Medical devices a target for cyberattacks, but how serious is the threat?

"Attack surface" is not a term hospital officials have historically used in debates over which medical devices to purchase.

That's changing quickly. Some networked medical devices are vulnerable to hacking, either intentionally or from lax computer security measures, which makes them weak points in the hospital's "attack ­surface" for hackers in cyberspace.

"Long ago, the medical device, the car, the [power] grid, was not vulnerable to cyberattack because it was a mechanical system. We've long passed the point of adding cyber components," Dan Massey, a manager at the Homeland Security Department, said at a meeting of med-tech security experts in Minneapolis this week. "In our rush to add in new functionality, are we also making sure we have security?"

Last March, the Homeland Security Department disclosed cybersecurity vulnerabilities in some common drug-dispensing machines used in hospitals. Last year, the Food and Drug Administration warned hospitals to avoid a type of drug-infusion pump vulnerable to hacking. Independent researchers continue hacking devices to look for flaws.

A few hospitals have publicly acknowledged being hit with "ransomware" attacks, in which hackers infect a hospital network and encrypt critical files until a ransom is paid. The attacks are often caused by garden-variety e-mail phishing scams, but the FBI has warned hospitals that compromised medical devices would also allow "malicious traffic" to be transmitted through firewalls and into hospital networks.

Thus far, no Minnesota hospital has acknowledged being victimized by hackers, but the extent of such vulnerabilities and attacks in hospitals is a vast unknown — a point highlighted this week at the meeting of security researchers convened by Homeland Security.

"I've never seen this kind of exposure, with this kind of risk, and so little data, in near 30 years of public health practice," said Dr. Dale Nordenberg, executive director of MDISS, the Medical Device Innovation, Safety and Security ­Consortium.

MDISS, which is a public-private partnership, was awarded a $1.8 million Homeland Security grant in November for a project to develop a medical-device risk-assessment platform. Evidence suggests that the program will discover plenty of risk to assess.

Michigan-based med-tech cybersecurity expert Kevin Fu, who spoke at the Minneapolis meeting, provided a copy of an actual analysis of one hospital's inventory of networked infusion pumps.

The result? More than 80 of the unidentified hospital's 116 infusion pumps were vulnerable to compromise, because they were set in a default mode that allowed remote "root" access to the network.

Was that the fault of the pump-maker for distributing a machine in a default mode that allowed external access? Or the hospital's fault, for failing to manage its passwords and machines adequately? What about the regulators who only recently started to come to consensus about the magnitude of the problem, let alone solutions?

"The question we should be asking is, why are these happening in the first place? ... A lot of it boils down to design flaws in the medical devices, and [users] just not checking if the controls are working," Fu said. "It's really basic hygiene. You look at the kind of problems, like remote root access?" Fu chuckled. "I mean, this is not targeted assassination. This is basic. Some of the problems are pretty basic."

"Whatever the numbers suggest, we have real risk," Nordenberg told the meeting attendees on Thursday. "We don't have best-practices today to deal with the consequences of putting more than $30 billion into creating a new digital health care digital infrastructure, which is what [federal agencies] did over the last 10 years, give or take."

Ken Hoyme, a researcher with Minneapolis-based cybersecurity firm Adventium Labs, told meeting attendees about his ­company's work to improve device cybersecurity by creating digital tools and templates that manufacturers could use to create a strict separation between a device's medical functions and its networking systems.

Such a system, known as a separation-kernel hypervisor, is widely used to protect other critical computing and control systems. Adventium got a $2.2 million grant in February from Homeland Security for its medical-device project, Isosceles.

"The concept of using separation architectures — or having a safety architecture where you completely separate the monitors from the things they are monitoring — is not as well understood in the medical device industry," particularly at smaller device companies, Hoyme said. "It's fundamental in things like aviation, nuclear power controllers. It's a basic building block."