Medical devices, whether an insulin pump inside a diabetic's body or a diagnostic scanner in a hospital, come seeded with cybersecurity vulnerabilities that are becoming more widely known every day.
Some flaws cough up patient health information or allow a hacker to spy on a hospital network. In April, hackers tried to crash the Boston Children's Hospital computer system, and last week the Homeland Security Department disclosed a serious security glitch in a machine that safeguards dangerous drugs in hospitals.
Hackers may even attack a patient by switching off an implanted device or causing it to dump a payload of drugs into a patient. "To most people this sounds like fantasy, but we know that this threat is real," Jason Lay, manager of cyberthreat information at the U.S. Health and Human Services Department, said at a public workshop Tuesday in Arlington, Va.
Some of these "cybervulnerabilities" have been known for years, but progress to fix them has been sluggish and uneven. On Tuesday, officials with the Food and Drug Administration aimed to jump-start the conversation by kicking off a two-day gathering of experts from hospitals, devicemakers and computer-security firms for the first national workshop on improving cybersecurity in medical devices.
"I think everyone has a role to play, but frankly, everyone needs to step up. That's what we're not seeing so far," Kevin McDonald, clinical information security director at the Mayo Clinic, said Tuesday at the workshop.
Mayo, it turns out, is among a handful of hospital systems nationally that have staked out aggressive stands on device security.
Last year the Rochester-based provider quietly hosted its own internal "hackathon," in which system employees and outside experts were asked to put about 40 medical devices through their paces and uncover vulnerabilities. New flaws were found, which in some cases led to "deeper dives" with manufacturers to fix the problems. "For the most part, the vendors have been receptive to working with us," said another Mayo employee, chief security analyst Debra Bruemmer, in a panel discussion at the workshop.
The hospital system also starts detailed discussions about cybersecurity with device companies during early purchase-agreement negotiations, which may help hospitals nationally by raising the profile of the issue among devicemakers, Bruemmer said.
FDA guidance is nonbinding
A report by the Government Accountability Office in 2012 highlighted the fact that the FDA does not assess cybervulnerabilities when deciding whether to approve new devices for sale in the U.S. The FDA has since released nonbinding guidance on how device companies can enhance computer security, but it has stopped short of mandating strict rules and procedures like those in place to evaluate the safety of a new drug.
In April, the National Institute of Standards and Technology published a cybersecurity "framework" that lumps health care devices with the power grid and the electronic-banking system as critical national infrastructure in need of far better protection.
The companies that make and sell medical devices say they're aware the problems exist. But keeping flaws out of new devices is tough, and fixing machines already parked on hospital floors or inside patients' bodies is even harder.
"We don't want to use too much power. We have to be concerned about heat and size and space," said Bill Aerts, director of information and product security at Fridley medical giant Medtronic. "We'd like to encrypt things, but it takes up so much power that you have to make trade-offs, in some regard."
Hospitals have not always spoken with one voice in the rare cases where they do openly discuss the unpleasant topic of medical-device cybersecurity.
In the past, hospitals have requested that larger devices use off-the-shelf computer software, particularly Microsoft's Windows operating systems. Now hospitals complain that Microsoft has stopped supporting older operating systems still used in aging devices, particularly large scanners. Some device companies write their own software, but they contract the work offshore, which presents different security problems.
"Manufacturers have to understand that their devices are going into a hostile environment," said Billy Rios, a cybersecurity engineer at California network-security firm Qualys. "It has to be rigorous and robust to survive in that environment."