In the past few years, medical devices have become a major target for online criminals. Not only are medical devices considered one of the easiest and most vulnerable points of entry into a health care enterprise, they are also one of the hardest areas to remediate even after an attack has been identified. Once a device is compromised, attackers can use it to steal patient medical records and personal data from the hospital's systems. They can also manipulate the device itself to harm, and potentially kill, patients. In a 2015 report, the cybersecurity firm TrapX stated that it expects targeted attacks on hospitals to keep increasing through the remainder of 2015 and into 2016.
According to Reuters, medical data has become more valuable to cybercriminals than credit card data. A stolen credit card is only useful until it expires or the owner notices the theft, whereas medical information can be used to establish a fake identity, open a line of credit, commit insurance fraud, or even blackmail the patient. A medical record typically contains the same payment details found on a credit card, plus social security numbers, dates of birth, addresses, and medical histories, none of which can simply be cancelled and reissued. Medical data is considered to be ten to twenty times more valuable on the black market than credit card information.
The TrapX report helps to explain why medical devices are such a target for hackers and why even some of the most technologically advanced hospitals struggle to identify and remediate attacks. First, medical devices are generally regarded as "black boxes." Hospital health information and security teams usually cannot access these devices without the cooperation of the manufacturer. Therefore, even when a compromise is suspected, the security team depends on the manufacturer's support to perform an analysis and diagnose malware. Second, hospitals are limited in how they may protect these devices. Any cyber protection added to a device, beyond a patch or software update supplied by the manufacturer, could affect the device's FDA clearance or approval, which in practice pushes defenses toward the network around the device (segmentation and monitoring) rather than onto the device itself.
Once hackers have compromised a medical device, they can use it as a persistent foothold from which to reach the hospital's network and attempt to steal personal data; medical records can be exfiltrated from a hospital through these infected devices. In addition, hackers can turn medical devices, such as insulin pumps and pacemakers, into weapons capable of deadly attacks. A recent Bloomberg Business report chronicled security researcher Billy Rios's findings on security flaws in medical devices and their potential consequences. In an experiment, Rios was able to take control of a Hospira Symbiq infusion pump and manipulate its actions. Rios explained that he could remotely cause the pump to deliver an entire vial of medication to a patient. In response to Rios's findings, the FDA issued a safety communication urging hospitals to stop using the Hospira Symbiq infusion pump. Similar issues have been detected in a number of other devices. For example, at the Def Con hacking conference, a researcher demonstrated the ability to remotely hack into a pacemaker and cause it to deliver a dangerous shock.
As publicity surrounding these threats continues to mount, the FDA faces the conundrum of drafting regulations that are specific enough to address current issues yet broad enough to keep pace with evolving attacker techniques. In the meantime, hospitals and other healthcare providers should prepare to deal with breaches of protected health information, and the resulting HIPAA obligations and penalties, should they become the target of one of these attacks.
The Health Law Gurus™ will continue to monitor the issues and rulings surrounding the hacking of medical devices.