Last December, the popular Showtime series Homeland featured a surprising plot twist where terrorists wirelessly hijacked the fictional vice president's pacemaker and delivered enough electric shocks to kill him. Was this turn of events unlikely? Maybe. But not implausible.
Indeed, common medical devices – such as pacemakers and defibrillators, as well as other kinds of networked medical equipment used by hospitals – are subject to potential security breaches, either by targeted attack or, more likely, by falling prey to routine malware.
“The threat is omnipresent,” says Dale Nordenberg, co-founder and executive director of the nonprofit Medical Device Innovation, Safety and Security Consortium (MDISS). “We must assume that nearly every device is hackable. The vast majority are vulnerable to malware. Many are vulnerable through poor password management practices.”
MDISS was launched about three-and-a-half years ago, by Kaiser Permanente and the Veterans Administration, as a response to the continuing concerns surrounding the security and interoperability limitations of medical devices, says Nordenberg. The consortium collaborates with more than 40 health care systems to identify issues and define requirements, and convey them to manufacturers of medical devices and other stakeholders, including technology companies and government agencies, like the Food & Drug Administration (FDA), National Institute of Standards and Technology (NIST), and the Department of Homeland Security (DHS).
Nordenberg, who is also president of Novasano Health and Science, a company that delivers services and products to accelerate innovation in health care and life sciences with a particular focus on leveraging the strategic application of information resources, says that while there are some variances – devices that operate on Windows or Linux are likely more vulnerable than those that use less common proprietary operating systems, for example – it should be assumed that “the threat is enormous.”
The move to more interconnected, networked and common technology platforms in health care, while it serves to support great advancement, has also opened the door to the same kind of attacks and malicious code that are seen commonly in many other industries, and on many other types of equipment. “Manufacturers really didn't need to pay a lot of attention to medical device security when they ran on closed loop proprietary networks,” says David Attard, administrative director for health care technology for Harris Health System in Houston (formerly Harris County Hospital District). “As we have pushed for integration of information systems, electronic medical records and inter-hospital information exchange we have had to relook at how devices are managed within our facilities to include consolidating on customer-owned networks – this has created device security and hardware incompatibility issues – before vendors have reacted to developing more secure devices.”
And, the issues may not be isolated only to newer technologies or equipment on an open network. Attard points out that while equipment at risk could include any device that transmits patient information or receives software updates via Wi-Fi over hospital networks, he's seen viruses introduced through vendor demos of equipment connecting to his company's network. This, fortunately, was quickly stopped by an internal policy. However, that does not mean older equipment is immune.
“To me the devices most at risk are some of the more legacy systems that aren't able to be updated as system security patches are available due to conflicts and shutting devices down,” Attard says. This has resulted in his team having to isolate some of these devices, like the legacy cardiology information system, or limit their functionality.
Axel Wirth, distinguished systems engineer and solutions architect for the U.S. health care industry segment at Symantec, says the issue of medical device security came to his attention about four years ago when one of the company's clients suffered a malware outbreak that affected its entire medication delivery system. Since then, he says, “The problem has been very widespread. I haven't met a client without a story to tell.”