Above: Kevin Fu (front right) and his research group are testing security and privacy of various medical devices, including heart rate sensors, pacemakers, defibrillators, drug delivery systems, and neurostimulators. Photo by Joseph Xu, University of Michigan College of Engineering.
Every device that contains a computer component is open to a cybersecurity attack, and that potential escalates when the device is connected to another device, to an information technology (IT) network, or to the internet. This potential is especially troublesome when it comes to medical devices, because patient care hangs in the balance.
What do developers need to know about possible threats to their medical devices, and how they can keep their devices out of harm’s way? To find out, IEEE Pulse interviewed three cybersecurity experts: Anura S. Fernando, Kevin Fu, and George Gray. Fernando is principal engineer of the Medical Software and Systems Interoperability Health Sciences Division at the global science-safety organization UL, which has developed cybersecurity standards for devices across industries, and has also served as a member of both the Food and Drug Administration Safety and Innovation Act working group and the Health Care Industry Cybersecurity Task Force. Fu, Ph.D., is associate professor of electrical engineering and computer science at the University of Michigan, and chief scientist of Virta Labs of Seattle, Washington, which provides hospitals with safety-conscious cybersecurity software to manage risks on clinical networks (1). Gray is chief technology officer and vice president of software development at Ivenix of North Andover, Massachusetts, which is developing an innovative infusion system to streamline medication delivery and bring legacy technology into the digital age (2).
IEEE Pulse: What are the big cybersecurity threats out there today in terms of the healthcare industry and medical devices?
Anura S. Fernando: I think there are a number of different threats. People tend to think of a sick person connected to a medical device and somebody who hacks into that device to cause harm to that individual. While that’s certainly a viable scenario, it’s not all that common. What is much more prevalent are threats driven by organized crime for financial assets. There is personally identifiable information, such as Social Security numbers, that are in hospital systems and are significant targets; and there’s insurance information that can be used for insurance fraud. There’s also industrial espionage for the purpose of intellectual property theft. If you think about medical devices, the hardware is becoming almost a secondary asset and it’s really the algorithms that are of significant value, so if you can acquire that through hacking the devices and stealing the IT, it’s a pretty simple matter to replicate the hardware and flood the market with copies of products.
There is also a threat from terrorist activity. If you look at some of the recent ransomware attacks, you can see that hospitals can be quite debilitated by ransomware, or any malware for that matter, because it can affect procedures. In some cases, a hospital might have to stop providing healthcare to patients and actually transport them to different facilities. So, let’s say a terrorist pursues a coordinated attack, maybe setting off a bomb in a populated area and then debilitating the healthcare infrastructure in that area. That can have various consequences from a national security perspective.
Beyond those threats, there is also the potential for malicious mischief that involves things like tampering with clinical trials. We tend to think of individual patients being harmed, but if you tamper with a clinical trial, you can have a whole population of patients who have waited for a new drug or a new medical device to come out — potentially to save their lives — and now have that trial set back. That might result in a generation of fatalities.
Kevin Fu: The media plays up the risk of the wily hacker and there is some truth to that, but I think this particular risk is really overplayed. At the end of the day, what we want is safer, more effective medical devices for better patient outcomes, and it’s very difficult to get safety without security. To me, the threat is really about integrity and availability of medical devices to deliver patient care, and some of these devices are so insecure that it’s like breaking down an open door. It doesn’t really take much skill; it’s fairly easy to cause harm; and that’s why I’m concerned about the integrity and the availability.
IEEE Pulse: How are medical devices vulnerable to cybersecurity attacks?
Fu: Ransomware is the risk du jour affecting availability of patient care, and this may not be somebody targeting you, but instead targeting easy prey: the hospitals. Hospitals are more exposed to these kinds of risks because they tend to use very old software, and tend to have complicated systems that can be hard to maintain and therefore allow ransomware to get in. Once that happens, it can affect things like chart data and medical records, and because things are so interconnected, it can affect your device.
I’m also particularly concerned with integrity of medical information, as well as diagnostics and therapeutics. For example, imagine that a computer virus breaks into a medical device and then flips a bit on HIV test results. The damage is to the integrity. What do you think the hospital is going to do, redo all the tests? Another example is a hacker who makes a ransom claim that they have adulterated one database in a hospital’s cancer tests, but they won’t say which one until a ransom is paid. We haven’t seen an imminent threat like that at the moment, but it’s clear that that could change tomorrow.
