
e-mail icon
Google icon
SAN ANTONIO—Virus experts have yet to document a deliberate electronic attack on medical devices. However, the “collateral damage” of viruses has infected the medical community, according to Axel Wirth, healthcare solutions architect at Symantec, during his presentation at the Association for the Advancement of Medical Instrumentation (AAMI) conference & expo June 25.

Wirth detailed the alarming trends of cybercrime and their potential impacts on medical networks and networked medical devices.

While there haven’t been deliberate attacks on hospital networks as of yet, the medical community should take the proper precautions to make sure their networks are as secure as possible, he said, because attacks on the healthcare industry are not unrealistic.

The Epilepsy Foundation was the recent victim of a cyber attack, when its website was vandalized with flashing images that showed up on the homepage. The intent of the perpetrator, Wirth noted, was clearly malicious.

“Going from there to a medical device is a small step,” Wirth said.

With both highly sophisticated viruses capable of entering medical device systems—or even entire hospital departments—and an “exponentially increasing” number of viruses entering the internet annually, the risk, when applied to medical equipment is substantial.

“For example, defibrillators or implantable pacemakers, their code can be broken. They can be reprogrammed and made to respond improperly,” he said. “There are certainly some possible scary scenarios.”

The number of internet-connected devices increases in everyday products, and the number of networked medical devices is growing alongside those advances. Wirth said that anywhere from five to 10 times the number of medical devices include intelligent networking capabilities, compared to traditional IT systems in the past, and currently anywhere from 20 to 40 percent of medical devices are already networked.

The HITECH Act is a driving force behind networked medical devices, Wirth noted, but while there are substantial benefits to the technologies, there are also inherent risks. As more devices become connected, our dependence on them increases as well.

Notably, the motivations behind cybercrime have changed. Early viruses were often perpetrated by college students aiming to achieve notoriety for their attacks, but later perpetrators were aiming for profits by attempting to steal personal information, Wirth said. Recently, cyber criminals have been wreaking havoc for political motivations.

“This is a new ballgame, these are not college kids anymore. There is money and political motivation behind it. With every new year, we see more viruses than the total number in the previous year,” Wirth said.

He stressed the potential dangers with regard to healthcare.

“The most recent statistic I’ve seen is that healthcare is now the leading industry in terms of data breaches,” he said. “Granted, that figure is enhanced by the fact that healthcare is one of a few industries that has mandatory breach reporting.”

Wirth recommended that healthcare professionals be aware of the risks, as well as appropriate methods to manage security. Antivirus software now employs multiple strategies to amplify protection, and Wirth advocated a security approach called “white-listing” for single purpose devices. White-listing involves locking down a device strictly for its intended purpose.