Privacy & Security

Medjacking: The newest healthcare risk?

If you're looking for trends in cyber-crime, it's best to follow the money
By Mahmood Sher-Jan
September 24, 2015
05:48 PM

In early August, Popular Science reported an FDA safety warning against an infusion pump used in hospitals. According to the FDA, a type of pump used to administer IV fluids is vulnerable to cyber-attack, potentially putting patients' lives at risk. The article points out that, in an episode of the TV series Homeland, hackers killed the U.S. vice-president by hacking and disabling his pacemaker.

While that kind of attack is a great plot device for a TV drama (and makes medical device security an entertaining topic for Popular Science), the wider security threats posed by medical devices are both more mundane and potentially more destructive. Healthcare information is being exposed in more places every day, creating new risks for patients, providers, payers, and other organizations. In this article, I'll look at how medical devices fit into the risk profile.

[See also: Threat matrix: Malware and hacking pose dangers to medical devices ]

Computer Science Zone reports that there will be 25 billion connected smart devices in use in the next five years (there are almost 5 billion already). A significant portion of these will be medical devices, from pacemakers to drug pumps, mobile medical workstations, in-home monitors, and personal fitness devices. A recent article in WorldNow proclaimed, "It may sound like a science fiction novel, but medical devices could someday be the target of hackers." But the fact is that these devices are already being hacked, a trend that is alarming hospitals and other healthcare organizations. In fact, this kind of hacking is already widespread enough to have a new name: medjacking.

Tiny keys to big doors
It's true that hackers could tamper with medical devices to harm individuals, but thus far these devices are being hacked to unlock portals into larger medical systems and steal protected health information. In June 2015, security company TrapX released a report showing that the majority of healthcare organizations are vulnerable to medical device hijacking (a term they shortened to "medjacking"). The report also detailed incidents of medjacking in three hospitals. In one, a blood gas analyzer infected with two different types of malware was used to steal passwords to other hospital systems, and confidential data was being sent ("exfiltrated," in hacker parlance) to computers in Eastern Europe. In another hospital, the radiology department's image storage system was used to gain entry to the main network and send sensitive data to a location in China. In a third hospital, hackers had installed a back door in a drug pump to gain access to the hospital network.

While national security agencies are no doubt preparing for the cloak-and-dagger scenario of medjacking against an individual, if you're looking for trends in cyber-crime, it's best to follow the money. In an earlier article on the economics of cyber-crime, we pointed out that stolen medical identities can bring in many times the price of a stolen credit card number. In their current state of security, many medical devices offer hackers an easy entry point to steal massive numbers of records from healthcare provider's data systems. The TrapX report quotes its co-founder and vice president Moshe Ben Simon: "Attackers know that medical devices on the network are the easiest and most vulnerable points of entry. The medjack is designed to rapidly penetrate these devices, establish command and control, and then use these as pivot points to hijack and exfiltrate data from across the healthcare institution."

Right now, high-volume data theft appears to be the golden ticket for medjackers, but other kinds of attacks are undoubtedly coming. In June 2015, Wired reported that security researcher Billy Rios had written a program that could remotely force multiple pumps to send hospital patients potentially lethal amounts of drugs. Imagine if cyber-criminals were to actually use such a program to create panic, or if they harmed a few patients as a demonstration and then demanded ransom not to harm more.

Device security too slow in coming
Security researchers have been raising alarms about medical device security for several years. In 2012, security researcher Jay Radcliffe made news when he demonstrated the ability to hack an insulin pump using a standard $20 radio transmitter bought from a consumer electronics store. At this point, the FDA has released security recommendations to manufacturers, and, according to Computerworld, even the Department of Homeland security is investigating cyber-security flaws in medical devices.

[See also: Safety demands better device integration]

There are multiple challenges in maintaining medical device security. Many medical devices are built with the VxWorks real-time operating system, the most widely used OS in the "Internet of Things," and, as with any operating system, new security flaws in VxWorks are being discovered and exploited faster than they can be patched. Another challenge, according to TrapX, is that while healthcare IT staff will manage security for hospital information systems, "they can't access the internal software in medical devices, so they have to rely on device manufacturers to build and maintain security on those devices." And manufacturers have not proved quick to address security issues. Rios, the researcher who hacked drug pumps, said in a blog post that, "Over 400 days later, we have yet to see a single fix for the issues affecting the PCA 3 [drug pump], though the FDA published an advisory."

