The scene from the Showtime series Homeland is tough to watch: The Vice President of the United States, dying slowly as his heart beats faster. His pacemaker – accessed and altered from some distant computer by a terrorist who'd learned its serial number – is going haywire.
It could happen, said Tim Zoph, CIO of Chicago's Northwestern Memorial Hospital, speaking at the Healthcare IT News/HIMSS Media Privacy & Security Forum this past December in Boston.
"Fact or fiction?" Zoph asked, clutching an innocuous-looking black box – a wireless transmitter used to give instructions to pacemakers – as he scanned the audience. "The fact is, they’re not secure."
As healthcare becomes more interconnected, as myriad wireless devices start linking up with complex and Web-enabled IT systems, these technologies are increasingly vulnerable – not just to hackers, but to more mundane (but no less dangerous) threats such as malware and the common computer virus.
"We’re starting to attach (medical devices) to electronic health records, and they’re not secure," said Zoph. "We’re not doing it with security in mind."
The vulnerabilities are glaring, even as the number and types of threats increase. So far neither device manufacturers nor federal regulators have been able to come up with fail-safe protections from an ever-mutating menace.
Meanwhile, patient safety for hundreds of thousands of people remains at risk.
Fixing a hole
There have been plenty of hair-raising headlines lately: "Insulin pump hack delivers fatal dosage over the air." "Pacemaker hack can deliver deadly 830-volt jolt." "Vulnerable medical devices: A clear and present danger."
"You're going to hear a lot about worse-case-scenarios, but I think patients, by and large, should be concerned about the more average things," said Kevin Fu, a professor of computer science and engineering at the University of Michigan who specializes in medical device security.
By "more average," Fu means things that could happen to a plain old PC any day of he week, thanks to something as mundane as an email that shouldn't have been opened or a link that shouldn't have been clicked.
Many medical devices run on Microsoft Windows or Windows variants, after all – an OS that's especially susceptible to security issues (so much so that Microsoft has a regularly scheduled day – "Patch Tuesday," the second Tuesday of every month – dedicated to releasing updates to plug vulnerabilities).
Infection via computer viruses is a common occurrence in households across the country. And in hospitals, too.
In a recent MIT Technology Review article, Fu said the problem is "mind-boggling." Malware, he said, is "rampant" in hospitals, thanks to devices using unpatched operating systems.
The story noted, for instance, that Boston's Beth Israel Deaconess Medical Center had nearly 700 pieces of equipment "running on older Windows operating systems that manufactures will not modify or allow the hospital to change – even to add antivirus software – because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews."
As these devices get corrupted with malware, one or two each week must be taken offline for fixing, Mark Olson, Beth Israel's chief information security officer, told MIT Technology Review.
"This would make a very boring television episode – computer down! – but it does cause problems with clinical workflow, and patients can't get the care they need," said Fu. "When a medical device gets infected by malware, let's say a patient monitor, it's not available to deliver care."
Another wild card is that malware "might make the device malfunction in mysterious ways, give the wrong readings." he said.
It's "likely the healthcare professional would notice this, that the vitals are wildly off from what the patient is presenting, and correct it," Fu said. But there's always the chance that he or she won't.
At the very least, "it just makes it that much harder for the clinicians to get their jobs done when they have to deal with malware," said Fu.
Force multipliers
Dealing with a malfunctioning monitor is easy enough. Take it offline. Correct the problem. Put it back into service.
The real dangers start to arise now that healthcare, increasingly, is an interconnected business. Now that devices are linked up with IT systems, which are often connected to the Internet, the opportunities for unwanted intrusion increase significantly.
"The security of medical devices is a complicated topic," said Fu. "It's not for the faint of heart."
Recent years have marked a turning point as devices have emerged, evolved, and opened themselves up to those who might meddle with them.
"A few things are happening," he said. "There's a convergence of these new devices" – implantable insulin pumps and defibrillators, smaller and more advanced than previously thought possible – "for treating diseases that previously we didn't know we could treat."
"At the same time, these devices are becoming highly connected to networks, and sometimes to the Internet," said Fu. "These changes together have really changed the landscape."
During his January confirmation hearings, Secretary of State John Kerry called cyberterrorism "the modern day, 21st Century nuclear weapons equivalent."
And they're only getting smarter. "Twenty years ago, when you got spam or computer viruses, it might be the proverbial kid in the basement just sending it out," said Fu. "Nowadays it comes from well-financed adversaries, taking over massive numbers of computer systems."
The good news, he said, is that cyber criminals have not target medical devices yet. "But it does show that very rarely does the adversary get dumber over time. They tend to get much smarter."
"Smart pumps run software," said Fu. "They are definitely a device that should be considering security. The only good news is I haven't heard of any security problems with smart pumps but that doesn't mean there aren't any."
One's own devices
Actually, in early 2012 a professional "white hat" hacker named Barnaby Jack, then working as a security professional at McAfee, did indeed discover that certain insulin pumps made by Medtronic are susceptible to hacking.
Someone with the motive and the means, he found, could access the devices from many yards way, shut off their security protections, and flood diabetics with insulin.
“These are computers that are just as exploitable as your PC or Mac, but they’re not looked at as often,” Jack told Bloomberg News. “When you actually look at these devices, the security vulnerabilities are quite shocking.”
