This week, the FDA took the unprecedented step of recalling a medical device – a pacemaker – because it was found to be vulnerable to cyber threats. The recall arose from an investigation by the FDA in February that highlighted a number of areas of non-compliance. While there are no known reports of patient harm related to the implanted devices affected by the recall, the step was taken as a preventative measure. A firmware update has been developed (and approved by the FDA) that can be applied during a patient visit with their healthcare provider.
Medical device vulnerabilities have been on the FDA’s radar for some time. In July 2015, the FDA issued an Alert highlighting cyber risks related to infusion pumps. Then, at the end of 2016, it issued what it called “guidance” on the post-market management of cybersecurity for medical devices. But aside from market pressure, there was no enforcement mechanism for any of these alerts and statements. To make matters worse, a recent study revealed that only 51 percent of medical device manufacturers and 44 percent of healthcare organizations currently follow the FDA guidance to reduce or mitigate device security risks. Many thought leaders in the healthcare security space have been pushing for greater governance of medical devices as more and more security vulnerabilities and back doors to these devices have been discovered.
While “homicide by medical device” may seem like a far-fetched Hollywood-esque scenario right now, it’s not completely out of the realm of possibility. “The potential for immediate patient harm arising from hackers gaining control of a pacemaker is obvious, even if the ability to do so on a mass scale is theoretical,” Fussa pointed out. “For example, imagine a ransomware attack that threatens to turn off pacemakers unless a bitcoin ransom is paid. In this week’s recall alone, 465,000 devices are affected. An attack of this type would pose an immediate risk to all of these patients and would likely overwhelm the ability to respond.”
While it’s good news that the FDA is acting to protect patients from harm due to cyberattack, connected devices continue to pose a threat to both patients and facilities. There’s been no shortage of press on the subject, and most healthcare executives are keenly aware of the problem. However, very few have an effective or scalable solution.
Many hospital systems have in excess of 350,000 medical devices, before you even start to count the implantable ones that leave with patients. Most of these devices were never designed with security in mind, and many have multiple ways in which they can be compromised by a hacker. The fact that we are not aware of any reported patient deaths yet is a good thing, but the industry has a very short window to secure its medical device arsenal before hospitals and patients get held to ransom. Health systems need to be looking at segmentation as a compensating security control to prevent attacks, until the medical device industry catches up.
Do you have a plan in place to secure your facility’s medical devices? Are you able to segment and isolate traffic to them?
Do you have visibility into who and what is communicating with your biomed systems and do you have ransomware protection?
Having specific answers to these questions will be key to a strong, ongoing defense against attacks.
For more information on cybersecurity solutions, get the details on Cisco’s Digital Network Architecture for Healthcare and IoT Threat Defense for network-connected devices.
Read the follow-up blog which goes into more detail about the significance of the FDA recall.
Good Information , Thanks for sharing.
Thanks Richard for this post – great information.
Thanks Tom. This news represents a major shift in the governance role of the FDA, as well as a latent awakening to the risks that medical devices pose to patients and hospitals. I’m sure this will be a topical area of research and discussion over the coming weeks and months, and I look forward to sharing what we in Cisco learn.
Thanks for a marvelous posting! I quite enjoyed reading it, you will be a great author. I will be sure to bookmark your blog and will often come back very soon. I want to encourage you to ultimately continue your great job, have a nice holiday weekend!
Thanks Ellsworth. Stay tuned and check back for updates. This topic deserves additional attention. I have quite a lot more material on this subject so let me see if I can write up a follow up article for next week to go a little deeper and provide some more information for yourself and the many other readers of this story. I think its caught everyone attention!
I want to thank you for taking the time to put this together. I was not aware that medical devices could be hacked. Imagine a ransomware attack that threatens to turn off pacemakers unless a bitcoin ransom is paid – This is absurd. With 465,000 devices affected, it creates opportunities to pitch Cisco Cybersecurity Solutions in the Healthcare Industry (also called the Medical Industry or Health Economy), which can secure medical devices; segment and isolate traffic to medical devices; gives visibility into who and what is communicating with biomed systems; and provides a ransomware protection. I await more updates on this. Thank you.
Fredrick, thank you for your comments. You are not alone in discovering that the medical devices provided by hospitals to keep patients alive can be hacked. Depending upon the device and how much thought the manufacturer gave security in its design, devices can be either somewhat difficult to hack, requiring custom programing equipment and some Internet research, or quite easy. Just google some of the medical device hacks that have been discovered and published by security researchers, or perhaps demonstrated on stage at security conferences like ‘Black Hat’ and ‘RSA’ over the years. This is not new and the public is still woefully ignorant of the risks. Manufacturers play down these risks and slowly and quietly patch the worst vulnerabilities. The FDA which is tasked with monitoring and governing this industry has until this story broke, largely sat on the fence, accused by many of being too close to its manufacturing customers. The risk is that someone may have to die before things really start to change and manufacturers are forced into better security designs, ongoing testing, patching and support for their devices throughout their long life spans.
