Could Medical Device Security Depend Upon Clinicians?

Building clinician awareness of the potential for compromised devices could save lives

By Megan Headley

HIPAA may require safeguards for protecting the privacy of personal health information, but it doesn’t lay out a specific plan for how healthcare organizations are to protect patients from the threat of cyberattacks.
And these types of attacks aren’t slowing down. The Department of Health and Human Services’ Office of Civil Rights is investigating 22 instances of healthcare provider or health plan data breaches from January 2019 alone.

While data breaches are hugely problematic, healthcare systems worry that hackers may be thinking bigger. For nearly a decade, healthcare professionals and medical device manufacturers have been aware that medical devices, including insulin pumps and pacemakers, can be hacked. While some strides have been made in securing these types of devices, the growing interconnectivity of smart medical devices continues to outpace security.

A 2017 Frost & Sullivan forecast on the Internet of Medical Things (IoMT) predicted the IoMT market will grow at a compound annual rate of 26.2%, from $22.5 billion in 2016 to $72.02 billion by 2021. There is an entire spectrum of IoMT-enabled devices, including smart implants communicating information about patients, smart hospital rooms and clinical tools, devices supporting telehealth, and even drone-based emergency response. As this interconnectivity grows, new threats to device security are constantly revealed—but not always resolved.

While IT departments and manufacturers are pushing for patches and security upgrades, the ongoing threat is leading to new demands to build clinician awareness of this problem. If hackers turn from data to deadly consequences, physicians and nursing staff need to be aware that a life-saving medical device could actually be what puts a patient’s life in jeopardy.

The need for cybersecurity training for clinicians

The FDA defines a medical device broadly as an instrument, machine, implant, or similar item that is used in diagnosis, prevention, or treatment of a disease, or that affects the structure or function of a body in a way other than chemical action. Should such a device fail to work or become unpredictable in its performance—through a malware attack, for example—there is the potential for life-threatening consequences.

“Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked,” commented Russell Branzell, president and CEO of the College of Healthcare Information Management Executives (CHIME), in an October 2018 report on cybersecurity.

The CHIME report, conducted in collaboration with KLAS Research, surveyed healthcare IT executives and found that 18% of provider organizations had medical devices impacted by malware or ransomware in the last 18 months. While few of these incidents reportedly compromised protected health information, they did seem to shake providers’ confidence in these devices. The survey found that only 39% of respondents were confident that their current strategy protects patient safety and prevents disruptions in care. And no one seems quite certain how to increase that confidence level.

The FDA is aiming to fill in some of those gaps. In October 2018, FDA Commissioner Scott Gottlieb, MD, released a statement outlining new resources from the administration aimed at strengthening its medical device cybersecurity program.

“Even when medical devices are not being deliberately targeted, if these products are connected to a hospital network, such as radiologic imaging equipment, they may be impacted,” Gottlieb commented in the statement.

While these devices haven’t been directly targeted yet, there is a very real potential they will be. As Gottlieb explained, “Cybersecurity researchers, often referred to as ‘white hat hackers,’ have identified device vulnerabilities in non-clinical, research-based settings. They’ve shown how bad actors could gain the capability to exploit these same weaknesses, thereby acquiring access and control of medical devices.”

The goal, obviously, is to prevent any such attack from ever occurring. Therefore, in coordination with the MITRE Corporation, the FDA has released a cybersecurity “playbook” for healthcare delivery organizations focused on promoting cybersecurity readiness.

The Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook describes the types of readiness activities that can assist healthcare organizations in preventing a cybersecurity incident involving medical devices. These include steps such as developing a medical device inventory and conducting training exercises.

The weak link in cybersecurity

“Cybersecurity attacks are inherently unpredictable ‘no notice’ events, with insufficient or inaccurate information in the early stages,” the FDA playbook states. “Healthcare delivery organizations cannot predict the timing, severity, and rapid trajectory of a particular cyberattack. An incident may result in organizational confusion and delays that may adversely affect delivery of care.”

While the FDA puts much responsibility on device manufacturers to provide proper security updates, it also encourages all medical device users, including clinicians, to be aware of potential cybersecurity incidents and appropriate responses. User awareness is especially critical in discovering these incidents, the guide notes, as most cybersecurity issues are found by users who notice unusual device behavior.

Research indicates that people are among the weakest links in cybersecurity, making it critical that organizations raise awareness among end users. The FDA and a multitude of articles advise hospitals to hold annual mock exercises for providers and other hospital staff that integrate lessons learned from publicly revealed attacks.

Medical device manufacturers can help in this training. During the procurement process, healthcare systems can opt to work with manufacturers that will participate in regional medical device cybersecurity exercises. By including manufacturers in these exercises, healthcare organizations can build relationships and define who is responsible for what. For example, the FDA advises healthcare organizations to rapidly report incident details to the manufacturer so that the manufacturer can stop the attack and prevent future problems. These exercises also can help manufacturers refine their own processes for incident management.

