Pacemakers get hacked on TV, but could it happen in real life?
'At this point, those devices are not up to standard.'
Common Vulnerabilities
One reason many existing devices might be vulnerable is they run on defunct operating systems like Windows XP, which Microsoft stopped supporting in April, meaning there won't be any new security patches. Other, newer devices may have built-in passwords that are difficult to update. Gaining access to them can be fairly easy, which could make them more vulnerable to attack, researchers say. In addition, a password is sometimes intentionally disabled so the device is easily accessible to medical staff in an emergency.
Hackers can also get into some inadequately protected hospital systems when staff members click on links in emails, not knowing they contain malicious code. Once transmitted to a hospital's intranet, that malware could find its way into unprotected device software and cause malfunctions, said Hoyme and Fu.
"If cybercriminals decide they can hack into a device to get health records, they won't think about whether they're messing with device performance: They're going after the money," Hoyme said.
Security experts warn that some of the same design flaws that make medical devices vulnerable would also make breaches hard to track.
"If your iPhone is compromised, it's a lot more straightforward for someone to determine if it's been tampered with. We're not there yet" with medical devices, said Billy Rios, a former Google software engineer turned security consultant.
He describes how he was able to buy a secondhand EKG machine, used to measure the heart's electrical activity, for just $25 online. Some infusion pumps and patient monitoring systems go for less than $100. That makes devices more readily available to those who want to figure out vulnerabilities to exploit.
"The effort required is so much lower," he said. "That's not a good position to be in."
What Hospitals Are Doing
Hospitals are loath to talk about device security publicly, but many are working to ensure their systems are stronger.
In a two-year test of information security, experts working for Essentia, a large Midwestern health system, found that many devices were hackable. For instance, they found that settings on drug infusion pumps could be altered remotely to give patients incorrect doses, that defibrillators could be manipulated to deliver random shocks and that medical records could be changed.
Stephen Curran, acting director of the division of resilience and infrastructure coordination with the Department of Health and Human Services, could not say how many facilities have a chief security officer or someone in charge of cybersecurity. But even small facilities have some relatively simple options for boosting the security of devices on their networks, he said, including "routine backups and patching of the systems and the use of anti-virus firewalls."
Still, while "we definitely see a trend in hospitals to improve their security," said Mike Ahmadi, global director of critical systems security at cybersecurity firm Codenomicon, vendors have to do more to engineer security.
"The bigger issue is that vendors are not held accountable for writing insecure code," said researcher Rios. "There's no incentive…so they don't invest."
Pressure On Vendors
A few hospitals, including the Mayo Clinic, have started to write security requirements into their procurement contracts.
At the University of Texas MD Anderson Cancer Center in Houston, any new software application has to be approved by the hospital's security team, headed by Lessley Stoltenberg, chief information security officer.
He says device makers also will have to meet a slew of security requirements: Can the device be encrypted? Is there a unique identification for users? If the vendor is hosting the device, what does their system look like in terms of firewalls and other protections? Will the manufacturer provide up-to-date security patches?
Some companies, like Ahmadi's Codenomicon, specialize in selling software to detect software bugs that could lead to security holes.
While Codenomicon has a number of device makers as customers, those are a fraction of the more than 6,500 medical device manufacturers in the U.S., some of which may not be doing even the most basic testing. Most vendors are small – 80 percent have fewer than 50 employees – and many are startups without the capital to invest in a security expert.
So, could hackers target infusion pumps or ventilators?
"Is it possible?" Stoltenberg mused. "Yes. Is it likely? No. No device in the world is absolutely 100 percent secure."