It is good to see that medical device data security is finally getting manufacturers attention. I believe that all of the medical devices that are networked need to be authenticated during the time they are getting attached to the network.
Most of the newer generation pacemakers have built in encryption hardware in their radios similar to what’s in current generation wifi boxes.
In order to hack into one of these older generation pacemakers you have to have access to a compatible wireless radio and have to be in a close proximity of the patient. You also need certain access information as well as the cryptic codes that are required to change the settings in the device. It can be done but it is fairly difficult.
It looks likes this particular manufacturer is adding software encryption to their pacemakers as a precaution.
Fred – You raise an interesting point, while newer medical devices have improved security, although sometimes rudimentary, there is no standard that all device manufacturers need to adhere to so overall security is mixed at best. The real problem lies with the legacy devices that have little to no security and are no longer being updated and supported by the manufacturer. There are literally millions of these devices in use every day across the world. As an industry we need to agree upon a way to protect them, until hospitals can afford to replace them.
That’s a real game changer IMO, we are no longer talking about “what ifs” with IoT and medical device vulnerabilities and thankfully it did not take patient harm to get a recall happening. I expect the manufacturer in question is not alone with vulnerabilities in their products and this may well be the first of many such products being assessed and needing to have patches applied. A more stringent SDLC is needed for these critical devices that keep hundreds of thousands of people alive. Thanks for sharing Richard.
The Abbott St Jude Medical is not alone in the risks posed by its cardiac rhythm management products as you rightly point out Mark. Since 2011 there have been a number of medical devices from a wide array of manufacturers that have been found to have major security risks right the way up to being used as unexpected execution tools.
While better security governance in the design, coding, testing and manufacturing of new medical devices is a must, so too is ongoing vulnerability assessment and patching of all devices – including ones that are 15 or 20 years old and still in service. Manufacturers have a duty of care to test and provide ongoing support and updates to security vulnerabilities discovered in their devices – but right now I don’t see much evidence of that.
Great article Richard. There’s a need to protect patients, so that attackers, for example, can’t hack an insulin pump to administer a fatal dose. Also a the huge array of sensors and monitors provides potential entry points to larger hospital networks. US hospitals currently average 10 to 15 connected devices per bed and some hospitals can have over 5,000 beds which provides the potential for many comprimises.
FDA guidance on medical devices says manufacturers have an obligation to consider the cybersecurity of their devices during design and throughout the operating life of that device. FDA also encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur.
Its not just the bedside devices for patient monitoring or treatment that we need to consider, but the wider array of diagnostic imaging, surgery robots, medical lasers, surgical anesthetic systems, and pharmacy robots. No one wants to fried during a simple x-ray, or receive the wrong morphine or insulin dosage from their infusion pump. Medical devices are growing at a global average of 20% per-annum, so the problem of securing these devices is actually increasing rather than going away over time, despite more secure newer systems.
While the FDA has provided broad guidance on the securing of medical devices, this is the first action that we have so far seen with regard to actual intervention in an obvious security risk. Had it not been for the Muddy Waters investigation in 2016 and the resulting media storm, I have grave doubts that the FDA would have got involved. Historically it hasn’t. What is needed is enforcement of a set of minimal compulsory security controls for all medical devices, that includes security as part of device design, thorough and ongoing penetration and vulnerability testing by manufacturers, and ongoing support for patches and updates to fix discovered vulnerabilities.
Thank you for sharing such a nice and interesting blog with us. Hope it might be much useful for us. Keep on updating…!!
Check back at blogs.cisco.com later this week for a follow up article to this story. Glad you enjoyed this one,
This is alarming and fascinating at the same time.
Thanks Joe for your comment. Check out the follow-up post today which goes in to more details around the reasons FDA felt it had to act.
Great article Richard, whilst the prospect of medical devices being hijacked is terrifying it’s great that the FDA are doing this. All IOT style manufacturers should be considering security as a natural matter of course – not an afterthought.
FDA has not exactly been proactive as far as I have seen till this case. (See the follow up article to this one for details). The whole medical device / IoT security space needs a major change in focus and multiple improvements in oversight.
This is a great article that needs to posted and discussed amongst the BioMedical Engineers, IT department, Risk Management and the Information Security. Although these departments are under one roof or umbrella, they are very much independent and that is where the problem lies. It takes the FDA, to bring attention to this problem. Looking forward in more about this.
I believe it was the public that forced the issue here as a result of the very public disclosure of the Muddy Waters following their vulnerability testing. FDA has chosen in the past to play a low key role. That probably needs to change moving forward.