Cybersecurity

There have been some wild, if not downright ridiculous, examples of security breaches in the news over the last year.

  1. Remember the vulnerability in a certain low-power model FM radio transmitter that allowed hackers to “take over” a radio station and broadcast a rather nasty song about our current commander in chief?
  2. How about the phishing scheme at Moneytree where a hacker impersonating the CEO was able to access payroll records for thousands of employees?
  3. And then there’s the almost daily headline of yet another scam to get people to visit bogus web pages, resulting in stolen identities and profile information.

Cybersecurity threats are costing the American economy billions of dollars every year, but when the hacks and breaches step over the line into healthcare, the results can be deadly.  VertitechIT Solutions Architect Steve Merritt is a board member of the Healthcare Technology Foundation and speaks around the country on the threats posed by vulnerabilities in commonly used medical devices.

“In the past, medical devices were an island unto themselves,” says Merritt.  “But today, the advent of electronic medical records systems and the need to transmit health data for diagnostic and financial purposes along a hospital network have opened up a Pandora’s box of threats … sometimes with potentially deadly results.”

Steve points to the case of a night nurse who hacked into a hospital’s drug protocol system last year.  Nurse Charles Cullen is now serving a life sentence for murdering patients in nine hospitals over a sixteen-year period.

Here’s Steve’s list of some other medical device and software vulnerabilities that could prove tragic, if IT professionals don’t take action now.

  1. Merlin@home implantable cardiac device system could allow a third party to remotely “access or influence communications” between Merlin.net and transmitter endpoints that could drain the battery or send inappropriate electric pulses to patient devices
  2. Surgical robots – an attacker can take remote control of the devices
  3. Hospira Symbiq infusion pump - possible to remotely take over the machine and “press” the buttons on the device’s touchscreen, as if someone were standing right in front of it
  4. Cardiac Cath Lab – compromise of PHI
  5. Johnson and Johnson insulin pump - an adversary within sufficient proximity (which can depend on the radio transmission equipment being used) can remotely harm users of the system and potentially cause them to have hypoglycemic reactions, if the user does not cancel the insulin delivery on the pump
  6. Conficker worm – makes millions of devices that use off-the-shelf (OTS) Windows vulnerable
  7. Smiths Medical medication safety software – can be compromised and the library altered, potentially allowing a wrong dose to be administered

So what’s a healthcare IT department to do to mitigate the threats? Here are some suggestions.

  1. Change the procurement process.  Establish proper governance models and embed cybersecurity requirements into assessments of every new device purchase.
  2. Change the asset management process.  The most common attack vector is still people.  Disable all UI that isn’t required, beware of remote access tools, and disable removable media capabilities.
  3. Change the asset inventory process.  Initiate regularly scheduled vulnerability scans, know what’s out there, address the gaps, work with vendors, and leverage OTS tools.
  4. Change life-cycle management.  Up your virus protection, retire aging components like hard drives, and subscribe to public alert lists.
  5. Implement a patching process.  Hold yourself accountable and stick to a schedule.

The risks are great.  The result of inaction could be deadly. 

Steve Merritt is a nationally known expert in medical device management.  He can be reached via email at smerritt@vertitechit.com or on Twitter @HITMerritt.