Code Cyber: Protecting Patients in the Age of Hackers

Today’s physician is more likely to carry a smart device loaded with medical apps than she is a stethoscope. In modern medicine, clinicians increasingly rely on digital platforms for tasks ranging from documenting patient encounters to ordering labs and viewing radiology studies. These essential, life-saving, connected technologies permeate medicine, but they also pose previously unrecognized risks to our patients.

Most clinicians expect medical technology to serve their patients in a continuously reliable, secure manner. Unfortunately, our trust may be misplaced.

Hacks reveal cracks in a vulnerable infrastructure

As two major recent cyberattacks affecting hospitals have demonstrated, the security of medicine’s technologic infrastructure rests on a precarious precipice. In the first, in May of this year, computer systems in hundreds of countries across the world were infected by a virus perhaps aptly named ‘WannaCry.’ A member of a family of malicious programs called ransomware, WannaCry encrypted the information stored on compromised computers. This move rendered the information inaccessible by its victims, unless they paid a sum of money to accounts owned by the hackers who initially distributed the virus. One month later, a similar virus, ‘NotPetya,’ erupted in a similar global fashion.

These attacks spread non-specifically from computer to computer. They affected individual citizens, large corporations, and world governments alike. But, perhaps the most dramatic and potentially catastrophic compromise came when dozens of hospitals in Britain’s National Health System were infected. The results were damaging. Planned surgeries were cancelled, doctor’s visits missed, and emergency rooms were shut down to all but the most seriously ill patients.

Though it’s difficult to fully ascertain the effect on patient outcomes from cyberattacks like WannaCry, researchers have demonstrated that seriously ill patients suffer delays in care — and therefore worse outcomes — from disruptions as simple as road closures during marathons. As such, attacks on hospital infrastructure — whether from malicious hackers looking to avenge perceived abuses, as occurred to Boston Children’s Hospital in 2014, or rogue nation states aiming to destabilize a civilian population — remain a real and ongoing threat to patient safety.

Device risks make hacks personal, and even more dangerous

Although hospital hacks can potentially affect the care of vast numbers of patients at once, even more chilling are the vulnerabilities of implantable medical devices.

“White hat” hackers, who work to uncover and fix problems in code and hardware before they can be used by more nefarious actors, have been finding weaknesses for years. As early as 2011, security researchers reported that insulin pumps, pacemakers, and drug infusion devices can be accessed and manipulated by outside forces, resulting in a takeover of functionality with potentially lethal results.

The threat lies within the wireless connectivity of these machines. More often, devices like these are designed to let clinicians and manufacturers pull information from, troubleshoot, and update individual devices while they sit nestled deep within a patient’s body. But if it’s not properly protected, any system connected to the internet possesses a gateway for digital hijackers to insert code that unlocks, modifies, and ultimately disrupts the machine’s purpose.

It’s true that the literature doesn’t yet contain case reports of patients who have been shocked into cardiac arrest by automated implantable cardioverter defibrillators, or of children crashing into hypoglycemic seizures from compromised insulin pumps. However, evidence of vulnerabilities that could lead to just these scenarios has been convincingly produced in laboratory settings. As practicing physicians with interest in medical cybersecurity, we believe it’s only a matter of time before we see real patients experiencing real harm, or God forbid, mortality from a targeted cyberattack.

Closing the gaps

How can we protect our patients from a future of cyber morbidity? The first step comes with awareness. As clinicians, we are responsible for constantly educating ourselves to have the most up-to-date knowledge possible. We must learn about the most novel treatments, basic science advances, and evidence-based guidelines. Clinicians need to become attuned to the risks and downsides that exist with the implementation of medical technology — not just the benefits and advances they promise our patients.

One powerful way to demonstrate the risk posed to patients is by simulating a cyberattack. At the inaugural CyberMed Summit, a multidisciplinary conference featuring stakeholders across the medical security space, we developed the first clinical scenarios featuring patients presenting with complaints secondary to research-proven medical device flaws. Doctors, hackers, policy makers, medical device manufacturers, and law enforcement watched as unsuspecting community clinicians were forced to deal with compromised infusion pumps, a hijacked defibrillator, and an MVA caused by a hacked insulin delivery device.

Action is occurring at higher levels as well. In 2015, the FDA responded to white hat hackers who disclosed vulnerabilities in a commonly used hospital infusion system with its first ever Safety Communication focusing on cybersecurity vulnerabilities in a medical device. The FDA’s Center for Radiologic Health and Devices, under the leadership of Dr. Suzanne Schwartz, continues to hone pre- and post-market guidance for device manufacturers to ensure that security is a foundational consideration for newly developed devices.

Lastly, the Department of Health and Human Services last year commissioned a Health Care Industry Cybersecurity Task Force to address the key challenges faced by the nation’s hospitals and care providers. In its recently released report, the Task Force found that healthcare cybersecurity is in “critical condition.” This is in part due to a dearth of security professionals, meaningful use requirements that have encouraged hyperconnectivity of medical devices, and legacy devices using systems that haven’t had security flaws patched in over a decade.

Protect yourself!

These efforts are a start, but they aren’t enough. We as clinicians need to add our voice to the burgeoning conversation about how to protect our patients from cyber threats.

Clinicians should also practice cybersecurity “hygiene.” Steer clear of the trap of suspicious emails and develop stronger personal passwords. Frequently update your operating systems, and use validated anti-virus software. Simple practices like these — first steps toward secure solutions — may someday even save a life.

Christian Dameff, MD, and Jeff Tully, MD, are physicians, security researchers, and hackers. As international experts in medical cybersecurity, they have presented at some of the world’s most prominent hacker forums, including Def Con and BSides, on various healthcare cybersecurity topics including hacking 911 systems, medical device security, and malware. They are the cofounders of the CyberMed Summit, a novel multidisciplinary conference with emphasis on medical device and infrastructure cybersecurity. Dr. Dameff is currently a clinical informatics fellow at the University of California, San Diego, and Dr. Tully, a pediatrician, is pursuing additional clinical training in anesthesia at the University of California, Davis.
