Cyber security may be expensive, but the cost of a life is more
By: Giselle C. Matlis, Research Assistant
Imagine someone hacks your Facebook account. You freak out, then figure a way to get the hackers out of your account, notify Facebook, change your password and move on. Problem solved.
But what if the hacked system isn’t your Facebook? Instead it’s a pacemaker in someone’s heart, or an entire hospital’s records and devices. What would you do then?
In recent years, there have been many life-changing medical devices innovations that have helped thousands of people. Connecting devices to the internet and hospital networks has contributed to this influx. Medical device connectivity enables doctors to monitor and administer drugs to their patients from a far, allowing patients to live more normal lives. Connecting them to the internet also helps to electronically update patient charts, minimizing the risk of transcription errors and drives improved patient outcomes.The goal of connected medical devices and aggregated data is to assist physicians in making informed decisions for treatment.
As devices have been improved and developed, so have hacking capabilities. The Food and Drug Administration (FDA) has been recommending different processes to help promote cyber security to combat cyber-attacks; but this may not be enough. The FDA has noted that although no one has been injured or killed by a cyber-attack, it is still a pressing issue that could become dangerous very quickly.
According to the FDA, cyber hacks have become more frequent because “[m]edical devices… can be vulnerable to security breaches…This vulnerability increases as medical devices are increasingly connected to the Internet, hospital networks…” (“Postmarket Management of Cybersecurity in Medical Devices”). Advances in medical technology has increased risk of cyber attacks, so the medical community needs to be proactive to ensure the safety of patients.
In the past few years, multiple attacks occurred throughout the US and the world. In May 2017, the UK had a number of cyber security breaches where MRI machines, pharmacy systems, and chemical dispensers were hacked by the WannaCry virus (a system that hackers are using to attack hospitals and demand ransom). This system has attacked hospitals in US. However, the hospital names have not been released – which adds to the problem of awareness of attacks because hospitals and manufacturers do not want negative publicity. According to Beau Woods, deputy director of Cyber Statecraft Initiative at the Atlantic Council, “likely a wide range of medical systems were taken down by WannaCry”.
Additionally, in August 2017, the FDA confirmed that St. Jude Medical’s RF-enabled implantable cardiac pacemakers are hackable by commercially available equipment. The FDA stated that the equipment “could be used to modify… the implanted pacemaker, which could result in patient harm”. As a result, the FDA approved an update to the system where an access code is needed to adjust the device and advised the medical community to discuss the risks with their patients but not to alarm them. The FDA then used this opportunity to acknowledge that putting devices on a network is risky, but the benefits outweigh the risks.
Perhaps the most frightening case occurred in February 2016, at the Hollywood Presbyterian Medical Center in California. The hospital staff was locked out of their system by the “ransomware” virus. The hospital paid a $17,000 ransom to get control of their system – thankfully no one was injured. This was the first time a hack was successful and publicized, which began to open people’s eyes to the potentially large-scale problem and catastrophic effects of hacks.
The FDA cannot regulate cyber security without congress’s approval, but they have been trying to educate manufacturers. Since the FDA does not test premarket devices for cyber security (because it is the manufacturer’s job), they’ve held webinars and published guidance and recommendations to help manufacturers in the right direction.
The concern is that manufacturers and hospitals will not take the recommendations seriously without formal regulation. According to Suzanne Schwartz, acting director of emergency preparedness and medical countermeasures at the FDA’s Center for Devices and Radiological Health, companies and hospitals are not acting as quickly because attacks haven’t occurred on a large-scale: “A sector matures as a result of being hurt a few times”. So far, the medical world has not been catastrophically affected so no one is worrying about it – the fear is that with this mentality, the FDA’s suggestions will not be taken seriously.
In the end, I think that the positive outcome from medical devices being connected to the internet is incredible and should continue. However, serious cyber security regulation should be implemented so that no one can use these devices to hurt patients. As stated above, FDA is doing what they can. It is really up to Congress and the manufacturers to ensure that the right security is put into place AND that the FDA should be allowed to regulate cyber security. Cyber security may be expensive, but the cost of a life is more. For many people, these devices give them life – it would be detrimental if these devices also took that life away just because the right precautions were not taken.