Medical Device Cyber Attacks: TV Plot or Dangerous Reality?

You may have watched it on “Grey’s Anatomy” or “The Resident”: A cyberattack shutting down millions of dollars’ worth of critical equipment, leaving lives in danger.

It’s not a far-fetched storyline. These episodes are merely fictionalized versions of an increasingly common fact: hackers are already carrying out successful attacks on medical devices in hospitals. And personal medical devices could be next.

The U.S. Food and Drug Administration warned patients and doctors in 2019 of an insulin pump recall due to cybersecurity risks. The agency also sent out a warning letter in 2017 after it found that certain implanted heart devices could be hacked through their home monitoring systems.

The FDA has spent more than a decade trying to stay on top of the growing number of connected devices as well as the growing risk of cyberattacks on those devices. The efforts culminated with new guidance in 2018, but it is still being tested in the real world.

Hospital Attacks Reveal Health Care Cybersecurity Risks

Hospitals are highly profitable targets for hackers using ransomware. These computer viruses are just what they sound like. They shut down a hospital’s computer network and online medical devices until the hospital pays a ransom.

The attacks target thousands of businesses at a time and the ransoms are relatively small, making it more likely that hundreds of victims will pay up. Hackers may use a barrage of emails and phishing scams to trick just one employee into clicking on a link that downloads ransomware onto the hospital’s whole network. Cybersecurity experts say the virus may remain hidden for 18 months before it’s found or activated.

In 2016, the SamSam ransomware attack forced Washington, DC- and Maryland-based MedStar Health to shut down operations in 10 hospitals and 250 outpatient centers. Hackers demanded a $19,000 ransom paid in Bitcoin. MedStar refused to pay and suffered days of disruptions until it could repair its network.

Indiana-based Hancock Health was hit in the same ransomware attack. It paid $55,000 to get the hackers to return control of its network. MedStar, Hancock and other targets suffered more than $30 million in losses in the SamSam attack. But federal agents were able to indict two men behind the attacks.

Personal Medical Devices Are Increasingly Vulnerable

Software issues, including security gaps, were the leading cause of medical device recalls for 11 straight quarters through the end of 2018, according to the Stericycle Recall Index. Software problems accounted for 79 medical device recalls in the last three months of 2018 alone.

The FDA has identified software vulnerabilities that could let hackers take advantage of personal medical devices dating back as far as 2008.

In June 2019, the agency identified cybersecurity problems with some Medtronic MiniMed insulin pumps used to control diabetes. The vulnerability could let someone take control of the pump through other devices that connect to the pump over a wireless connection. They could hit the owner with either too much or too little insulin, debilitating or killing the patient.

At least 11 models of the MiniMed pumps were recalled. The FDA said it was not aware of anyone having exploited the vulnerability.

“Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users.”
Dr. Suzanne Schwartz, Center for Devices and Radiological Health

In 2016, the FDA sent out a warning letter about home monitoring systems for implanted defibrillators. It warned that hackers could use the monitors to control the owners’ heart devices.

The monitors were made by St. Jude Medical, a device manufacturer not associated with the similarly named children’s research hospital. The FDA allowed the Merlin@home monitors to remain on the market, saying the benefits of monitoring outweighed any cybersecurity risks.

The following year, the company recalled 465,000 pacemakers that may have had other security flaws.

“Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users,” the FDA’s Suzanne Schwartz said in a statement.

But she added that wireless technology and software in medical devices can also offer safer and timelier health care.

FDA Rolls Out a Cybersecurity “Playbook” to Head Off Medical Device Hacks

In 2018, the U.S. Food and Drug Administration released a playbook to help health care providers prepare for and respond to medical device cybersecurity issues. The guidelines were co-authored by the nonprofit MITRE Corporation.

“Of particular focus are threats or vulnerabilities that have the potential for large-scale, multi-patient impact and raise patient safety concerns,” the authors wrote in describing its scope.

It’s a game plan for device makers, hospitals and other health care providers to act quickly to minimize problems. But it doesn’t address what an individual patient hit with a cyberattack should do.

The FDA issued its first guidelines on cybersecurity standards for the medical device industry in 2005. It ramped up its cybersecurity program in 2013 with a working group that focused on new cybersecurity dangers.

But the agency has had to scramble just to keep up with changing and emerging threats. In 2008, researchers first used radio signals to trigger an implantable defibrillator into sending potentially fatal electrical shocks.

That same year, the Department of Veterans Affairs began tracking malware found in medical devices. By mid-2016, the VA had recorded 181 cases of infected medical devices.

The FDA has overseen cybersecurity recalls based on hacking concerns since at least 2015. And it believes it’s been able to catch cybersecurity flaws in medical devices before hackers found them. At least, so far.

“The FDA isn’t aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient,” then-FDA Commissioner Scott Gottlieb said in a 2018 statement.

But he went on to warn that the “risk of such an attack persists.”