George Gray: Sometimes hackers go after you because you’re delivering therapy and they want to disrupt that, but other times it’s because they want to use you as an attack vector. For instance, (the department store) Target had a large breach where a number of credit cards were exposed, and the way that (hackers) broke in was through their HVAC system (3). Once they got in there, the HVAC system was trusted by another system, which was trusted by another system, and that eventually led to the credit card numbers. Likewise, a lot of developers think “I’m just making a pump or a patient monitor, why does cybersecurity matter?” Well, if you’re vulnerable, hackers can land a virus or Trojan software in your device, and if your device contains a patient’s medical record number, for instance, they can then get into another one of the hospital’s information systems and launch an attack that way. So, you’re part of the problem; you’re a potential weakness in the hospital.
Fernando: In product development, it used to be that your engineers would write all of the code that went into your device, but as the development cycles needed to become more rapid and development processes became more agile, software engineers began taking advantage of open-sourced software in libraries, so software engineering today is like putting together a bunch of building blocks. The downside is engineers don’t necessarily think a whole lot about pulling these library components in — it becomes almost second nature — and what happens is that you might not be aware of the vulnerabilities of those components. And sometimes, if you don’t keep track of your software materials as a developer, you may not even know what components were pulled in during the development process. As a result, we’ve seen statistics showing, for instance, that 90 percent of vulnerabilities seen in software-based products are a function of third-party libraries and open-sourced software (4).
IEEE Pulse: UL worked with the previous White House administration, and met with government agencies and a wide range of industry leaders to come up with a UL cybersecurity certification for devices in 2016 that’s similar to the UL listing for electricity. How does this certification help?
Fernando: We developed the UL 2900 series of standards to serve across industries, including healthcare, to create through repeatable and reproducible testing, objective evidence that manufacturers of these products have done their due diligence in identifying vulnerabilities (5). This includes checking their products for malware, analyzing their source code for weaknesses, and doing what’s called FUD (fear, uncertainty, and doubt) testing to try to identify new exploits that people might find.
Like other UL standards, the cybersecurity standards are almost exclusively voluntary consensus standards, which means that they provide value. The U.S. Food and Drug Administration (FDA) recognizes the standards (as of August 2017), so medical device manufacturers can now use them to help get their devices through the regulatory process, because the FDA knows the developers have gone through the right set of requirements.
IEEE Pulse: What are Ivenix and Virta Labs doing on the cybersecurity front?
Gray: We are developing a new type of infusion pump and an infusion management system that is very information savvy and connected as a way to help reduce a lot of errors (6). In fact, there are approximately 1.5 million adverse drug events a year, of which infusion related errors are associated with just over half of these events. (7, 8) So, we built this new type of a system, architected as a computer with a back-end “cloud” in the hospital, that helps the infusion pumps talk to one another and learn. Given all that, you can see that we are talking about connectivity, information, and sharing data about patients, so we started out with the understanding the system must be very secure.
(To do that,) whether it’s the pump or the back-end system, we monitor for attacks. We have firewalls in multiple areas, so it’s hard to get through, and even if you get through the first firewall, there’s another one. We encrypt all of our communications using https (a secure information-sharing or web-communications protocol), and we only communicate using https. In addition, our pump initiates all communication. That’s important because any device, like any website, can be overwhelmed by someone sending in a malicious barrage of communications, which can be repetitive information requests or even just saying “hi” over and over again, so we put security in place such that the pump can tell it’s talking to an Ivenix server, and at the same time, the server through that connection can tell that it’s talking to an Ivenix pump.
Besides, of course, also encrypting all of the data, we also give the hospital the ability to press a button and essentially reset the pump at any point in time. And when I say reset the pump, I don’t mean restart it, I mean wipe out all the software, download an update of the software, and in that process, wipe off any viruses and Trojans that might be there because of a breach.
Fu: Virta Labs produces BlueFlow, a software product for hospitals to help manage the risks of their medical devices and also to protect their clinical networks. It helps hospitals visualize that risk. Here’s a classic example: A report from the FBI warns about a particular virus or ransomware that affects a certain device, and the hospital has to know within a couple of minutes which devices it needs to secure, or which devices to patch. Today, it’s very difficult, because you’d be surprised how many hospitals don’t have a handle on the medical-device inventory in their clinical networks, so they run around like chickens with their heads cut off — definitely not a very healthy workflow. Virta Labs helps with that by doing a full assessment of the inventory from a network perspective. Clinical IT staff need to know every patch level of every machine and every medical device to make decisions. After all, you can’t triage until you know your risk. In essence, hospitals need evidence-based assurance of availability of medical devices to deliver patient care despite computer-security risks.
