Networked “smart” devices are poised to revolutionize health care, from infusion pumps that provide essential safety checks for the medications they deliver to multimillion-dollar robots that allow for more precise surgery and Bluetooth-connected pacemakers. But with these new opportunities come new risks — especially in a vulnerable setting such as a hospital.
This was brought to the fore last spring when the WannaCry ransomware attack roiled the British National Health Service, going so far as to disable CT and MRI machines used for crucial diagnostic procedures. Another ransomware attack, called Bad Rabbit, recently started spreading around Eastern Europe with the potential for similar damage.
Physicians are often quick to embrace the latest high-tech tools, and it is no secret that technologically advanced hospitals can have a competitive advantage in attracting patients and recruiting talented staff. But even a superficial study of some of the risks of these connected devices reveals how poorly understood they really are and how easily they can be compromised.
Take robotic surgical systems. As a test, researchers at the University of Washington in 2015 hacked into and maliciously controlled the Raven II Surgical Robot, which can be operated from afar. While the possibility of an evil genius commandeering a robotic surgical system seems a bit far-fetched, malware reportedly slowed down fetal monitors used on women with high-risk pregnancies at one hospital.
There is no doubt that benefits of the “connected hospital” are substantial. Human error can be a major contributor to patient harms and could potentially be reduced by using smart devices, say to prevent the delivery of a harmful dose of medication. Faster information flow from these devices can provide vital information at a once-unimaginable rate. Smart devices can incorporate advanced monitoring and safety routines. And doctors can use networked technology to get real-time feedback on performance metrics: a surgeon, for example, could remotely observe and provide real-time guidance during an operation. What’s more, remotely operated robotic surgery systems could give patients lifesaving care in areas of the world where few surgeons are working. However, the fact remains that advanced devices come with advanced risks.
To date, malicious cyberattacks on medical devices have not caused serious harm to patients. The potential however, is real. In a move that recalled a major plot point in a 2012 episode of “Homeland,” the Food and Drug Administration recently approved the recall of nearly 500,000 Abbott pacemakers to address the risk of patient harm due to exploitation of cybersecurity vulnerabilities. While an attack scenario that targets these pacemakers is unlikely, sabotaged medical devices could easily throw the disjointed American health care system into disarray, potentially harming millions of men, women, and children who rely on these devices. And given the high stakes of many medical procedures, the consequences of such attacks on networked devices could literally be lethal.
The FDA has recently begun to address the issue of cybersecurity in medical devices, and over the summer Congress began considering legislation to ensure that manufacturers make embedded systems conform to information security standards. So far, though, security has not yet become part of the formal approval process for medical devices, and current hospital accreditation standards don’t require hospitals to secure embedded systems. A recent industry survey found that more than 90 percent of health care information technology networks employ networked devices. It also found that 70 percent of hospital information technology decision makers incorrectly believe that the same software security tools used to safeguard computers and servers work for these devices.
In other fields, it is relatively straightforward to follow the Cybersecurity Framework released by the National Institute of Standards and Technology. This consists of five functions: identification, protection, detection, response, and recovery. Traditional connected devices are easy to locate and identify because they remain in one place for the duration of their use. Likewise, protection can consist of preventing access to them from an external network, and if security tools detect a malware infection, they can be taken offline to prevent the infection spreading to other devices.
The challenges of securing devices in a health care setting are substantial. Unlike industrial systems and security cameras, many medical devices must be moved throughout the hospital and even, in the case of devices like pacemakers, taken home. This mobility makes it difficult to locate the device on the network, which makes monitoring for attacks more challenging. In addition, we rely on these devices to function safely and reliably in all situations. Since lifesaving devices must continue functioning despite a malware infection, responses to a detected infection must first focus on patient health, then on preventing an attack from spreading.
Another difficulty is that health care devices not currently in use may be needed at a moment’s notice, such as an emergency department’s CT machine. While patches provide important security updates, they require the device to be out of use for the duration of the installation process. This means that the timing of an upgrade must be chosen carefully. Software systems can automatically install security updates over a network connection, relieving hospital personnel of the task, but these must be implemented with safeguards in place so as not to risk downtime when devices may be required.
