Medical cybersecurityMedical devices, not only medical records, are vulnerable to hackers
Health organizations have spent millions of dollars to protect hospital computer systems and software from malware, but hospitals today are increasingly equipped with many medical devices linked to Wi-Fi, making the devices a portal to hospital room operations. Infusion pumps deliver measured doses of nutrients or medications such as insulin or other hormones, antibiotics, chemotherapy drugs, and pain relievers into a patient’s body. Although it has yet to happen, it is quite possible for a hacker to infiltrate an active infusion pump on a hospital’s Wi-Fi and change the dosage. Hackers can also use the pump’s network access to inject malware in the hospital’s network systems, giving them entry to patients’ medical records. The records can then be sold to identity thieves.
Healthcare security executives are aware of the threats hackers pose to digital records of patient names, social security numbers, and medical history. Health organizations have spent millions of dollars to protect hospital computer systems and software from malware, but hospitals today are increasingly equipped with many medical devices linked to Wi-Fi, making the devices a portal to hospital room operations. Infusion pumps deliver measured doses of nutrients or medications such as insulin or other hormones, antibiotics, chemotherapy drugs, and pain relievers into a patient’s body. Although it has yet to happen, it is quite possible for a hacker to infiltrate an active infusion pump on a hospital’s Wi-Fi and change the dosage. Hackers can also use the pump’s network access to inject malware in the hospital’s network systems, giving them entry to patients’ medical records. The records can then be sold to identity thieves.
Star Tribune reports that federal health agencies are teaming up with hospitals and medical device makers to develop guidelines to prevent cyberattacks. Much attention has been giving to pumps with Wi-Fi because of their considerable presence in hospitals and clinics.
“Infusion pumps are ubiquitous. At Allina, we have over 3,000 infusion pumps across the system,” said Linda Zdon, director of information security and compliance at the twelve-hospital Twin Cities health system. “Almost every hospital patient at some point has an infusion pump. So it certainly strikes at an area that has a broad application for most patients, and therefore has a significant impact on health systems.”
Alina, Fairview Health Services, and HealthPartners are three Minnesota healthcare companies working with the National Institute of Standards and Technology (NIST) to develop a “use case” for wireless pumps. Chicago-based medical device supplier Hospira, who has an infusion pump currently under investigation by DHS officials for suspected cybersecurity flaws, is also working with NIST to introduce improved standards for infusion pumps. NIST’s goal is to accelerate the introduction of standards that will help protect medical devices against cyberattacks. The first set of recommendations will be issued later this fall. Device makers have insisted that they are developing better secured hospital equipment but hospital executives say the process is too slow.
The federal government should “hold device manufacturers accountable for cybersecurity,” read a November 2014 American Hospital Association letter to the Food and Drug Administration (FDA). The FDA launched its own review of infusion pumps in 2010 in response to 56,000 reports of software defects and related issues. The FDA also hosted its first-ever cybersecurity conference for medical devices last year.
Security analysts for the healthcare industry have compared infusion pumps to the 2014 breach at Target Corp, when hackers accessed data belonging to more than seventy million customers. Those hackers infiltrated Target’s computer records through a vulnerability in a network designed for a heating, ventilating, and air-conditioning (HVAC) contractor. “The infusion pump is to the hospital what the HVAC system was to Target. That is, it becomes the vector to get in,” said Ken Hoyme, a computer-security scientist at Minneapolis’ Adventium Labs.