Cyberattacks May Target Health Care Systems: Vulnerabilities of Medical Devices and the FDA’s Reaction

Monday, September 14, 2015
By Michael L. Smith, R.R.T., J.D., Board Certified by The Florida Bar in Health Law


Recently, major news sources covered a demonstration cyberattack on an automobile that was carried out by researchers from Wired Magazine.  The demonstration showed how the car's onboard computer was vulnerable to a remote cyberattack, potentially leading to disastrous consequences.  The manufacturer of the vehicle in the demonstration quickly announced a recall of approximately 1.4 million vehicles in order to perform software updates.

One of the experts discussing the Wired Magazine demonstration identified cyber vulnerabilities of medical devices as a greater concern than the cyber vulnerabilities of automobiles.  


Cybersecurity Vulnerabilities.

On July 31, 2015, just 10 days after the Wired Magazine demonstration, the Food and Drug Administration (FDA) issued a warning to all health care facilities using older versions of the Hospira Symbiq Infusion System stating that the system was subject to cybersecurity vulnerabilities.  According to the FDA, the systems could be accessed remotely through a hospital's network, allowing an unauthorized user to change dosages administered by the pump.

The timing of the FDA announcement appears to be entirely coincidental and the vulnerability of medical devices to cyberattack has been a concern for several years.  In a 2011 demonstration, an insulin pump was hacked and directed to deliver a lethal dose of insulin.  In another demonstration about a year later, an implantable pacemaker was hacked and directed to deliver a potentially lethal shock.  

The FDA has issued multiple warnings about cyber vulnerabilities in medical devices and in hospital networks.  Even the Department of Homeland Security (DHS) has a division, the U.S. Computer Emergency Readiness Team (US-CERT), which analyzes cyber vulnerabilities in all areas, including vulnerabilities in medical devices.


Hacking Medical Devices.

To date there has never been a confirmed cyberattack on a patient's medical device in an attempt to injure or kill the patient.  However, at least three cyberattacks of medical devices that resulted in data breaches have been reported.  In each of those incidents, the medical devices had been infected with malware, which allowed unauthorized individuals to access the hospitals' networks.  
The motive for these cyberattacks appeared to be to steal the confidential patient information contained on those networks, and not to kill or injure a particular patient.  Medical records are extremely valuable on the black market, so it is not surprising that hackers are looking for any route possible to access and steal those records.  The hacking of medical devices is currently the easiest route for hackers to use in inappropriately accessing medical records.  The FBI has also warned that the health care sector is vulnerable to cyberattacks.


How Do the Hackers Do it?

In one reported incident, three arterial blood gas analyzers were discovered to be infected with malware.  The malware made it possible for unauthorized individuals to access the hospital's computer network and install other malware.  The attack resulted in confidential information being sent to Europe.  The hospital involved was not able to detect the malware through its own network protections because the malware was on the software of the medical device.

In the other two incidents, the system each hospital used to store and transmit diagnostic images was again infected by malware.  The malware allowed unauthorized individuals to remotely access confidential patient information maintained on each hospital's system.  The confidential information obtained in those instances was sent to China.  Again, the hospitals were unable to detect the malware with their own security measures because the malware was on the software of the medical device.


Preventing Unauthorized Modification of Medical Devices.

These incidents should not be a surprise to medical device manufacturers or to hospitals.  In 2013, the FDA issued a Safety Communication identifying medical devices infected with malware as a major cybersecurity vulnerability.  The FDA advised medical device manufacturers that they were to remain vigilant in identifying cybersecurity risks associated with their devices.  The FDA recommended that manufacturers make sure appropriate safeguards were in place to prevent unauthorized access to, or modification of, medical devices.

Hospitals and medical device manufacturers should re-examine the FDA's warnings about the cybersecurity vulnerabilities of medical devices and hospital networks.  Those hospitals and medical device manufacturers should also re-examine their security systems to ensure that they are protected from cyberattacks, including attacks by malware associated with medical devices.
 



About the Author: Michael L. Smith, R.R.T., J.D., is Board Certified by The Florida Bar in Health Law. He is an attorney with The Health Law Firm (www.TheHealthLawFirm.com), which has a national practice. Its main office is in the Orlando, Florida, area. He is also a registered respiratory therapist with decades of hospital experience.


Sources:

Goodin, Dan. "Insulin pump hack delivers fatal dosage over the air." The Register. (Oct. 27, 2011).
Kirk, Jeremy. "Pacemaker hack can deliver deadly 830-volt jolt." Computerworld. (Oct. 17, 2012).
FDA Safety Communication. "Cybersecurity for Medical Devices and Hospital Networks." (June 13, 2013).
FDA Safety Communication. "Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System." (July 31, 2015).
Higgins, Kelly Jackson. "Security firm discovered malware-infected medical devices in three hospitals hit by data breaches." Dark Reading. (June 8, 2015).




"The Health Law Firm" is a registered fictitious business name of George F. Indest III, P.A. - The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2015 The Health Law Firm. All rights reserved.

 