What clinician cybersecurity training might look like

A team of doctors and computer scientists with the University of California (UC) San Diego, UC Davis, and Maricopa Medical Center in Phoenix demonstrated the need for clinician awareness of cybersecurity risks at the August 2018 Black Hat conference. Drs. Christian Dameff and James Killeen of the Department of Emergency Medicine for UC San Diego, Dr. Jordan Selzer and Jonathan Fisher of Maricopa Medical Center’s Department of Emergency Medicine, and Dr. Jeffrey Tully of UC Davis’ Department of Anesthesia and Pain Medicine simulated a simple way to exploit the connection between laboratory devices and medical record systems to modify medical test results.

The team demonstrated a “man-in-the-middle attack,” where a computer inserts itself between the laboratory machine and the records system, on a test system they created. The team was able to remotely modify blood test results to indicate that the “patient” was suffering from diabetic ketoacidosis. In the real world, prescribing an insulin drip to a falsely diagnosed patient could lead to coma or death. The researchers also modified the blood test results to indicate that the patient had low potassium, knowing that starting a potassium IV on a healthy patient could cause a heart attack.

Following the demonstration, the researchers provided details to physicians on how to simulate these types of exercises in their own facilities. In an article in the February 2019 issue of The Journal of Emergency Medicine, the researchers lay out their development and execution of three clinical simulations designed to teach clinicians to recognize, treat, and prevent patient harm from vulnerable medical devices.

The team compiled data and conducted interviews with medical device manufacturers to identify three devices with known vulnerabilities: bedside infusion pumps, automated internal cardioverter-defibrillators, and insulin pumps. Next, they crafted patient scenarios around each of these devices, based on vulnerabilities highlighted either in the media or through security conferences. Simulations were conducted using these scenarios at the University of Arizona College of Medicine-Phoenix, with teams made up of an emergency physician, med students, simulation-trained nurses, paramedics, and patient actors trained in simulation, later supported by high-fidelity simulation mannequins.

In each scenario, the physicians succeeded in reaching the appropriate treatment. Yet in each case, they failed to identify the medical device as a source for the patient’s presentation. During the debriefing, the physicians admitted to being completely unaware that a compromised device could be a source of patient harm. Worse, as one physician commented to the researchers during the debriefing, “I would have gone into the next room and grabbed the same pump for the next patient.” By not considering that a medical device could be compromised, the physicians also ignored the possibility that all such similar devices could be compromised. This lack of awareness has major ramifications for patient safety.

While the researchers admit to the study’s limitations, they note that their chief goal is to build awareness that medical devices might not always be reliable. In addition, by recognizing the frailty of the existing medical infrastructure, physicians can push their healthcare organizations to devote greater funding to security spending, or back such efforts if they’re already underway.

The researchers are now using their findings to develop medical cybersecurity training for physicians, and the CyberMed 2018 Summit hosted by the University of Arizona College of Medicine-Phoenix provided some insight into how this training might look. Tully, Dameff, and event co-organizers invited fellow physicians to participate in clinical simulations that placed them in simulated emergency situations where they ultimately learned that the systems upon which they depended to care for sick patients were not reliable. The summit also included tabletop exercises, where attendees mapped out responses to a simulated cybercrisis impacting local hospitals.

New responsibility for devices

In a 2015 article from Medical Devices, researchers Patricia A.H. Williams, of the School of Computer and Security Science at Edith Cowan University in Australia, and Andrew J. Woodward, of the university’s eHealth Research Group and Security Research Institute, point out that the term “cybersecurity” connotes specific challenges: a danger to computer networks and the information they contain. But the potential threats facing smart medical devices create a multitude of previously nonexistent problems. It becomes difficult to diagnose a problem that has never before been faced.

The researchers write, “It is important to note that vulnerabilities were always inherent in these devices, and that it is the exposure to a greater threat landscape, through these network connections, that is responsible for the increased risk. Thus, the responsibility for maintaining device functionality, integrity and confidentiality of information, patient privacy, device and information availability, to prevent adverse effect on patient safety is now shared by manufacturers, healthcare providers, and patients.”

Certainly, healthcare organizations must invest in security to protect their patients. But clinicians may also need to shoulder new responsibilities here. By considering the possibility that a medical device may be prone to error or worse, clinicians can better fill their roles as frontline responders.

See Something, Say Something

The FDA’s medical device reporting program relies on reports of medical device malfunctions to drive safety improvements. Should you notice a safety concern or be involved in a device-related adverse event, the FDA advises taking these steps:

  1. Recognize when a device malfunctions and stop using it to prevent possible harm.
  2. Remove the device immediately and tag it with a label describing the problem.
  3. Report the incident through the appropriate channels per your facility’s policy. If the facility does not have a policy, you can submit voluntary reports about adverse events that may be associated with a medical device, as well as use errors, quality issues, and therapeutic failures, directly through the FDA’s MedWatcher mobile app or www.accessdata.fda.gov/scripts/medwatch.

Megan Headley is a freelance writer and owner of ClearStory Publications. She has covered healthcare safety and operations for numerous publications. Headley can be reached at megan@clearstorypublications.com.