Are Patients the Next Cyberattack Targets?

Jen A. Miller

September 13, 2019

When Vice President Dick Cheney received a new defibrillator in 2007, his doctor disabled the device's wireless capabilities so that it wouldn't be vulnerable to terrorist attacks.

"I worried that someone could kill you," his cardiologist, Jonathan Reiner, told him years later on CBS' 60 Minutes.

While healthcare systems have focused on warding off threats from malware and ransomware, a more insidious way to create havoc is gaining attention: hackers targeting patients by changing or disabling network-connected medical devices and diagnostic test results. Earlier this week, the US Food and Drug Administration (FDA) held a meeting to highlight the potential dangers.

Such concerns have a history. In April 2018, the FDA recalled 465,000 pacemakers because of security vulnerabilities and insisted the manufacturer issue software fixes. Last fall, the FDA issued a safety alert about other cardiac device programmers due to hacking concerns. And in June of this year, the FDA issued a warning about some insulin pumps after they were recalled because of their potential to be hacked. If they gained access, hackers could change the insulin dose, give a bolus dose, or stop an infusion, turning insulin pumps into lethal weapons.

To date, there have been no reports of patients being harmed by hacked cardiac or insulin devices. But the number of lives that depend on such devices continues to grow, as does the interconnectedness of such devices with other systems, such as physician and hospital networks that collect and analyze patient data. A typical hospital bed has 10 to 15 wirelessly connected medical devices. Exploitability is a particular risk for legacy devices, such as MRI and CT scanners, ventilators, dialysis machines, and anesthesia workstations, which can be so old that patches to close their security gaps are no longer available.

We can only guess whether healthcare hackers will change their tactics and go after patient medical devices. What's often buried in this conversation, however, is that an unsecured medical device isn't just a threat to patient well-being — it can serve as a conduit to the network it's connected to, a sort of "back door" access to stealing patient health data or even shutting down entire networks.

Door's Open, Come On In

Imagine a hospital getting an online message stating that hackers have altered a number of their CT scans, and are now demanding $1 million in Bitcoin to undo the damage. We could be moving closer to this reality.

Cybersecurity researchers (sometimes called "white hat hackers") are exposing healthcare's massive vulnerability to this new breed of cyberattacks. Yisroel Mirsky, PhD, and colleagues from Ben-Gurion University in Israel recently demonstrated how simple it would be for hackers to maliciously alter the trajectory of a person's health.

The researchers covertly gained physical access (with permission) to a hospital's radiology department and planted a device that successfully intercepted CT scans before being read by the radiologist. They used deep learning software to tamper with the images by adding or removing evidence of cancer. The outcome was so realistic that both expert radiologists and state-of-the-art cancer screening technology were fooled (see before and after scans). It was fast, efficient, and anonymous. An attack of this nature could also be done remotely, without setting a foot inside the hospital.

But why mount an attack like this? Many motivations have been proposed. A hacker's goal might be falsifying research evidence, sabotaging a competitor, or committing an act of terrorism or murder. But if these scenarios seem unlikely, consider what a hacker could do for personal gain. Altering his or her own diagnostic imaging, for example, could facilitate insurance fraud that would be difficult to detect.

At the moment, hackers are still primarily focused on ill-gotten financial rewards, and "have yet to figure out how to monetize breaking into a medical device," said Ryan Witt, a managing director at Proofpoint, a healthcare cybersecurity firm. One of the firm's studies found a 473% jump in email fraud attacks at healthcare organizations from the beginning of 2017 to the end of 2018. Examples include fake invoices from "known" associates or requests for protected patient information.

Stolen electronic health records can bring a fortune on the black market, and hospitals have received ransom requests after their systems were hacked. Even if individual patients aren't the ultimate target, hacking into their personal medical devices could open a backdoor into a hospital's networks, inviting cyber criminals in to stage a widespread and more lucrative attack.

Has a Medical Device Cyberattack Happened?

Medical devices malfunction all the time, and such malfunctions can lead to serious injury or death. But no incidents have been confirmed as the result of a cyberattack.

"That's not to say it can't be done," cautioned Suzanne Schwartz, MD, MBA, a deputy director at FDA who leads the agency's efforts in medical device cybersecurity. The potential for patient harm is significant, she added.

But clinicians don't really have the tools — or even the level of suspicion — to assess whether an attack has taken place, said Jeff Tully, MD, anesthesiologist and cofounder of the CyberMed Summit, a symposium designed to prevent healthcare attacks and protect patient safety. "Most clinicians don't know what a compromised device would do to a patient," he said. "How can you detect something that you're not even looking for?"

Healthcare systems should not wait to take preventive steps until there is proof that hackers are targeting medical devices, he said. "The theoretical risk that has been demonstrated in the security research arena should be enough for clinicians, hospitals, medical device manufacturers, and regulators to take this issue seriously," said Tully.

In fact, malware infections can spread quickly in healthcare systems, and they won't stop when encountering a personal medical device, he added. "These ransomware attacks don't really care who they're targeting, so medical devices could just be swept up in them."

The FDA appears to share those concerns. The agency has released security guidelines for medical devices in collaboration with clinicians, device manufacturers, academics, patients, and other government entities. FDA official Schwartz describes it as "a living document."

"The docket remains open and you can comment at any time through the lifetime of the guidance," she said.

An Uncomfortable Truth

So what should clinicians be looking for? An unexplained device failure, abnormal device functioning, or signs of physical tampering with a device should prompt a call to a hospital's biomedical engineering and information security teams "so that devices can be analyzed with the relevant forensic and diagnostic tools," said Tully, who believes that more awareness and understanding about how cyberattacks are carried out is essential.

"The uncomfortable truth is that awareness may not arrive until it is too late," he said, "which is to say there may be minimal or no signs of a device compromise until a catastrophic safety event has already taken place."

Cybersecurity should be discussed with patients when explaining the purpose of a medical device, said Marti Jordan, MD, PhD, a visiting assistant professor at the University of Southern Mississippi. Patients should understand that any internet-connected device is vulnerable to hacking, and should be advised against connecting devices to public, nonsecure, or free Wi-Fi networks. She also tells patients not to use the default passwords that come with the device and instead create a strong password and change it often. Patients should install security patches as they become available, she said.

Some experts note, however, that "patches" may involve invasive procedures, so the solutions are not always obvious. The American College of Cardiology issued a statement last year in response to the recalled and updated pacemakers, writing, "Most believe the risk of the software update is far outweighed by the theoretic risk of a cybersecurity breach."

A lead author of that paper told Medscape Medical News at the time, "The hypothetical scenario of a rogue hacker getting into someone's device, turning off the pacemaker, or turning off the defibrillator capability, I think is just the soap-opera take on it. Other than that, I don't think there's any real substance to it."

The authors did warn that remote monitoring networks linked to personal devices might be more vulnerable, and that cybersecurity concerns should not be brushed aside.

Security expert Witt said he's seen a shift in the medical culture about taking cybersecurity concerns more seriously. "For the longest time, we were guided only by HIPAA," he said. "Now, more and more health IT experts are talking about cybersecurity as it pertains to the Hippocratic oath — to 'do no harm.'"
