According to the Information Security and Privacy Advisory Board (ISPAB), federal agencies need to do more to protect the security of networked medical devices, such as wireless insulin pumps and pacemakers—including strengthening reporting methods for incidents.
The board sent a letter on March 30 to U.S. Department of Health and Human Services, National Security Council, Department of Homeland Security, NIST, and the U.S. Office of Management and Budget outlining key issues.
“With increasing connectivity comes greater functionality and manageability, but also increased risks of both unintentional interference and malicious tampering via these communication channels,” writes Daniel J. Chenok, chairman of the ISPAB, to Jeffrey Zients, acting director of the U.S. Office of Management and Budget.
Marc Weber Tobias, an investigative attorney and physical security specialist, writes in an April 20 article on Forbes.com that “by 2006, more than half of the medical devices had embedded software. Between 2002 and 2010 there were more than 537 recalls of these systems. The number of actual devices in service was more than 1.5 million.”
This is a significant (although not rampant) figure. However, as hackers become more sophisticated, this vulnerability could become a much more significant problem. For example, in 2011, McAffee, an Internet security firm, successfully conducted an “ethical hack” of wireless Medtronic insulin pump. Security expert and diabetic Jay Radcliffe also hacked his own insulin pump in a live demonstration at the Black Hat security conference in Las Vegas last year.
These two instances alone have shown how wireless insulin pumps can be accessed remotely via the Internet and adjusted to create dangerous levels.
“I see hardware hacking with medical devices in the future,” says Radcliffe. “If somebody gets hurt through a medical device being tampered with and potentially dying, it raises the stakes a bit. If one person were to be harmed, it would be a very big deal. It would be front page news everywhere.”
The real problem, according to Tobias, is the proliferation of software-controlled medical devices that are increasingly available through, and exposed to cyber security risks on, the Internet.
“These risks include a wide spectrum of applications from desktop computers controlling radiological imaging to custom embedded software as found in pacemakers with increased connectivity that offers greater functionality and manageability,” he says. “There are concurrent increased risks of both unintentional interference and malicious tampering conducted with these same communications channels.”
Although computer viruses have infected medical-related computers and devices, there are no security regulations by the FDA (yet)
“Our concern for products is: are they safe and are they effective?’’ states FDA spokeswoman Karen Riley. “We don’t weigh in on security per se, but on measures like encryption that might affect or could have an impact on product safety and effectiveness, we might look at it.’’
Although hacking medical devices to do harm isn’t a major problem yet, it could be in the near future. Even if security isn’t required by the FDA, if a patient dies as a result of the hacking of a personal device you can bet that medical device manufacturer will face an expensive wrongful death lawsuit.
“Protecting systems and patients from malicious third-party attacks is critical because viruses can be spread on a global basis in hours, not days,” adds Tobias. “These devices can be hacked with laptops, high-gain antennas, and relatively simple software. Unprotected wireless links can allow remote control of these devices to load malware and upgrade internal software and firmware.”
ISPAB wants the federal government to collect more data and come up with a way to regulate the problem.
“The point of the letter is to say we really don’t know what this cybersecurity problem looks like,” says Chenok, who is also vice president for technology strategy at IBM Global Business Services. “What’s the size of the issue, and how should the government best tackle it? Right now the data collection is episodic rather than systematic. We want more empirical rigor around reporting, collection, and analysis of medical device cybersecurity incidents and vulnerabilities.”
Some of the suggestions by the ISPAB include:
- Authorize a single entity, such as the FDA, to evaluate cybersecurity “during pre-market clearance and approval of devices, and during post-market surveillance of cybersecurity threat indicators at time of use”
- The U.S. Computer Emergency Readiness Team should define reporting standards for medical device cybersecurity incidents “to incentivize government, providers, and manufacturers to collect cybersecurity threat indicators so that the country is prepared for the inevitable growth in device incident reports”
- Create a collaboration between the FDA and the National Institute of Standards and Technology (NIST) to research cybersecurity features on networked devices that can be enabled by default
- Assign a lead entity to establish better training and education to inform users, health-care organizations, and manufacturers about the risks associated with networked and wireless medical devices
- Study whether additional policy or legislative changes are needed to promote medical device security
“While wireless access to devices and interface with the Internet can markedly improve the delivery of health care, there must be an equal understanding of computing security,” says Tobias. “The medical industry uses software-based devices such as insulin pumps, artificial pancreases, neuro-stimulators, artificial vision systems, programmable vasectomies, smart stents, pacemakers, ICDs, and many others. All this wonderful science has risks which the industry can and must mitigate through vigilance, expertise and modern regulations.”