IEEE Pulse: And Dr. Fu, what is your U-M research group doing in terms of cybersecurity?
Fu: On the research front, we specialize in understanding how to prevent sensors from being tricked into delivering false data to a medical device that is making autonomous decisions (see photo at top of article). Here, we work on the security of sensors all the way from materials up through the operating system. The idea with this kind of work is to try to be a couple of steps ahead of the bad guys, and what we’re learning is that there do not appear to be adequate design controls in place to stop an adversary from controlling the output of the sensors. For instance, we discovered that it’s quite easy to trick sensors into delivering false data by sending out malicious radio waves and malicious sounds waves (see below). And we demonstrated how a YouTube video containing music can be played on a particular smartphone and take control of the smartphone’s accelerometer, because it actually resonates material (9). It’s physics: These sound waves bubble up in the operating system, causing the operating system to make incorrect decisions.
Overall, we’re looking at risks that frontline staff wouldn’t worry about too much today, but that in 10 years, could very well be significant problems in medicine, such as pacemakers that make decisions on rate-adaptive pacing depending on a sensor, but also extend outside medicine to things like autonomous vehicles that make kinetic decisions based on sensor data, or internet-of-things devices that change their settings depending on sensors. That’s why we’re very concerned about having the technology in place to protect the integrity of sensors.
IEEE Pulse: What advice do you have for developers to keep their medical devices secure?
Gray: They should start by going to some training around cybersecurity. Like everyone I know who has gone through it, including myself, when you come back from that week or two of training, you’re really nervous because you hear about all sorts of ways that (hackers) can get at you. Then, you need to start right at the beginning to understand your vulnerabilities and figure out how you can build in mitigations to security threats as you’re developing your system. I’ve been in the business of security for a long time, and I know that it’s really hard to do this after your product is already in the hands of customers.
(As development proceeds,) you also have to put in place the right organizational processes to respond to threats quickly. It’s not uncommon that a company in the medical industry will hear that it has a cyber-threat and either respond slowly or not at all. You just can’t do that anymore. You have to be prepared to move quickly.
Fernando: Just as I mentioned earlier, new technologies will have more and more interoperability moving forward, where devices can be connected together in new ways and provide novel therapies and so on. We are seeing things like big data analytics, clinical decision support, machine learning, artificial intelligence, and augmented reality — all of these are data-centric technology areas where we’ll inevitably see cybersecurity threats and expanding attack vectors. These new devices carry a lot of potential, but to see that full potential, we will need to get past issues of cybersecurity, and the UL cybersecurity standards can help with that.
Bolting on cybersecurity measures after the fact is much more troublesome than baking it in from the start, so the best way to deploy security is to build it into the product right from concept through architecture and design cycles, and then implementation.
Fu: I think the main message is this: Cybersecurity risks come with the territory. If you’re going to use a computer and you’re going to have connectivity, then you’re unfortunately going to have real security risks, and you have to think about how to manage and mitigate those risks.
- Virta Labs, “Real Healthcare Cybersecurity.” Available online. Accessed on December 18, 2017.
- Ivenix, “Simple. Reliable. Intelligent. The future of infusion management.” Available online. Accessed on December 18, 2017.
- Vijayan, Jaikumar. “Target attack shows danger of remotely accessible HVAC systems: Qualys says about 55,000 Internet-connected heating systems, including one at the Sochi Olympic arena, lack adequate security,” ComputerWorld, February 7, 2014. Available online. Accessed on December 18, 2017.
- Corman, Joshua, “DevOps Will Save the World: Public Safety, Public Policy, and DevOps,” DevOps Enterprise Summit, October 23, 2014.
- UL, “Cybersecurity of Medical Devices and UL 2900,” 2016. Available online. Accessed on December 18, 2017.
- Ivenix note: 510(k) pending; the Ivenix Infusion System is not commercially available in the United States.
- U.S. Food and Drug Administration, “Drugs: Safe Use Initiative Fact Sheet,” May 6, 2014. Available online. Accessed on December 21, 2017.
- Kaushal, R., Bates, D. W., Landrigan, C., McKenna, K. J., Clapp, M. D., Federico, F., and Goldmann, D. A. “Medication errors and adverse drug events in pediatric inpatients,” JAMA, vol. 285, no. 16, pp. 2114-2120, April 25, 2001.
- Trippel, T., Weisse, O., Xu, W., Honeyman, P., and Fu, K. “WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks,” presented at the IEEE European Symposium on Security & Privacy, Paris, France, April 2017. Available online. Accessed on December 18, 2017.