Patient Safety Concerns Grow Over Medical Gear SecurityRecent Cyber-Related Incidents Spotlight the Serious Potential Risks Facing Patients
The expanded recall this week of certain insulin pump devices due to vulnerabilities that pose the risk of injury or even death to patients and a recent malpractice lawsuit alleging that the effects of a ransomware attack led to a baby's death are the latest warnings of potential safety dangers posed by security issues involving medical devices and other healthcare IT systems.
On Tuesday, federal regulators and medical device maker Medtronic announced the expanded recall - a recall that was first announced in 2018 - of remote controllers used with certain Medtronic insulin pumps.
In separate advisories, the Food and Drug Administration, the Department of Homeland Security and Medtronic all warn that if successfully exploited, the security vulnerabilities identified by an independent researcher could allow an attacker to interfere with the dose of medication dispensed to patients - potentially resulting in injury or death (see: Medtronic Insulin Pump Devices Recalled Due to Serious Risks).
Meanwhile, last week, news broke about a malpractice lawsuit filed by a mother in Alabama who alleges that the death of her baby born with serious complications was due to clinicians being unable to access timely data from fetal monitoring systems and patient electronic medical records while she was in labor as the hospital was dealing with a ransomware attack in 2019 (see: Lawsuit: Hospital's Ransomware Attack Led to Baby's Death).
Those and other related recent developments in the healthcare sector are raising the specter of how cybersecurity incidents can not only lead to compromises of patients' sensitive health and personal information, but can also potentially have fatal consequences.
"There is mounting evidence and feeling by professionals in health IT that cyber events have adverse impacts on patient care and safety," says Mac McMillan, CEO of privacy and security consulting firm CynergisTek.
"So I think we will see more such alerts when a vulnerability is detected in a device used to deliver care to patients" he notes. "Doing less would be irresponsible at best and neglect at its worst."
A recent study by research firm Ponemon Institute and cybersecurity risk management firm Censinet found that 22% of the respondents - who were all IT and security professionals at healthcare delivery organizations experiencing ransomware attacks - believe the incidents resulted in an increase in patient mortality.
But that's not all. Seventy-one percent of the respondents reported that ransomware attacks resulted in longer length of stays for patient, 70% reported delays in procedures and tests, 65% reported an increase in patient transfers or facility diversions and 36% reported an increase in complications from medical procedures.
"Devices are susceptible to all the same threats that other computer devices are at risk from, but each has their own unique set of vulnerabilities. So manufacturers and institutions need to diligently test and pay attention to how they are deployed and used," McMillan says.
Ransomware and Devices
Ransomware attacks in recent months have had broad system impacts affecting different sectors of critical infrastructure, including healthcare, says Dr. Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the FDA's Center for Devices and Radiological Health, in a statement to Information Security Media Group.
"Within the realm of medical device performance, a ransomware attack can be a manifestation of shortcomings in - or absence of - threat models during early medical device design," she says.
For instance, if a medical device depends on the real-time availability of a cloud, then that device needs to be designed to remain available for safe and effective use even if ransomware causes a disruption to the cloud, she says.
There are other emerging worrisome security challenges involving medical devices, says Michael Holt, president and CEO of healthcare cybersecurity firm Virta Labs.
They include management of artificial intelligence and machine-learning systems such as picture archiving and communication systems, or PACS, and other patient monitoring systems in which "data poisoning and other threats could impact automated diagnoses and treatments," he notes.
"If a certain threshold or variable is manipulated, then you may miss an event or take action when not needed."
Other challenges, Holt says, include tracking medical devices in the field post-purchase and keeping up with detection and response for software bill of materials vulnerabilities.
Risks From Other Devices
Medical devices used in hospitals and other traditional healthcare settings are not the only ones subject to growing security risks that could lead to safety issues, some experts note.
"We know telehealth and remote care are becoming both compelling value propositions for hospitals and simultaneously a strong concern for the CIOs and CISOs who will have to manage their security," says Elad Luz, who heads up research at healthcare security firm CyberMDX.
"This presents a whole new set of issues as many of the devices you need to protect will not be on premises, and it’s definitely something that will require proper planning and resources," he says.
"The earlier they begin, the better."
The FDA's Schwartz says that healthcare delivery organizations should be mindful of preventative measures to improve resilience to ransomware affecting the safety or efficacy of medical devices. She suggests entities tap into publicly available resources to which the FDA has contributed best practice guidelines. Those include the Healthcare Sector Coordinating Council’s Joint Security Plan, the Healthcare Industry Cybersecurity Practices and the International Medical Device Regulators Forum Principles and Practices for Medical Device Cybersecurity, which was published in 2020.
"With this knowledge, healthcare delivery organizations can better convey recommendations to medical device manufacturers should they appear to not be following best practices or FDA recommendations," Schwartz notes.
When it comes to medical devices and potential ransomware or other cyber incidents, healthcare providers "should be wary of the training and performance of AI/ML network-based security systems for segmentation, policy enforcement, and anomaly detection," Holt warns.
"There is no silver network monitoring bullet for healthcare entities and you cannot just bolt on security in production environments when you don’t have a real baseline over the network for normal behavior."
"Cybersecurity is a shared responsibility among all parts of the healthcare ecosystem, including patients."
—Dr. Suzanne Schwartz, FDA
But new startups working on edge security solutions can configure cloud policies for remote vendor access to facilitate quicker software updates, he notes.
McMillan says healthcare entities also can implement technologies that help locate, assess and support "smart deployment" of medical devices.
"They should incorporate security into their routine maintenance and operational activities to insure vulnerabilities are addressed expeditiously," he says.
Healthcare provider organizations can also isolate and apply compensatory protections where possible. "Most importantly they can look to refresh legacy devices with issues with new devices that are more secure," according to McMillan.
Meanwhile, medical device manufacturers "should also take more risky or innovative approaches, such as polymorphing operating systems, developing a tech-based clearinghouse for vulnerabilities, or baselining the power side channel to build in security around known operating parameters," Holt says.
As for the regulators, he suggests that the FDA consider additional manufacturer clarifications around the design and timelines for approval or modification of devices, in an effort to accelerate medical device security innovations.
"The FDA should consider options for stimulating hospital human resources for tracking incidents, getting hands-on with devices, and dealing with the significant volume of alerts that require manual labor being overlooked in favor of fancy detection approaches when the windows are unfortunately left open."
McMillan says handling cybersecurity and related safety issues involving medical gear takes a team effort. "The FDA cannot do all of this on their own. They need the rest of the community to assist in implementing the guidance and holding everyone accountable."
Schwartz notes that patients also play an important role. "Cybersecurity is a shared responsibility among all parts of the healthcare ecosystem, including patients," she says. "There are many resources available to patients that can help them better understand the cybersecurity of their devices, as well as opportunities to take an active role in keeping their devices cybersecure."
This week, the FDA issued a best practices document for healthcare industry stakeholders and government agencies to use when communicating medical device vulnerabilities to patients and caregivers.
The announced expanded recall this week of the insulin pump remote controllers "is an update to the recall initiated in August 2018," Medtronic says in a statement provided to ISMG.
The company says it is working closely with industry regulators and researchers, taking concrete actions to enhance device security and making "significant investments to improve device security protection."