These challenges are large but not unsurmountable. Stakeholders are starting to support security improvements and regulators are increasingly acknowledging these issues. For example, in response to concerns that installing security updates to devices would require companies to repeat the labor-intensive process of getting them re-approved, for example, the FDA recently took steps to reduce regulatory barriers around installing security patches.
That advanced medical devices bring with them advanced risk does not mean that we take connected devices offline or halt technological advances. There is too much opportunity for connected devices to benefit patient care to wait for devices to be perfectly secure. But as we become ever more reliant on networked high-tech medical devices, we need to make sure that devices security is recognized as being on par with device reliability and safety.
Rather than waiting for adverse events and reacting reflexively, health care providers, hospitals, regulators, and even patients should understand that these risks exist, learn from other fields, and take steps to systematically and proactively improve the safety of this important class of medical devices.
Alexander P. Cole, M.D., is a physician in the Division of Urological Surgery at Brigham and Women’s Hospital and Harvard Medical School in Boston. M. Carlton is vice president of research at Senrio, Inc., an embedded systems security company based in Portland, Ore. Quoc-Dien Trinh, M.D., is a physician in the Division of Urological Surgery at Brigham and Women’s Hospital and Harvard Medical School in Boston.
I agree security needs to be improved on Hospital Networks, and this is a problem especially in America, but can be anywhere really there are two common problems I see I will talk about openly here while Technology is a great thing it can be misused by bad people.
1.) Ransomware is just what the public hears about, this can make it into hospital security very easily, often you will see Nurses behind the counter, or in Rooms that leave the patients in the room with Open USB Ports on many computers, this means that anyone can plug in a USB device, and load a ransomware virus onto the computer, or worse of all a (RAT) which can be used to steal patients information, and possibly infect other computers on the network.
This information can be transmitted remotely possibly through the hospitals own netowrk outside, or wirelessly if they use a USB computer, although Hospital generally have two seperate networks a Intranet, and Internet for public use like free wi-fi, it doesn’t make anything secure really.
And looking at all the Encrypted systems like “Heart Monitors” “IV” devices imagine what could happen if others could remotely access these types of devices and harm the patients its something I fear of myself.
Also the Physical Security in many hospital facility is pretty dam* bad meaning anyone with any technical knowledge can clone RFID cards used to move around a facility, and do bad things (without going into details), and often visitors of hospital are not even screened that is the worst fear.
It’s not limited to hospitals though, but doctors offices, and other places often leave patient records up on the screen when the next person comes in someone can take a picture on their phone, edit the information while no one is looking, or of course stick in a USB stick into a free slot which is even worse because Millions OF Americans have their identity stolen by other people. (This could be true for outside America too) but as I have no experience with outside America I can’t comment on this although I would assume it could be the same.
I hope this will bring some light on the people who work these departments to increase security, and take cybersecurity more seriously.
“There is no doubt that benefits of the “connected hospital” are substantial.” This statement and the paragraph that follows represent enthusiasm for technology that seldom manifests in the real world. Since finishing training in the 80’s I have been eager to have IT assistance in providing patient care. Though far afield of the present topic, I’ll just leave it at the fact that overall benefit has been paltry compared to perceived potential.
There is an arms race going on in the digital and networking worlds, some fueled in part by our government. This race shows no sign of abating. It involves “smart” devices in the home to cell phones of government officials and virtually any computer. Even air gaps are not entirely foolproof.
So yes, technology and digital evolution has great potential for medicine. The current article merely suggests we enter the arms race. History indicates real world results will likely be considerably less than enthusiastic projections and new risks are certain to ensue. The margin of benefit afforded by such tech, especially networking, must be weighed with great caution.
As for the appeal of high tech to patients, it is capitalism and advertising at work; and further substantiates the idea that many entities providing healthcare will sell anything they will be paid for- be it ‘integrative medicine’ or nonsuperior high priced robotic surgery.