Advice from a hacker: How to safeguard medical devices from cyberattacks

The nation’s hospitals and health systems face a real threat today to the integrity of internet-connected medical devices that could result in patient harm or even death.

A coordinated cyberattack on the nation’s medical device infrastructure producing massive casualties is no longer something that exists only in the imagination of a techno-thriller storyteller. It’s now a real possibility the nation’s hospitals and health systems must take seriously and pursue proactive steps to prevent, according to Joshua Corman, cofounder of I Am The Cavalry, a cybersecurity volunteer association dedicated to public safety concerns.

In a recent conversation with hfm, Corman pointed to a 2016 ransomware attack on Hollywood Presbyterian Medical Center that effectively shut down the hospital’s computer systems, leaving the organization with no other option but to pay a ransom of $17,000 in bitcoin to regain computer access. The hospital’s CEO at the time, Allen Stefanek, offered assurances that neither patient care nor hospital records were compromised.

“But it has not taken long for many to realize the danger to hospitals, and to their patients, extend far beyond what Hollywood Presbyterian experienced,” Corman said. “A cyberattack that compromises the integrity of an internet-connected bedside fusion pump, for example, could result in a patient receiving a lethal dose of a prescribed medication. Or blocked access to results of a CT scan could impede critical life-saving care to a stroke patient, where the patient’s survival depends on the physician’s ability to quickly view the results to determine the appropriate intervention.”

Healthcare’s rising vulnerability

Prior to the Hollywood Presbyterian cyberattack, hospitals had not been among the primary targets for such attacks. But Hollywood Presbyterian “rang the dinner bell and chummed the water for the sharks,” Corman said. “What you saw was medical hospital environments go from relative obscurity to the No. 1 target of ransomware worldwide.”

Corman and his partner Beau Woods, I Am The Cavalry’s cybersafety advocate, have worked with federal stakeholders, including U.S. Department of Health & Human Services and FEMA, on crisis management scenarios involving possible ransomware attacks in hospitals and the potential for casualties. One scenario involves stroke victims, for whom physicians might have only three to four hours to save or recover brain function before either death or permanent damage.

“There’s generally two kinds of strokes,” Corman said. “There’s a rupture and there’s a clot, and imaging can be used to tell which one it is, which is critical because the treatment for the clot can save 100% of your brain function if administered in time.^[a] But if it’s a rupture, that same treatment will kill you pretty quickly. So in one of our clinical hacking simulations, we locked up access to the imaging equipment, which prevented someone who had a stroke from having time to get the proper diagnosis and treatment and be moved to a more appropriate facility.”

The results sent a clear message that the threat was real.

How we got here

Hospitals have long been vulnerable to cyber-attacks, and that vulnerability is exacerbated by the time factor, Corman said. “The challenge is it takes somewhere between six to eight years to decide to make a device, design it, make it through clinical trials, bring it through approval process and get it sold into the marketplace,” he said. “And then after that, a typical clinical deployment is 15 years depending on the device. So you have this very protracted 20-plus year window from conception through retirement, not even counting those devices that go overseas and have a secondary life.

Compare that with the time frame of a cell phone, which is meant to live for two years before it’s time to refresh and recycle it.

Another factor that increased hospitals’ vulnerability to cyberattacks on medical devices was the rush to move to digital records and meaningful use, Corman said. “Connectivity requirements were prematurely added to medical devices that were never designed to be safely connected, and it was done in a hurry to qualify for reimbursement, making the devices highly vulnerable to accidents and adversaries.”

“It was just easy pickings — like shooting fish in a barrel,” Corman said. “Because now all these older sins have come to the surface.”

Where we still need to go

Corman suggested the industry is moving toward regulatory solutions, but it’s not there yet. He characterized the current approach as “safety by luck” whereas what’s needed is “safety by design.” He noted that his organization’s efforts to effect premarket guidance began in 2013, and efforts to effect post-market guidance started a couple of years later. “But we haven’t actually seen the first devices come to market yet in this new era of increased enlightenment,” he said.

Corman pointed to what he calls the “last- mile” problem. “We affected a few medical device recalls through FDA safety communications with vendors,” he said. “And we’ve been stunned to see over the past two years that those very devices that we were proud to have identified as dangerous are still being used. Very few hospitals are heeding those safety communications and recalls. In the case of the flaws found in pacemakers manufactured by St. Jude Medical, for example, very few of the doctors are patching those flawed medical devices out of fear that the patches are riskier than the attack surface.”^[b]

Corman believes most healthcare CFOs are aware that ransomware attacks are on the rise. But he cautions finance leaders to avoid too much reliance on insurance coverage to protect their organizations from cyberattacks.

“Underwriters will be starting to ask questions about how to assess the relative risk of hospital A versus B versus C for their policy,” he said. “The insurance companies are scrutinizing what constitutes an insurable entity. If, for example, you were compromised with something that the FDA had issued a safety communication on three years prior, it’s likely you won’t be covered. And that’s because you didn’t act on that within a reasonable time frame,” he said.

“In fact, the FDA is working with us and their coordinating councils and others to finally get a technical definition of legacy and to be able to quantify percentage of legacy that could be meaningful for the CFOs,” Corman said.

He also suggested the process might be gradual, but it will lead to liabilities for continuing to use recalled devices that are known to be vulnerable.

The issue also is on the radar of the credit rating agencies. “Moody’s is looking at frameworks for assessing relative risk of hospitals,” Corman said.

Forging ahead to a safer future

Asking medical device manufacturers to supply lists of software (i.e., Software Bill of Materials, or SBOMs) to support hospitals’ efforts around procurement and active operational risk management is an important first step in addressing this cybersecurity threat, Corman said. “As the saying goes, ‘Sunlight is the best disinfectant,’” he said. 

“But that doesn’t mean these organizations will be able to automatically change things. What  we will see, at first, is a lot of really old and really vulnerable software coming to light. And that will trigger a huge response as we adapt to it.”

Corman acknowledges most device makers are trying to address the issue, but they soon will have a slightly higher bar to clear, so it will take a little while.

“I think you really won’t see the modern era of medical devices for another seven years or so,” he said. “There are some manufacturers that have a head start because they were doing these things before the FDA required it.”

Corman also expresses pride in the contributions of technical experts: “Helpful hackers, acting within the law, can make a huge difference in making devices safer.” 

3 steps for CFOs to consider

Corman recommended that senior finance leaders take three steps to begin to address their organizations’ vulnerability to these types of cyberattacks:

1. Be aware of safety communications from the FDA regarding any of their organization’s medical devices and dig in and understand their organization’s exposure from such medical devices.
2. Update and refresh any devices in their own organizations that have been the subject of such safety communications.
3. Engage the organization’s insurers and underwriters on the direction they are taking with cyber insurance regarding medical devices and ransomware.

Not taking these steps leaves an organization vulnerable not only to insurance risk but also risk to their reputations, Corman said.

Footnotes

[a] For a more detailed discussion of the different types of strokes, see “Types of Stroke,” American Stroke Association.

[b] Osborne, C., “FDA issues recall of 465,000 St. Jude pacemakers to patch security holes,” ZDNet, Aug. 30, 2017.