Guarding the back doors
The risks with medical devices are likely to get worse before they get better. A hard-pressed healthcare industry is quick to adopt innovative new devices and mobile applications that can lower healthcare costs and improve patients' quality of life, and initiatives like the FDA's Medical Device Home Use Initiative will drive up device use outside the firewalls of hospital and clinic networks. To stay ahead of device risks, healthcare providers need to expand their thinking about PHI protection, to look not just at protecting the data where it lives, but about guarding the doors to the data, including the potentially billions of back doors created by medical devices.

As more instances of medjacking make the news, the medical device industry and regulatory agencies will have to come up with security standards and practices for the devices. At this point, the FDA has only issued recommendations for device security, but regulation is likely coming. Computerworld reports that the DHS Industrial Control Systems Cyber Emergency Response Team  (ICS-CERT) is already "working with manufacturers to identify and repair software coding bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment."

With the new attention on medjacking, device security is likely to improve greatly from where it is today. In the meantime, healthcare providers can help improve their own risk profiles by choosing devices with the best security features available (many today don't even encrypt data before transmitting); by pressing manufacturers to adopt security standards and come up with solutions for prompt security fixes and software patches; by segmenting networks to isolate devices from sensitive data sets; and by training patients and staff to use devices in the most secure way possible.

All these measures are vital, but the increase in cyber-attacks over the last few years has shown us that data breaches are inevitable. It's also critical that healthcare providers track new threats as they happen, so that attacks can be identified and isolated quickly. Device attack scenarios also need to be figured into risk management plans. (What if a threat actor did attack individuals through devices? How quickly could such an attack be stopped without further endangering the people dependent on those devices? How quickly can they be notified and told how to protect themselves?) In a recent HIMSS Cybersecurity Survey, 32 percent of respondents listed endpoint security as one of their biggest security barriers, so device security should be included among those endpoints and placed on the radar of a significant percentage of healthcare IT managers.

Medical device security is just one of the new security challenges the healthcare industry faces as information flows from the micro to the macro, from tiny patient implants through medical diagnostic equipment and workstations, provider information systems, and out to massive data centers in the cloud. 

Mahmood Sher-Jan is executive vice president and general manager, RADAR business unit of ID Experts.

Topics: 
Mobile, Network Infrastructure, Privacy & Security, Quality and Safety, Medical Devices

More regional news

VA building signage

House passes veterans healthcare package without RESET Act

By
Andrea Fox
November 21, 2024
David Miles of Oklahoma Heart Hospital

Deep dive: A tour of all-digital Oklahoma Heart Hospital, where automation is the norm

By
Bill Siwicki
November 21, 2024
Healthcare workers looking at X-ray images on monitors

Streamlining healthcare operations with multicloud-by-design

November 21, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

VA building signage
House passes veterans healthcare package without RESET Act

Most Read

Meridian, Mae partner to boost maternal outcomes, lower disparities
Particle Health files antitrust suit against Epic
Choosing a managed IT service for aged care
The future of interoperability: shaped by patient experience priorities and the needs of AI
ASTP intros 2024 draft Federal FHIR Action Plan
VA must strengthen controls addressing EHR performance

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

David Miles at Oklahoma Heart Hospital_Part 1_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
The CIO of an all-digital hospital walks readers through its successes
Dr Alice Sutedjo Lisa at SMC Telogorejo Hospital_HIMSS24 APAC
Assisting the elderly in digital care
Dr. Benoit Desjardins of the University of Montreal
Cyberattacks are becoming more widespread, and more disruptive
George Pappas at Intraprise Health_Digital shield and lock Photo by da-kuk/Getty Images
Tighter cyber mandates hold New York providers to higher security standards

More Stories

BJ Schaknowski of symplr
Too many IT systems with limited alignment impacts care quality
Doctor in scrubs using computer
Tenet to deploy AI platform across its physician network
Healthcare CIO with other healthcare executives
Health system CIOs' strategic responsibilities continue to evolve
George Pappas at Intraprise Health_Digital shield and lock Photo by da-kuk/Getty Images
Tighter cyber mandates hold New York providers to higher security standards
Clinicians look at diagnostic imaging
American College of Radiology launches AI quality registry
A doctor with glasses sits at a desk and speaks during a telehealth visit.
DEA and HHS extend virtual prescribing for controlled substances through 2025
Dr. Jay Anders at Medicomp Systems_Computer chip with stethoscope Photo by Just_Super/iStock/Getty Images Plus
Transparency and responsible AI are crucial for medical devices
George Pappas of Intraprise Health on cybersecurity
How to protect telemedicine from cyberattacks