Jack now works for Seattle-based security firm IOActive as director of embedded device security, researching protections for this new security front. His colleague, Gunter Ollmann, IOActive's chief technology officer, puts the threat in perspective.
"How real is that threat from malicious actors actually intentionally carrying these things out? I think it's very low today," said Ollmann. "I don't foresee that becoming a common occurrence."
That said, there is plenty of room for risk. Ollmann said he's more worried about accidental corruption – about the "tinkering and (potential for) misadventure" that are part and parcel of even the most well-meaning Web-based spelunking.
"When you look at these implantable medical devices, if someone wanted to attack them, there are enough proof cases on how to launch the attacks," he said. It's "the unintentional part" that keeps him up at night.
"These devices all have wireless communications, but there are controlling tools – PC-based or otherwise – that doctors or others use for updates, or sending new commands or new profiles to the devices. Those are much more vulnerable, because of their linkages to the Internet."
Fu agrees that a piece of malware or other computer bug, introduced into the hospital setting by some thoughtless employee's laptop, is the bigger risk factor.
"Certainly, the more connected the device is, the more security concerns would pop up," he said.
Ollmann wonders if it's all too much too fast, whether "the push to make these devices interconnected, with wireless communications, integrated into existing computer networks," is happening before device manufacturers – to say nothing of care providers – have a proper handle on "what the security threats are, and what the consequences of them are."
The technology, he said, "is outpacing their ability to understand what the threats are to the platforms their integrating with."
Speaking at the Clinical Engineering and IT Leadership Symposium at the 2013 HIMSS Annual Conference & Exhibition on March 3 in New Orleans, David Classen, MD, chief medical informatics officer at Pascal Metrics and an associate professor of medicine at University of Utah, made a sobering case that safety disasters involving poor device integration are "far more common than we realize."
And a technology failure, "when you have a highly IT-rich environment, changes the safety net," he said.
Even without viruses and malware in the equation, device integration, especially in areas such as ICU, is "really complicated," he added. "We were naive to think it could be solved so quickly."
Order of business
Everyone is grappling with these complex safety issues, whether they pertain to hospital integrations or outpatient implantables. Device manufacturers, especially, are trying to feel their way around this new threat landscape.
"If I had to give a school report card, I'd probably use more of a kindergarten report card: Everybody's above average," said Fu, underscoring the manufacturers' newness to these issues. "An 'A' for effort, at least."
Most manufacturers "genuinely want to improve the security of their medical devices," he said. "But they don't necessarily know how."
Ollmann echoes that verdict. "So far, we have not seen the medical device manufactures, particularly the implantable devices, have a strategy for securing these technologies."
It's not the technical hurdles, necessarily. "There are some brilliant technical people at many of these companies," said Fu. "What they have trouble doing is translating it into return on investment."
He explains that, presented with a new and different type of malfunction, "one that doesn't subscribe to a notion of probability of error, probability of occurrence, a manufacturer does not know how to interpret that. So it's a notion that's really causing a rethinking in the manufacturing community: How do you quantify this?"
When Medtronic was contacted for a comment about the insulin pump vulnerabilities discovered by Barnaby Jack, company officials directed questions to AdvaMed, the medical device trade organization of which it is a member.
"The highest priority is it's got to be safe," said Bernie Liebler, AdvaMed's director of technology and regulatory affairs, offering some insight into device manufacturers' challenges gauging probability.
"The FDA expects you to have a risk management system," he said. "The point of a risk management system is to look at all the possible things that could go wrong: the reasonable thing, the unreasonable things, the far-fetched things. You place a probability about them, and then put in place mitigations to prevent them, or at least minimize the possibility of them happening."
For a long time, said Liebler, manufacturers "have recognized that hacking is a possibility, and companies have been dealing with it."
But how intense an effort is made depends on the device, and the possible consequences, he said. "Headlines don't necessarily make things more likely to happen."
Sure, "you try to safeguard against everything. On the other hand, you have to safeguard most intensely against things that are most likely to go wrong. If you try to eliminate every single infinitesimal risk, you wind up with an unusable device, and an extraordinarily expensive device."
For his part, as a consultant, Ollmann said many manufacturers "were very reluctant to hear what we had to say from the security front."
That's something that's not uncommon when new threats emerge. Often, when companies are confronted with security vulnerabilities they hadn't considered, "their first reactions are often quite hostile," he said. "And by hostile, I mean suppression of information, bringing in the lawyers first, before the engineers."
Then, after several months of "fearful conversation and negotiation," said, "then the engineering team starts to be engaged and a more productive relationship starts to appear, and there are efforts to fix and remediate some of these technologies."
Speaking for AdvaMed, Liebler said device manufacturers have a handle on the threat. "Do I think the companies are addressing it adequately? Probably," he said. "Bubble gum and duct tape is not something that the industry believes in."
Rules and regulations
In the past few years, politicians in Washington have started paying more attention to medical device security, and pushing for more robust security measures to be encouraged and enforced.
In August 2011, for instance, Democratic Reps. Edward Markey and Anna Eshoo, of Massachusetts and California, respectively, wrote to the Government Accountability Office, requesting that it take a closer look at devices such as insulin pumps, implantable defibrillators and remote monitoring systems.
"It’s critical that these devices are able to operate together and with other hospital equipment, and not interfere with each other’s activities and data transmissions," they wrote. "It’s also important that such devices operate in a safe, reliable, and secure manner."
