Medical Device Cybersecurity Deficiencies Pose Wide Ranging Threats, RSA Conference Told

A recent presentation at a major cybersecurity conference highlighted the potential risks Americans face from hacking threats involving medical devices, including products manufactured by St. Jude Medical and Johnson & Johnson. 

The presentation was given by Daniel Miessler, Director of Advisory Services with IOActive, Inc. at the RSA Data Security Conference in San Francisco earlier this month. According to the presentation (PDF), not only are some medical devices particularly vulnerable to hacking, but some hospitals have already been hacked and forced to pay hefty ransoms to keep their data from being released.

Miessler highlighted a number of vulnerabilities found with St. Jude pacemakers, which included a “wireless god key” that may provide remote access to the devices. He also warned that the Johnson & Johnson Animus OneTouch Ping insulin pump had unencrypted command traffic, which could be hacked and used to send unauthorized, potentially lethal, insulin injections.

There have also been a number of U.S. hospitals whose systems were hacked. Miessler mentioned a cybersecurity attack at Hollywood Presbyterian Medical Center, which was hacked in February 2016. The hospital’s system was infected with malware, which stopped staff from being able to communicate using its computers. The hospital was only allowed to regain control after it paid $17,000 ransom through bitcoin.

In at least one case where a hospital refused to pay, part of the facility had to be shut down until control could be regained. As a result of the cybersecurity problems, some hospitalized patients had to be moved, which may have impacted care.

The United States isn’t the only country facing medical device cybersecurity risks. Health trusts have been hacked in the U.K. and Germany as well, and Miessler noted that in most cases, the hospitals have to pay ransom through bitcoin, which few understand. Some have even hired law firms to buy bitcoin in case they are hit by the malicious software, which is becoming known as ransomware.

The presentation comes after the FDA issued new guidance on medical device cybersecurity late last year.

The health regulatory agency is recommending that medical device manufacturers strongly consider following the finalized guidelines, which indicate that manufacturers should monitor and detect potential cyber security vulnerabilities in their devices, research to understand and assess the level of risk and vulnerabilities to patients, and establish a process of cyber security information sharing among manufacturers to prevent hacking risks.

The agency is calling for manufacturers to design medical device software with the capability of being upgraded, so that it can combat newly found vulnerabilities for the duration of the device’s life span. A product that cannot be upgraded could put patients at risk and become obsolete quickly. This approach allows manufacturers to ensure the safety and effectiveness of the medical devices at all stages and encourages continuous quality improvement, the FDA indicates.

In January, the FDA issued a safety communication regarding the vulnerabilities in St. Jude heart implants.

The investigation began after a report was released by Muddy Waters Capital LLC, outlining findings by MedSec Holdings that suggested the St. Jude’s Merlin@home transmitter and Merlin.net PCN, which are used to transmit data from heart devices to physicians, “lacked even the most basic security defenses” such as encryption, anti-tampering devices and anti-debugging tools, which are used by other heart device manufacturers.

In response to the concerns, St. Jude formed a Cyber Security Medical Advisory Board in October 2016. In January, the company announced in a press release that it was releasing a cybersecurity update for Merlin@home to patch some of the holes in its security.

Medical Device Cybersecurity Concerns

Cybersecurity threats in the medical field have been a growing concern over the last few years, as vulnerabilities to healthcare organizations’ record systems and medical devices have surfaced.

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients in serious risk.

The Department of Health and Human Services (DHHS) manager, Jason Lay, has called the exposed vulnerabilities in the medical field a danger. Lay claimed the possibility of hacks to medical devices are a very real possibility, stating hackers could potentially tamper with medical devices and use them to gain access to healthcare organizations health record systems.

Additionally, in a demonstration at the RSA security conference in San Francisco in 2012, researchers were able to hack medical devices such as insulin pumps from up to 300 feet away. The demonstration further showed how hackers could remotely take control of the insulin devices, allowing them to deliver lethal doses of insulin to patients without any notification.

The FDA has been actively working on improving cybersecurity in the medical field since 2013, when the White House issued Executive Order 13636, which called on the public and private sectors to collectively strengthen the gap in cybersecurity infrastructure. Since the order, the FDA issued its first guidance in October 2014, recommending medical device manufactures to incorporate strong anti-hack programs during the design stages of device development.

The agency proposed a second guidance on January 15, 2016, outlining important steps medical device manufacturers should take to proactively plan for and to assess vulnerabilities, to keep patients safe and better protect public health.