When computer hackers breach a hospital system, they work quickly to find valuable patient medical records to smuggle out, while also infecting other computers that might harbor valuable data or protect their unauthorized network access.
The hackers don't directly target patients. But a first-of-its-kind sting operation, set up by a private security firm called TrapX Labs, recently documented how financially motivated computer hackers attacking a decoy hospital network can make changes in networked devices like CT scanners in ways that can compromise patient safety. The hospital network was fake, but attackers were real, TrapX said.
"They obviously understand that medical devices have less security. We saw them fairly immediately go after those medical devices," TrapX marketing executive Ori Bach said.
Protecting against cyber intrusions is a top-of-mind concern at real-world hospitals across the country. This week a group of about 100 security officials from medical device companies, hospitals and security firms gathered at Medtronic's Mounds View complex to discuss ways to manage the security of networked medical devices in hospitals, as part of the annual Cyber Security Summit series.
The meeting followed publication of the Food and Drug Administration's medical device safety action plan. The report revealed that the agency is considering plans to require that vendors ensure software in medical devices can be updated and provide hospitals with a "software bill of materials" that discloses all of the native software contained in device.
Lacking such a requirement today, cybersecurity experts at Minnesota's Mayo Clinic described their hands-on approach to device security during presentations at Thursday's meeting in Mounds View. Before the clinic buys a new medical device, vendors must fill out detailed questionnaires to make sure products meet minimum cybersecurity standards.
Mayo also works to see if the product conforms to industry best practices, like removing software development tools used during the device's design process, since those tools can be helpful to attackers. Mayo employees sometimes work directly with device makers to ensure they take basic security steps such as closing off access to unused ports in a device's configuration file, like a keyboard port for a device that has no keyboard.
"I'm going to be honest — we haven't found one yet that doesn't need any attention," Debra Bruemmer, a senior manager in clinical information security at Mayo, said Thursday.