Building clinician awareness of potential cyberattacks on medical devices could save patient lives.
Editor's note: This article originally appeared May 6, 2019, on the PSQH website. It has been edited for brevity.
HIPAA may require safeguards for protecting the privacy of personal health information, but it doesn't lay out a specific plan for how healthcare organizations are to protect patients from the threat of cyberattacks.
And these types of attacks aren't slowing down. The Department of Health and Human Services Office for Civil Rights is investigating 22 instances of healthcare provider or health plan data breaches from January 2019 alone.
While data breaches are hugely problematic, healthcare systems worry that hackers may be thinking bigger. For nearly a decade, healthcare professionals and medical device manufacturers have been aware that medical devices, including insulin pumps and pacemakers, can be hacked.
A 2017 Frost & Sullivan forecast on the Internet of Medical Things (IoMT) reports "an estimated 4.5 billion IoMT devices existed in 2015, accounting for 30.3% of all IoT devices globally. This number is expected to grow to 20–30 billion IoMT devices by 2020." There is an entire spectrum of IoMT-enabled devices, including smart implants communicating information about patients, smart hospital rooms and clinical tools, devices supporting telehealth, and even drone-based emergency response. As this interconnectivity grows, new threats to device security are constantly revealed—but not always resolved.
While IT departments and manufacturers are pushing for patches and security upgrades, the ongoing threat is leading to new demands to build clinician awareness of this problem. If hackers turn from data to deadly consequences, physicians and nursing staff need to be aware that a life-saving medical device could actually be what puts a patient's life in jeopardy.
The need for cybersecurity training for clinicians
The FDA defines a medical device broadly as an instrument, machine, implant, or similar item that is used in diagnosis, prevention, or treatment of a disease, or that affects the structure or function of a body in a way other than chemical action. Should such a device fail to work or become unpredictable in its performance—through a malware attack, for example—there is the potential for life-threatening consequences.
"Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked," commented Russell Branzell, president and CEO of the College of Healthcare Information Management Executives (CHIME), in an October 2018 report on cybersecurity.
The CHIME report, conducted in collaboration with KLAS Research, surveyed 148 healthcare IT executives and "found that 18% of provider organizations had medical devices impacted by malware or ransomware in the last 18 months." While few of these incidents reportedly compromised protected health information, they did seem to shake providers' confidence in these devices. The survey found that only 39% of respondents were "very confident or confident that their current strategy protects patient safety and prevents disruptions in care."
The FDA is aiming to fill in some of those gaps. In October 2018, Scott Gottlieb, MD, the FDA Commissioner at that time, released a statement outlining new resources from the administration aimed at strengthening its medical device cybersecurity program.
"Even when medical devices are not being deliberately targeted, if these products are connected to a hospital network, such as radiologic imaging equipment, they may be impacted," Gottlieb commented in the statement.
While these devices haven't been directly targeted yet, there is potential they will be. As Gottlieb explained, "Cybersecurity researchers, often referred to as 'white hat hackers,' have identified device vulnerabilities in nonclinical, research-based settings. They've shown how bad actors could gain the capability to exploit these same weaknesses, thereby acquiring access and control of medical devices."
The goal, obviously, is to prevent any such attack from ever occurring. Therefore, in coordination with the MITRE Corporation, the FDA has released a cybersecurity "playbook" for healthcare delivery organizations focused on promoting cybersecurity readiness.
The Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook describes the types of readiness activities that can assist healthcare organizations in preventing a cybersecurity incident involving medical devices. These include steps such as developing a medical device inventory and conducting training exercises.
What clinician cybersecurity training might look like
A team of physicians and computer scientists with the University of California (UC) San Diego, UC Davis, and Maricopa Medical Center in Phoenix demonstrated the need for clinician awareness of cybersecurity risks at the August 2018 Black Hat conference. Christian Dameff, MD, and James Killeen, MD, of the Department of Emergency Medicine for UC San Diego; Jordan Selzer, MD, and Jonathan Fisher, MD, of Maricopa Medical Center's Department of Emergency Medicine; and Jeffrey Tully, MD, of UC Davis' Department of Anesthesia and Pain Medicine simulated a simple way to exploit the connection between laboratory devices and medical record systems to modify medical test results.
The team demonstrated a "man-in-the-middle attack," where a computer inserts itself between the laboratory machine and the records system, on a test system they created. The team was able to remotely modify blood test results to indicate that the "patient" was suffering from diabetic ketoacidosis. In the real world, prescribing an insulin drip to a falsely diagnosed patient could lead to coma or death. The researchers also modified the blood test results to indicate that the patient had low potassium, knowing that starting a potassium IV on a healthy patient could cause a heart attack.
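The attack described above works because the results channel between the analyzer and the records system carries no proof of who produced the message. The following is an added defensive example, not code from the researchers, the FDA, or any hospital system: it uses a simplified HL7-v2-style ORU result message (constructed here) and a hypothetical pre-shared key known to both the analyzer and the records system. The receiving side recomputes an HMAC tag over the message and rejects any copy whose values were rewritten in transit; it also flags results that fall outside a reference range, which is the kind of clinical-plausibility signal a clinician or an EHR rule could surface. The range check is only a secondary flag; a message that fails the integrity check is rejected regardless of how plausible its values look.

```python
"""
Integrity checking for lab-result messages in transit (constructed example).

The message format is a simplified HL7-v2-style ORU^R01 result, the key is a
hypothetical secret provisioned out of band to both endpoints, and the patient
identifier is a placeholder. None of this is code from the study or a vendor.
"""
import hmac
import hashlib

# Hypothetical pre-shared key; in a real deployment this comes from a key
# management process, never from source code.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Reference ranges (mmol/L) used only for a plausibility flag on the receiving side.
REFERENCE_RANGES = {
    "GLUCOSE": (3.9, 7.8),
    "POTASSIUM": (3.5, 5.0),
}


def sign_message(message: str, key: bytes = SHARED_KEY) -> str:
    """Return an HMAC-SHA256 tag (hex) over the raw message bytes."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_message(message: str, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Constant-time comparison of the received tag against a recomputed one."""
    expected = sign_message(message, key)
    return hmac.compare_digest(expected, tag)


def parse_results(message: str) -> dict:
    """Extract analyte-name -> value pairs from the OBX segments (OBX-3 and OBX-5)."""
    results = {}
    for segment in message.split("\r"):
        fields = segment.split("|")
        if fields[0] == "OBX" and len(fields) > 5:
            results[fields[3]] = float(fields[5])
    return results


def flag_out_of_range(results: dict) -> list:
    """Return the names of analytes whose value lies outside the reference range."""
    flagged = []
    for name, value in results.items():
        lo, hi = REFERENCE_RANGES.get(name, (float("-inf"), float("inf")))
        if not lo <= value <= hi:
            flagged.append(name)
    return flagged


def receive(message: str, tag: str) -> dict:
    """Receiver-side handling: reject tampered messages first, then flag implausible values."""
    if not verify_message(message, tag):
        return {"accepted": False, "reason": "integrity check failed", "results": {}, "flags": []}
    results = parse_results(message)
    return {"accepted": True, "results": results, "flags": flag_out_of_range(results)}


# Constructed analyzer output for a healthy patient: normal glucose and potassium.
ORIGINAL_MESSAGE = (
    "MSH|^~\\&|ANALYZER|LAB|EHR|HOSP|20190506120000||ORU^R01|MSG0001|P|2.5\r"
    "PID|1||PATIENT-ID-PLACEHOLDER\r"
    "OBX|1|NM|GLUCOSE||5.4|mmol/L|3.9-7.8|N|||F\r"
    "OBX|2|NM|POTASSIUM||4.1|mmol/L|3.5-5.0|N|||F"
)
ORIGINAL_TAG = sign_message(ORIGINAL_MESSAGE)

# The same message with both values rewritten in transit; the tag was computed
# by the analyzer over the genuine values and is forwarded unchanged.
TAMPERED_MESSAGE = ORIGINAL_MESSAGE.replace("||5.4|", "||28.0|").replace("||4.1|", "||2.2|")


def demo() -> tuple:
    """Process the genuine message and the tampered copy; return both outcomes."""
    return receive(ORIGINAL_MESSAGE, ORIGINAL_TAG), receive(TAMPERED_MESSAGE, ORIGINAL_TAG)


if __name__ == "__main__":
    genuine, tampered = demo()
    print("genuine :", genuine)
    print("tampered:", tampered)
```

Running the block shows the genuine message accepted with no flags, and the tampered copy rejected at the integrity step even though its rewritten glucose and potassium values would also have tripped the range flags. The design point is the ordering: authentication of the message source comes first, and clinical plausibility is a second, independent signal that helps a clinician notice a device behaving unexpectedly.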
Following the demonstration, the researchers provided details to physicians on how to simulate these types of exercises in their own facilities. In an article in the February 2019 issue of The Journal of Emergency Medicine, the researchers lay out their development and execution of three clinical simulations designed to teach clinicians to recognize, treat, and prevent patient harm from vulnerable medical devices.
The team compiled data and conducted interviews with medical device manufacturers to identify three devices with known vulnerabilities: bedside infusion pumps, automated internal cardioverter-defibrillators, and insulin pumps.
Next, they crafted patient scenarios around each of these devices, based on vulnerabilities highlighted either in the media or through security conferences. Simulations were conducted using these scenarios at the University of Arizona College of Medicine-Phoenix, with teams made up of an emergency physician, med students, simulation-trained nurses, paramedics, and patient actors trained in simulation, later supported by high-fidelity simulation mannequins.
In each scenario, the physicians succeeded in reaching the appropriate treatment. Yet in each case, they failed to identify the medical device as a source for the patient's presentation. During the debriefing, the physicians admitted to being completely unaware that a compromised device could be a source of patient harm. Worse, as one physician commented to the researchers during the debriefing, "I would have gone into the next room and grabbed the same pump for the next patient." By not considering that a medical device could be compromised, the physicians also ignored the possibility that all such similar devices could be compromised.
While the researchers admit to the study's limitations, they note that their chief goal is to build awareness that medical devices might not always be reliable. In addition, by recognizing the frailty of the existing medical infrastructure, physicians can push their healthcare organizations to devote greater funding to security spending, or back such efforts if they're already underway.
The researchers are now using their findings to develop medical cybersecurity training for physicians, and the CyberMed 2018 Summit hosted by the University of Arizona College of Medicine-Phoenix provided some insight into how this training might look. Tully, Dameff, and event co-organizers invited fellow physicians to participate in clinical simulations that placed them in simulated emergency situations where they ultimately learned that the systems upon which they depended to care for sick patients were not reliable. The summit also included tabletop exercises, where attendees mapped out responses to a simulated cybercrisis impacting local hospitals.
New responsibility for devices
In a 2015 article from Medical Devices, researchers Patricia A.H. Williams, of the School of Computer and Security Science at Edith Cowan University in Australia, and Andrew J. Woodward, of the university's eHealth Research Group and Security Research Institute, write about smart medical devices, "It is important to note that vulnerabilities were always inherent in these devices, and that it is the exposure to a greater threat landscape, through these network connections, that is responsible for the increased risk. Thus, the responsibility for maintaining device functionality, integrity and confidentiality of information, patient privacy, device and information availability, to prevent adverse effect on patient safety is now shared by manufacturers, healthcare providers, and patients."
Certainly, healthcare organizations must invest in security to protect their patients. But clinicians may also need to shoulder new responsibilities. By considering the possibility that a medical device may be prone to error or worse, clinicians can better fill their roles as frontline responders.
See something, say something
The FDA's medical device reporting program relies on reports of medical device malfunctions to drive safety improvements. Should you notice a safety concern or be involved in a device-related adverse event, the FDA advises taking these steps:
- Recognize when a device malfunctions and stop using it to prevent possible harm.
- Remove the device immediately and tag it with a label describing the problem.
- Report the incident through the appropriate channels per your facility's policy. If the facility does not have a policy, you can submit voluntary reports about adverse events that may be associated with a medical device, as well as use errors, quality issues, and therapeutic failures, directly through the FDA's MedWatcher mobile app or www.accessdata.fda.gov/scripts/medwatch.
Megan Headley is a freelance writer and owner of ClearStory Publications. She has covered healthcare safety and operations for numerous publications.
- Medical devices are at risk for being compromised by hackers.
- Clinicians can detect cybersecurity issues by noticing unusual device behavior.
- Mock drills can help clinicians prepare for a cyberattack.