etworked “smart” devices are poised to revolutionize health care, from infusion pumps that provide essential safety checks for the medications they deliver to multimillion-dollar robots that allow for more precise surgery and Bluetooth-connected pacemakers. But with these new opportunities come new risks — especially in a vulnerable setting such as a hospital.
This was brought to the fore last spring when the WannaCry ransomware attack roiled the British National Health Service, going so far as to disable CT and MRI machines used for crucial diagnostic procedures. Another ransomware attack, called Bad Rabbit, recently started spreading around Eastern Europe with the potential for similar damage.
Physicians are often quick to embrace the latest high-tech tools, and it is no secret that technologically advanced hospitals can have a competitive advantage in attracting patients and recruiting talented staff. But even a superficial study of some of the risks of these connected devices reveals how poorly understood they really are and how easily they can be compromised.
Take robotic surgical systems. As a test, researchers at the University of Washington in 2015 hacked into and maliciously controlled the Raven II Surgical Robot, which can be operated from afar. While the possibility of an evil genius commandeering a robotic surgical system seems a bit far-fetched, malware reportedly slowed down fetal monitors used on women with high-risk pregnancies at one hospital.
There is no doubt that benefits of the “connected hospital” are substantial. Human error can be a major contributor to patient harms and could potentially be reduced by using smart devices, say to prevent the delivery of a harmful dose of medication. Faster information flow from these devices can provide vital information at a once-unimaginable rate. Smart devices can incorporate advanced monitoring and safety routines. And doctors can use networked technology to get real-time feedback on performance metrics: a surgeon, for example, could remotely observe and provide real-time guidance during an operation. What’s more, remotely operated robotic surgery systems could give patients lifesaving care in areas of the world where few surgeons are working. However, the fact remains that advanced devices come with advanced risks.
To date, malicious cyberattacks on medical devices have not caused serious harm to patients. The potential however, is real. In a move that recalled a major plot point in a 2012 episode of “Homeland,” the Food and Drug Administration recently approved the recall of nearly 500,000 Abbott pacemakers to address the risk of patient harm due to exploitation of cybersecurity vulnerabilities. While an attack scenario that targets these pacemakers is unlikely, sabotaged medical devices could easily throw the disjointed American health care system into disarray, potentially harming millions of men, women, and children who rely on these devices. And given the high stakes of many medical procedures, the consequences of such attacks on networked devices could literally be lethal.
The FDA has recently begun to address the issue of cybersecurity in medical devices, and over the summer Congress began considering legislation to ensure that manufacturers make embedded systems conform to information security standards. So far, though, security has not yet become part of the formal approval process for medical devices, and current hospital accreditation standards don’t require hospitals to secure embedded systems. A recent industry survey found that more than 90 percent of health care information technology networks employ networked devices. It also found that 70 percent of hospital information technology decision makers incorrectly believe that the same software security tools used to safeguard computers and servers work for these devices.
In other fields, it is relatively straightforward to follow the Cybersecurity Framework released by the National Institute of Standards and Technology. This consists of five functions: identification, protection, detection, response, and recovery. Traditional connected devices are easy to locate and identify because they remain in one place for the duration of their use. Likewise, protection can consist of preventing access to them from an external network, and if security tools detect a malware infection, they can be taken offline to prevent the infection spreading to other devices.
The challenges of securing devices in a health care setting are substantial. Unlike industrial systems and security cameras, many medical devices must be moved throughout the hospital and even, in the case of devices like pacemakers, taken home. This mobility makes it difficult to locate the device on the network, which makes monitoring for attacks more challenging. In addition, we rely on these devices to function safely and reliably in all situations. Since lifesaving devices must continue functioning despite a malware infection, responses to a detected infection must first focus on patient health, then on preventing an attack from spreading.
Another difficulty is that health care devices not currently in use may be needed at a moment’s notice, such as an emergency department’s CT machine. While patches provide important security updates, they require the device to be out of use for the duration of the installation process. This means that the timing of an upgrade must be chosen carefully. Software systems can automatically install security updates over a network connection, relieving hospital personnel of the task, but these must be implemented with safeguards in place so as not to risk downtime when devices may be required.
These challenges are large but not unsurmountable. Stakeholders are starting to support security improvements and regulators are increasingly acknowledging these issues. For example, in response to concerns that installing security updates to devices would require companies to repeat the labor-intensive process of getting them re-approved, for example, the FDA recently took steps to reduce regulatory barriers around installing security patches.
That advanced medical devices bring with them advanced risk does not mean that we take connected devices offline or halt technological advances. There is too much opportunity for connected devices to benefit patient care to wait for devices to be perfectly secure. But as we become ever more reliant on networked high-tech medical devices, we need to make sure that devices security is recognized as being on par with device reliability and safety.
Rather than waiting for adverse events and reacting reflexively, health care providers, hospitals, regulators, and even patients should understand that these risks exist, learn from other fields, and take steps to systematically and proactively improve the safety of this important class of medical devices.
Alexander P. Cole, M.D., is a physician in the Division of Urological Surgery at Brigham and Women’s Hospital and Harvard Medical School in Boston. M. Carlton is vice president of research at Senrio, Inc., an embedded systems security company based in Portland, Ore. Quoc-Dien Trinh, M.D., is a physician in the Division of Urological Surgery at Brigham and Women’s Hospital and Harvard Medical School in Boston.