Threat matrix: Malware and hacking pose dangers to medical devices
May 24, 2013 in Medical Technology
The scene from the Showtime series Homeland is tough to watch: The Vice President of the United States, dying slowly as his heart beats faster. His pacemaker – a delicate implanted device, accessed and altered from some distant computer by a terrorist who’d learned its serial number – is going haywire.
It could happen, said Tim Zoph, CIO of Chicago’s Northwestern Memorial Hospital, speaking at the Healthcare IT News/HIMSS Media Privacy Security Forum this past December.
“Fact or fiction?” Zoph asked, clutching an innocuous-looking black box – a wireless transmitter used to give instructions to pacemakers – as he scanned the audience.
“The fact is,” he said, “they’re not secure.”
As healthcare becomes ever more interconnected, especially as myriad wireless medical devices start linking up with complex and Web-enabled IT systems, these technologies are increasingly vulnerable. Not just to nefarious hackers, lurking in the shadows, but to more mundane (but no less dangerous) threats such as malware and the common computer virus.
“We’re starting to attach [medical devices] to electronic health records, and they’re not secure,” said Zoph. “We’re not doing it with security in mind.”
The vulnerabilities are glaring, even as the number and types of threats increase. So far neither device manufacturers nor federal regulators have been able to come up with fail-safe protections from an ever-mutating menace.
Meanwhile, patient safety for hundreds of thousands of people remains at risk.
Fixing a hole
There have been plenty of hair-raising headlines lately: “Insulin pump hack delivers fatal dosage over the air.” “Pacemaker hack can deliver deadly 830-volt jolt.” “Vulnerable medical devices: A clear and present danger.”
“You’re going to hear a lot about worst-case scenarios, but I think patients, by and large, should be concerned about the more average things,” said Kevin Fu, a professor of computer science and engineering at the University of Michigan who specializes in medical device security.
By “more average,” Fu means the sorts of things that could happen to a plain old PC, any day of the week, thanks to something as mundane as an email that shouldn’t have been opened or a link that shouldn’t have been clicked.