Imagine if simply typing “password123” into a computer opened not your email account but an internet-connected medical device responsible for feeding you drugs or monitoring your blood oxygen or insulin levels.
It may sound like the nightmare stuff of fiction, but the lack of basic cyber security on hospital equipment is attracting hackers who want to use them as a way to enter medical networks.
Experts say that while they have not yet seen someone die as a result of hacking, the risks are growing. Motives for attacks could range from wanting to harvest patient information or stealing intellectual property from medical trials to simply wanting to create chaos.
Devices whose default passwords are left unchanged, and devices running outdated operating systems that sit on the same network as systems such as medical databases, are all too common in healthcare, says Greg Enriquez, chief executive of TrapX, a cyber security company that works with hospitals around the world.
The company has found security flaws in a blood gas analyser, a medical image system and radiology equipment. “We have found active malware, different strains of malware, we even found [non-activated] ransomware on one medical device [which could give the hacker the ability to prevent the device from working when it is in use],” Mr Enriquez says.
With PwC, the professional services firm, forecasting that the market for internet-connected healthcare products will be worth about $285bn by 2020, the security of medical devices is becoming a priority for manufacturers, hospitals and patients.
Regulators are also paying attention. The US Food and Drug Administration, the regulator that has oversight of medical devices and approves their use, issued its first warning this year that a device could be tampered with by hackers.
The FDA strongly encouraged healthcare facilities to stop using the Hospira Symbiq infusion pump used to give drugs and pain medication, even though there had not been any reports of criminals accessing the device. Hospira removed the pump from the market and said it has strengthened cyber security on new pumps it is developing.
The FDA has also been running workshops for manufacturers — the next one is in January — to push for “a total product life-cycle approach, from design to obsolescence”, says Suzanne Schwartz, a director at the Center for Devices and Radiological Health at the FDA.
“This means building security early on in the design phase, addressing security in the premarket submission for new products, and ongoing post-market surveillance with proactive vulnerability management,” Dr Schwartz says.
“The reality is that bad actors intentionally look for ways to overcome cyber-security safeguards, so we always work to stay one step ahead and to take aggressive steps to stop this criminal behaviour,” she adds.
Wes Wineberg, a researcher at Synack, a cyber security company, says: “To me, it is a sector very much like the critical infrastructure industry, with a few major manufacturers and a lot of devices. So really it is just now a waiting game [until some are hacked].”
Mr Wineberg believes hospitals are in a powerful position to force change in the industry because device manufacturers will only spend the time and effort on providing what their customers want.
How hospitals and other medical providers use devices and connect them to networks will also affect how tempting they are to hackers.
Rick Judy, a principal in PwC’s health industries advisory practice, says that, as the vulnerabilities in these devices are “significant” and “pervasive”, the question is how many criminals have a strong motive to attack them.
He says that everyone, from the hospital IT department to the doctors and nurses on the wards, needs to learn how complex and accessible the software on medical devices has become.
“Each provider needs to carefully examine for themselves what types of risk are being brought in by new devices. They will have to give careful consideration to making sure they are kept up to date, behind firewalls and in networks segmented off from key medical and personnel data,” he says. “They will also have to make sure these devices don’t have simple default passwords.”