As more medical devices incorporate wireless capabilities and complex software, they grow increasingly vulnerable to hackers, malware, and other forms of cyber attack.

In an episode of the popular television series “Homeland,” the vice president of the United States gets assassinated when a terrorist organization wirelessly hacks his pacemaker.¹ The scenario depicted in the show is not so far-fetched. Five years earlier, Dr. Jonathan Reiner, cardiologist to then U.S. Vice President Dick Cheney, had the wireless capability on Cheney’s pacemaker disabled for fear terrorists might send a signal to the device, telling it to shock his patient’s heart into cardiac arrest, according to “60 Minutes.”

While no deaths due to pacemaker hacks have been reported, the potential for an individual’s life to end that way exists. The late security researcher Barnaby Jack discovered a way to remotely disable pacemakers. And while studying implantable cardioverter defibrillators (ICDs), Jack found a way to remotely deliver an electrical shock strong enough to end a patient’s life. He never had the chance to demonstrate his ICD discovery because he passed away days before he was scheduled to show it at the 2013 Black Hat security conference.

Individuals with heart problems aren’t the only ones who need to worry about the security of medical devices. At the 2011 Black Hat conference, security researcher Jerome Radcliffe demonstrated how he could wirelessly hack into his insulin pump (he’s diabetic) and manipulate the amount of insulin it administered.

“Those and other recent demonstrations of medical device vulnerabilities have raised concerns among patients, health care providers, medical device manufacturers, regulators, and lawmakers about the security of networked medical device products,” says Russell Jones, a partner with Deloitte & Touche LLP’s Security & Privacy practice.

Currently, hundreds of thousands of devices including patient monitors, infusion pumps, ventilators, and imaging machines reside on hospital networks across the U.S., and even more are accessible via wireless technologies, Jones notes. Because these devices are networked and run complex software, they’re vulnerable to attack.

“Networked medical devices are transforming health care, but they also potentially expose patients, hospitals, and health systems to serious safety and security risks,” says Jones.

A range of scenarios have security leaders at health care provider organizations on alert. They’re obviously concerned about malicious individuals targeting specific patients and disrupting patient care. They’re also worried about hackers who may exploit software vulnerabilities in medical devices to gain access to provider networks, according to Mark Ford, a principal with Deloitte & Touche LLP’s Security & Privacy practice. Such intrusions could lead to exposure or theft of patient personal health information, financial fraud, identity theft, and Medicare or Medicaid fraud.

Intentional targeting of medical devices—whether for the purpose of hurting specific patients, gaining unauthorized network access, or gaining unauthorized access to personal health information—has yet to rise to the level of imminent threat among leaders at health care providers. But they increasingly have to address garden-variety security issues affecting medical devices that have interrupted patient care. “One hospital had to take its entire patient monitoring system offline for several hours after discovering it was infected with the Conficker virus,” says Ford. “Another hospital had to do the same thing when it discovered its automated medication management dispensing system had been hit with malware.”

Networked medical devices are vulnerable to malware and “cyber tampering” for a variety of reasons. Bruce Murphy, a principal with Deloitte & Touche LLP’s Security & Privacy practice, indicates that critics of medical device companies allege the manufacturers don’t pay sufficient attention to cyber security when designing and developing their products. When security issues are discovered, they often go unpatched—either because the device maker doesn’t release fixes or because health care providers don’t apply them. In other cases, devices may be vulnerable if the networks they’re on are misconfigured.

“Manufacturers and health care providers will need to share accountability for medical device cyber security and privacy,” says Jones. “Manufacturers can focus on integrating security into product development and support, while providers focus on network security, patch management, and day-to-day device operations.”