The Inherent Risks, Impacts of Security Decisions, and Practical Approaches – Cybersecurity and Attacks on Medical Devices
Continuing from our prior post in this three-part series on effectively addressing cybersecurity breaches in medical devices, this second post will focus on specific examples of cybersecurity attacks on medical devices.
Cybersecurity and attacks on medical devices
If you have turned on the television, read the news, or listened to the radio recently, you have heard that cybersecurity threats are something we all have to be concerned about. We hear about data breaches affecting the disclosure of personal financial information or breaches into the nation’s military weapons system. But in the context of medical devices, cybersecurity is the process of preventing a breach or unauthorized user from gaining access, modifying, misusing, or denying use to information that is stored, accessed, or transferred from a medical device to an external recipient.[i]
Unlike breaches into military systems, where we trust the government is initiating measures to safeguard the general public from threats and direct attacks, the threat to cybersecurity attacks in healthcare is very real, wide-spread, and right in our backyards. There have been numerous real and fictional examples of medical devices falling victim to a cybersecurity attack. A recent study revealed that ninety-four (94) percent of healthcare institutions reported being victims of cyber-attacks.[ii]
Below are some real-life examples of actual medical devices falling victim to a cybersecurity attack:
- August 12, 2011: Hacking into an insulin pump. While the hacking was done as a presentation at a security conference, the presenter showed how to hack into his own insulin pump, albeit it required security expert knowledge and fairly close proximity to the pump. However, the presentation, even back in 2011, brought back to the limelight whether manufacturers of medical devices were taking the necessary security measures to protect its consumers/patients and the devices from an attack.[iii]
- April 25, 2014: Article explores and/or exposes the vulnerabilities of hospital equipment and their high susceptibility to being hacked, including, but not limited to insulin pumps, defibrillators, and hardcoded passwords in medical devices, used at a large chain of Midwest health care facilities.[iv]
- February 2015: Anthem, Inc. attacked by hackers who obtained data that may have exposed 80 million customers’ personal information. A lawsuit is pending in the Northern District of California, the consolidated complaint alleging that the hackers stole income tax refunds and placed false charges on their credit cards.[v]
- June 1, 2015: Court dismisses claim arising out of a data security breach by Amazon.com (Zappos.com), because the victims lacked standing to sue when they could not identify any specific harm that they had sustained as a result of the a data breach that occurred 3.5 years prior.[vi]
- July 31, 2015: FDA issues alert for healthcare facilities to discontinue the use of Hospira Symbiq Infusion System due to cybersecurity vulnerabilities. In other words, as the FDA’s statement set forth, the Hospira system could be accessed remotely through a hospital’s network, giving an unauthorized user access and control to the device and change the dosage of general infusion therapy the pump delivers.[vii]
- June 2016: Hacker gains access to 397,000 patient records from the internal network of a large database in Georgia, 210,000 patient records from a database somewhere in the Midwest (retrieved from a ‘severely misconfigured network’), and 48,000 records located in Farmington, Missouri.”[viii] The hacker then put the information up for sale at around $485K. This is just one of many recent “ransomware” stories, which is a category of malicious software (“malware”) that encrypts a user’s disk drives and demands some form of compensation in return for critical data held hostage, which have occurred recently.[ix]
For best practices on how to prepare, mitigate, and otherwise manage vulnerabilities and potential cybersecurity attacks, stay tuned for part three of this series coming soon. Read part one of this series on navigating the medical device field and vulnerabilities of medical devices here.
[i] U.S. Food and Drug Administration, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff, October 2, 2014.
[ii] Barbara Filkins, Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare On Horizon, SANS Institute, February 2014.
[iii] Morgan E. Peck, Medical Devices Are Vulnerable to Hacks, But Risk Is Low Overall, August 12, 2011.
[v] Carolyn Purwin Ryan, Cyber Security Vulnerabilities: Is Your Medical Device At Risk?, January 2016.
[viii] Chris Nerney, Hacker puts 10 million stolen health records up for sale, June 30, 2016.
[ix] Health Held Hostage: Ransomware in the Health Care Industry, May 26, 2016.