“Attack surface” is not a term hospital officials have historically used in debates over which medical devices to purchase.
That’s changing quickly. Some networked medical devices are vulnerable to hacking, either intentionally or from lax computer security measures, which makes them weak points in the hospital’s “attack surface” for hackers in cyberspace.
“Long ago, the medical device, the car, the [power] grid, was not vulnerable to cyberattack because it was a mechanical system. We’ve long passed the point of adding cyber components,” Dan Massey, a manager at the Homeland Security Department, said at a meeting of med-tech security experts in Minneapolis this week. “In our rush to add in new functionality, are we also making sure we have security?”
Last March, the Homeland Security Department disclosed cybersecurity vulnerabilities in some common drug-dispensing machines used in hospitals. Last year, the Food and Drug Administration warned hospitals to avoid a type of drug-infusion pump vulnerable to hacking. Independent researchers continue hacking devices to look for flaws.
A few hospitals have publicly acknowledged being hit with “ransomware” attacks, in which hackers infect a hospital network and encrypt critical files until a ransom is paid. The attacks are often caused by garden-variety e-mail phishing scams, but the FBI has warned hospitals that compromised medical devices would also allow “malicious traffic” to be transmitted through firewalls and into hospital networks.
Thus far, no Minnesota hospital has acknowledged being victimized by hackers, but the extent of such vulnerabilities and attacks in hospitals is a vast unknown — a point highlighted this week at the meeting of security researchers convened by Homeland Security.
“I’ve never seen this kind of exposure, with this kind of risk, and so little data, in near 30 years of public health practice,” said Dr. Dale Nordenberg, executive director of MDISS, the Medical Device Innovation, Safety and Security Consortium.
Nordenberg’s group is one of several organizations receiving Homeland Security funding to study and develop tools to combat cyber-vulnerabilities in medical technology. The meeting where he spoke, held in Nicholson Hall at the University of Minnesota, brought together investigators from ongoing security projects in medical devices, cars, important buildings, and the power grid, among others.
MDISS, which is a public-private partnership, was awarded a $1.8 million Homeland Security grant in November for a project to develop a medical-device risk-assessment platform. Evidence suggests that the program will discover plenty of risk to assess.
Michigan-based med-tech cybersecurity expert Kevin Fu, who spoke at the Minneapolis meeting, provided a copy of an actual analysis of one hospital’s inventory of networked infusion pumps.
The result? More than 80 of the unidentified hospital’s 116 infusion pumps were vulnerable to compromise, because they were set in a default mode that allowed remote “root” access to the network.
Was that the fault of the pump-maker for distributing a machine in a default mode that allowed external access? Or the hospital’s fault, for failing to manage its passwords and machines adequately? What about the regulators who only recently started to come to consensus about the magnitude of the problem, let alone solutions?
“The question we should be asking is, why are these happening in the first place? ... A lot of it boils down to design flaws in the medical devices, and [users] just not checking if the controls are working,” Fu said. “It’s really basic hygiene. You look at the kind of problems, like remote root access?” Fu chuckled. “I mean, this is not targeted assassination. This is basic. Some of the problems are pretty basic.”
He mentioned assassination because some device vulnerabilities theoretically allow a hacker to meddle with a specific person’s medical machine and hurt them. But several experts at the meeting agreed that the more plausible risks are that hackers would blackmail a compromised hospital or steal patients’ personal information.
“Whatever the numbers suggest, we have real risk,” Nordenberg told the meeting attendees on Thursday. “We don’t have best-practices today to deal with the consequences of putting more than $30 billion into creating a new digital health care digital infrastructure, which is what [federal agencies] did over the last 10 years, give or take.”
Ken Hoyme, a researcher with Minneapolis-based cybersecurity firm Adventium Labs, told meeting attendees about his company’s work to improve device cybersecurity by creating digital tools and templates that manufacturers could use to create a strict separation between a device’s medical functions and its networking systems.
Such a system, known as a separation-kernel hypervisor, is widely used to protect other critical computing and control systems. Adventium got a $2.2 million grant in February from Homeland Security for its medical-device project, Isosceles.
“The concept of using separation architectures — or having a safety architecture where you completely separate the monitors from the things they are monitoring — is not as well understood in the medical device industry,” particularly at smaller device companies, Hoyme said. “It’s fundamental in things like aviation, nuclear power controllers. It’s a basic building block.”