Hackers, Implantable Devices & Threats to Health Systems

Terrorists get their hands on the serial number of the vice president’s pacemaker. Then, from a remote location, they hack into the device, delivering a series of shocks to bring on the heart attack that kills him. The storyline from the political drama Homeland—with shades of the 2013 news that former Vice President Dick Cheney’s cardiologist disabled the wireless capabilities on his pacemaker to prevent hacking—made for great television. But experts on implantable cardiac devices say it wasn’t exactly an accurate portrayal of their concerns about cybersecurity.

“There’s perhaps a lot of concern, but maybe we need to be more realistic of the likelihood of an actual attack,” says anesthesiologist Julian M. Goldman, MD, director of the Medical Device Interoperability Program at Massachusetts General Hospital and medical director of Biomedical Engineering for the Partners HealthCare System in Boston. “One has to look at the whole system and not just look at the implantable component.”

Television plotlines and prominent world leaders notwithstanding, the cybersecurity risks for implantable cardiac devices seem to be generally the same as those for other types of medical devices. A greater risk than hacking individual devices, experts say, is using the devices to connect to a larger network of health data. By breaking into these networks, hackers have held health systems hostage until ransoms—reportedly as high as $18,500—have been paid.

There’s concern that a hacker could break into a pacemaker and shock the patient because, even though it hasn’t been done, it could be—with a lot of effort, says Rob Maliff, director of the applied solutions group at ECRI Institute, which placed medical device cybersecurity on its 2016 hospital watch list. “But what we’re all realizing is that gaining access to other systems is really the more frequent attack.”


Cardiac devices & cybersecurity

In the 2008 paper, Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses, researchers found that implantable cardiac devices were potentially susceptible to attacks that could violate patient information or even alter the devices (Proceedings of the 2008 Institute of Electrical & Electronics Engineers Symposium on Security and Privacy 2008;129-142). “We were working on an assumption at the time that these devices ought to have at least better security than a credit card,” says one of the authors, Kevin Fu, PhD, who is now director of Archimedes Center for Medical Device Security at the University of Michigan. At the time, he says, they didn’t.

It wasn’t that cardiac devices were particularly susceptible to attacks compared with other medical devices, Fu says. It’s just that at the time they had been relatively unexplored from a computer security standpoint. Cardiac devices are one subset of thousands of medical devices, Fu says, and there’s no one-size-fits-all approach to device security. “They all have very specific risks and consequences,” he says. “There are bedside devices that are relatively innocuous that have greater consequences because of their sheer number.”

Among cardiologists, there’s a wish list of tools that could aid in their practice—a universal programmer for pacemakers, for instance—but appear impossible due to their potential cybersecurity risk, says Bradley Knight, MD, a cardiologist and medical director for the Center for Heart Rhythm Disorders at Northwestern Medicine in Chicago. “It would be great if you could remotely reprogram devices, but that’s where I think the safety risk comes up,” he says. “There’s an agreement that it would be too risky to remotely reprogram rather than just interrogate.”

Medical devices on the whole haven’t been subjected to the same risk mitigation scrutiny as information technology (IT) networks and electronic health record (EHR) systems, ECRI’s Maliff says. “The solutions or monitoring hasn’t been up to date,” he explains.

A cardiac monitoring system, such as an electrocardiograph, could serve as a vector for attacking the EHR system it’s connected to, Maliff says, though we don’t know if that has actually happened. But health systems have been victimized by ransomware attacks, in which hackers take control of EHR systems until they’re paid ransom in Bitcoin.

The bottom line: when individual medical devices—cardiac devices or others—are connected to a larger network, Maliff says, “any one of them could be a threat.”

FDA guidance & what it means

Due to the security vulnerabilities made evident over the last decade, Fu says, it’s become clear that there is no quick fix. “I view this as a long-term problem,” he says. Regulations and standards bodies are putting significant effort into improving security and privacy. “It’s no longer just lip service,” he adds.

The FDA already requires device manufacturers to perform risk assessments and hazard analyses of their devices and correct or remove products that could cause serious adverse events, says Suzanne Schwartz, MD, MBA, acting director of medical countermeasures for the FDA’s Center for Devices and Radiological Health. “The FDA’s regulatory authority includes premarket review and postmarket surveillance of medical devices,” she says. “If medical device cybersecurity controls are found to be inadequate, the agency can and has requested design changes from manufacturers and has delayed the clearance or approval of devices.”

In January, the FDA issued a draft guidance on postmarket management of medical device cybersecurity. “Manufacturers should remain vigilant and continuously monitor and manage cybersecurity risk to protect patients from potential harm,” Schwartz added. “Manufacturers should implement a structured and systematic comprehensive cybersecurity risk management program.” This would include monitoring for and assessing cybersecurity vulnerabilities, developing protections against risks and adopting disclosure policies.

The FDA’s guidance should prove helpful for manufacturers and hospitals, Goldman says, but it’s too early to estimate its impact. “We’ll have to see how the market will respond,” he says.

Risks & responsibilities for manufacturers & health systems

Most of the onus for protecting devices against cybersecurity risks falls on the manufacturers. From the FDA’s perspective, Schwartz says, manufacturers need to address cybersecurity vulnerabilities throughout the total product lifecycle. “This means building security early on in the design phase, addressing security in the premarket submission for new products, and ongoing postmarket surveillance with proactive vulnerability management,” she explains.

Medical devices should have their own vulnerability announcements, Maliff says, just as there are food recalls by the U.S. Department of Agriculture and product recalls by the Consumer Product Safety Commission. “If we learn how we can improve our device safety, that’s something that everyone needs to know,” he says. “This whole idea of the culture of safety, it needs to be expanded to the device supply world.”

Health systems should have proactive relationships with their device manufacturers to understand device security risks and develop strategies to address them, Schwartz says. “Healthcare facilities are encouraged to consider including device security in the procurement contracts and servicing agreements of their medical devices,” she says.

Hospitals need to ensure their devices are updated with the latest software and patches, Maliff says. Traditionally, medical devices have been under the purview of clinical engineering departments while IT is overseen by the hospital’s chief information officer. The two have different approaches to risk management, so they need to work together.


Cybersecurity vs. interoperability

As cybersecurity threats to medical devices are coming into sharper focus, there’s a parallel movement to make those same devices more interoperable. “There is an apparent tension between increasing interoperability and cybersecurity,” Goldman says, “because naturally one would think that the more connected things are, the easier it might be for cybersecurity issues to come up.”

Yet the bigger picture shows interoperability and cybersecurity to be complementary, in Goldman's view. “The zero sum gain of interoperability and cybersecurity is misleading,” he says. In fact, he adds, the absence of interoperability in medical systems “is clearly affecting our ability to improve the quality and safety of healthcare delivery.”

Most medical devices are connected to a computer for intermittent updates, if not a network, Goldman says. “Cybersecurity risk exists whether or not devices are networked,” he says. So effective, well-developed interoperability would support enhanced cybersecurity because baselining and monitoring are important parts of a risk mitigation strategy.

How do federal officials intend to balance the goals of more interoperability with cybersecurity threats? “Manufacturers of networked medical devices, including interoperable devices, are expected to address cybersecurity risks throughout the total lifecycle of the product,” Schwartz says. “The FDA has been working to provide clarity on interoperable device design and medical device cybersecurity management through guidances, workshops and direct engagement with manufacturers and other stakeholders.”

For cardiologist Knight, one big concern is that he needs to manage dozens of passwords and security codes—for EHRs, remote monitoring systems and other devices—just to do his job. “It’s led to a lot of complexity,” he says, “but we all understand that the reasons behind this are to protect patients.”

But, Knight adds, allowing EHR systems to interface with remote monitoring systems would negate the time-consuming process of logging into each system, flagging any issues, creating a document and uploading it to the health record. “It could be more streamlined to make the workflow much more efficient than it is,” he says, “I think with very little security risk.”